Hackers Using Fake Swift Emails To Steal Bank Credentials

Hackers using fake Swift emails to deploy Adwind RAT, steal bank credentials in new phishing scam

"When it comes to an enterprise's financial accounts, the emotions rise even more," researchers explain

Hackers are using phony Swift emails to deploy the malicious Adwind remote access trojan and steal credentials.

Hackers are using malicious emails disguised as important Swift messages to spread the cross-platform remote access trojan (RAT) Adwind. According to Comodo Group's Threat Research Lab, the spam messages claim to contain important information regarding a "wire bank transfer to your designated bank account" from the Swift network, the global banking industry's payments messaging system.

The phishing email prompts users to review an attached document to check the details and make sure there are no discrepancies regarding the transfer.

The seemingly secure document, however, actually contains the Adwind malware that is capable of exfiltrating data from the infected computer, modifying the system registry and more.

Once a computer is infected, the malware modifies the system registry, spawns several processes and even checks for antivirus software and other security tools in an attempt to kill their processes.

"Additionally, the malware checks for the presence of forensic, monitoring or anti-adware tools, then drops these malicious executable files and makes a connection with a domain in the hidden Tor network," researchers said.

"The malware also tries to disable the Windows restore option and turns off the User Account Control feature, which prevents installing a program without the actual user being aware."

Comodo researchers believe the campaign is likely an attempt at spying or a strategic "reconnaissance" action. The threat actors behind the phishing scam are likely using this attack to spy on users, collect data from the targeted enterprise network and endpoints and "prepare for the second phase of the cyberattack" with additional malicious software.

"Having the precise information about the enterprise, these cyberattackers can even create malware specifically adjusted to the target environment to bypass all defensive mechanisms of the enterprise and hit the heart of the target," the researchers said.

The attack, which began on 9 February, appears to have been launched from IPs based in the Netherlands, Cyprus and Turkey. The hackers have also used the email address - the domain for which does not exist.

"As we see, cybercriminals more and more often use finance-related topics as a bait to make users download malware and infect an enterprise's network,"
