
Cybercriminals tried to commit the largest bank robbery
The well-known British defense company BAE Systems, which works on advanced military developments, the aerospace industry, and information security, has released the results of its analysis of a major cyber attack on a bank in Bangladesh, in which attackers managed to compromise the famous international banking platform SWIFT and steal $81 million.

(Picture: Reuters)
The SWIFT platform is called the heart of the global banking system: with its help, banks around the world exchange information and process payments. After the SWIFT software at the Bangladesh bank was compromised, the hackers managed to log in to the system and send requests to an American bank to transfer large sums to a bank in the Philippines. In this well-planned cyber attack, the hackers intended to transfer almost a billion dollars ($951 million) out of the bank's accounts.
BAE Systems specialists published a brief report on the cyber attack together with information on publicly available samples of the malicious tools (see table below). One more unique malware sample is in the company's possession. It contains sophisticated mechanisms for working with the local SWIFT Alliance Access software used in the victim's system. These individual components are part of the set of malicious tools that were used to conduct the cyber attack and to send false instructions to the bank to complete transactions. The tools are flexible enough to be reused for similar cyber attacks in the future.

Fig. Some of the malicious tools that were used in the cyber attack and are also available on public malware-sample exchange services. (BAE Systems data)
According to BAE Systems, the malicious files were created by a single cybercriminal or by a group of individuals; the most valuable file is the one with hash 525a8e3ae4e3df8c9c61f2a49e38541d196e9228, which contains the logic for working with the SWIFT software.

Fig. The general scheme of the SWIFT compromise. (BAE Systems data)
One can see that one of the main steps of the cyber attack is to compromise the server on which the SWIFT Alliance software is installed. The malicious program then reads the gpca.dat configuration file, which lists the patterns used to search for the SWIFT messages the attackers need. After this, the attackers can control the messages processed by the server side of SWIFT.
The main goal is to gain control over SWIFT messages, which are checked for the presence of certain text strings specified in the configuration file. From the messages of interest, the malicious program can extract the values of certain fields, such as transfer references and SWIFT addresses, for interacting with the system database. The extracted field values are then used to delete information about certain transactions from the system or to update balance data. This malware function ran in a loop until 6 a.m. on February 6, 2016. This period was enough to steal the money, which happened two days before it ended. The malicious tool was developed specifically for this purpose and shows a significant level of knowledge of the SWIFT Alliance Access software; in addition,
The malware uses the following RC4 key to decrypt the contents of its configuration file:
4e 38 1f a7 7f 08 cc aa 0d 56 ed ef f9 ed 08 ef
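As an added example (not code from BAE Systems or from the original article), the following analyst helper decrypts an RC4-encrypted configuration blob with the key quoted above and splits it into search patterns. The page describes gpca.dat only as RC4-encrypted, so the newline-separated layout of patterns used here is an assumption, and the encrypted sample is constructed in the block itself.

```python
# Added example: decrypt an RC4-protected config blob with the key quoted in
# the article and list the search patterns it contains. The one-pattern-per-line
# layout is an ASSUMPTION for illustration; the real gpca.dat format is not
# described on the page.

# RC4 key quoted in the article (16 bytes, given as hex)
GPCA_RC4_KEY = bytes.fromhex("4e381fa77f08ccaa0d56edeff9ed08ef")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_config(blob: bytes, key: bytes = GPCA_RC4_KEY) -> list:
    """Decrypt a config blob and return its non-empty lines as search patterns
    (assumed layout: one pattern per line, Latin-1 text)."""
    plain = rc4(key, blob).decode("latin-1")
    return [line.strip() for line in plain.splitlines() if line.strip()]


# Constructed sample config (NOT the real gpca.dat): a few of the strings the
# article lists, encrypted with the published key so the decryptor can be run.
SAMPLE_PLAINTEXT = b"19A: Amount\nFEDERAL RESERVE BANK\n62F:\n20: Transaction\n"
SAMPLE_BLOB = rc4(GPCA_RC4_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    for pattern in decrypt_config(SAMPLE_BLOB):
        print(repr(pattern))
```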

Fig. The general scheme of the cyber attack. (BAE Systems data)
At the first stage, the malicious program enumerates all processes running on the server. If it finds the process into which the liboradb.dll library is loaded, it modifies two bytes of that library in memory at a specific offset. The two bytes, whose original values are 0x75 and 0x04, are replaced with NOP instructions, 0x90 and 0x90. Together these two bytes represent the conditional branch instruction JNZ (jump if not zero).

Fig. The original conditional jump instruction in the system library code. (BAE Systems data)

Fig. The conditional jump instruction patched with two NOPs in the system library code. (BAE Systems data)
As a result of this patch, the malicious program disables an important check in the code of one of the functions of the liboradb.dll library, which allows the attackers to pass the validation they need. The liboradb.dll library itself is a component of the already mentioned SWIFT Alliance software from Oracle. The library is responsible for the following functions:
- reading the path to the Alliance database from the registry;
- activating this database;
- backing up the database.
By modifying the local instance of the SWIFT Alliance software, the malicious program gains the ability to perform transactions on the SWIFT database through the victim's network.
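As an added example (not code from BAE Systems or from the original article), here is an integrity check in the spirit of the two-byte patch described above: it compares a code region as it should look (the on-disk image) with the same region as observed (an in-memory copy) and flags any short conditional jump that has been overwritten with NOPs. Both byte strings are constructed samples; reading real process memory is outside the example.

```python
# Added example: detect "branch neutralization" patches (Jcc rel8 -> NOP NOP)
# by diffing an expected code region against an observed one. The two images
# below are CONSTRUCTED samples, not bytes from liboradb.dll.

NOP = 0x90
JCC_SHORT = range(0x70, 0x80)      # x86 Jcc rel8 opcodes; 0x75 is JNZ/JNE

# Jcc rel8 opcode -> mnemonic for the report
JCC_NAMES = {0x72: "JB", 0x73: "JAE", 0x74: "JZ", 0x75: "JNZ", 0x76: "JBE",
             0x77: "JA", 0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG"}


def find_neutralized_branches(disk: bytes, mem: bytes) -> list:
    """Return every offset where a 2-byte short conditional jump in `disk` has
    become two NOPs in `mem`. Any other byte difference is reported as 'other'."""
    if len(disk) != len(mem):
        raise ValueError("images must cover the same region")
    findings = []
    off = 0
    while off < len(disk):
        if disk[off] != mem[off]:
            op = disk[off]
            if (op in JCC_SHORT and off + 1 < len(disk)
                    and mem[off] == NOP and mem[off + 1] == NOP):
                findings.append({"offset": off, "kind": "branch_neutralized",
                                 "original": disk[off:off + 2].hex(),
                                 "patched": mem[off:off + 2].hex(),
                                 "insn": f"{JCC_NAMES.get(op, 'Jcc')} +{disk[off + 1]}"})
                off += 2          # both bytes of the jump are accounted for
                continue
            findings.append({"offset": off, "kind": "other",
                             "original": disk[off:off + 1].hex(),
                             "patched": mem[off:off + 1].hex()})
        off += 1
    return findings


# Constructed sample: "test eax,eax; jnz +4; mov eax,1; xor eax,eax; ret" as
# on disk, and the same region after the jump was replaced with 0x90 0x90.
DISK_IMAGE = bytes.fromhex("85c0 7504 b801000000 33c0 c3")
MEM_IMAGE = bytes.fromhex("85c0 9090 b801000000 33c0 c3")

if __name__ == "__main__":
    for finding in find_neutralized_branches(DISK_IMAGE, MEM_IMAGE):
        print(finding)
```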
The malware monitors SWIFT Financial Application (FIN) messages by parsing the contents of *.prc and *.fal files in the following directories:
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcm\in\
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcm\out\
For more information, see baesystemsai.blogspot.ru/2016/04/two-bytes-to-951m.html
All SWIFT messages in the directories below are also tracked:
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcp\in\*.*
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcp\out\*.*
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcp\unk\*.*
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcs\nfzp
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcs\nfzf
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcs\fofp
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcs\foff
Inside the messages, the following banking values of interest are searched for:
"19A: Amount"
": Debit"
"Debit / Credit:"
"Sender:"
"Amount:"
"FEDERAL RESERVE BANK"
"D"
"C"
"62F:"
"60F:"
"60M:"
"62M:"
"Credit"
"Debit"
"64:"
"20: Transaction"
"90B: Price"
Conclusion
The malware sample analyzed by BAE Systems allows one to look inside the toolkit of a group of hackers who carefully planned a cyber attack on the bank. Many parts of this puzzle are still undisclosed, for example how the attackers sent the fraudulent transaction requests, and how they managed to install the malware on the system and compromise the computer network. No answer has been found to the most important question: who is behind this cyber attack.
The main malicious tool in the set described above was developed specifically for this cyber attack, against the specific infrastructure of the victim. It is also worth noting that this toolset will allow the attackers to carry out similar attacks on banks in the future. All financial institutions that use SWIFT Alliance Access in one way or another should take this case seriously and evaluate the security controls they rely on.
The cybercriminals used track-covering techniques in the compromised system so as to go unnoticed and to complicate the investigation of the cyber attack. The significant lesson here is that cybercriminals are using increasingly sophisticated cyber attacks against various organizations, and such attacks are used to get intruders into the organizations' internal networks. As these threats develop, organizations, banks, and other network owners should keep up with the times to ensure the appropriate level of security for their network infrastructure.