The latest cybersecurity trends, best practices, security vulnerabilities, and more
Taiwan Bank Heist and the Role of Pseudo Ransomware
By Trellix · October 12, 2017
Widespread reports claim the Far Eastern International Bank in Taiwan has become a victim of hacking. The attacks demonstrate the global nature of cybercrime, with the cybercriminals attempting to wire US$60 million to destinations such as Sri Lanka, Cambodia, and the United States. Recent reports from Sri Lanka say that two individuals have been arrested for suspected money laundering after a tip-off from the Bank of Ceylon, which reported a suspicious transfer of $1.2 million from the Far Eastern International Bank.
On Saturday October 7, Far Eastern International Bank reported that it had recovered most of the money and that overall losses could reach $500,000.
How did the attack happen?
Based on the initial intelligence we have received, the first direct interaction with the victim began with spear phishing attacks that contained “backdoor” attachments.
Figures 1 and 2 provide some examples of the attachments.
When the victim clicks on the link, they are redirected to a malicious site that downloads additional files to the victim’s computer. One example of these malicious sites is hxxps://jobsbankbd.com/maliciousfilename.exe.
This site hosts another backdoor that gives the criminals access to the victim’s system in the bank.
Once the criminals gain access to the systems, our initial analysis reveals that the attackers harvested credentials. This was confirmed by evidence we found in a sample that contained the following credentials from the bank:
These credentials are used to create a scheduled task on the system and monitor the running of endpoint security services. (This does not indicate a problem with the security software, only that the attackers did their research and took measures to take out the security software being run within the bank.) We have notified the security provider, and have provided all of our research to date.
Besides the scheduled task and credentials, we discovered another interesting piece of code. Inside the sample was the resource “IMAGE,” which seemed to be a zip file. Once extracted, we found the file aa.txt. Although this appeared to be a text file, it was really an executable.
The file contains code that scans for the installed languages, especially:
- 419 (Russian)
- 422 (Ukrainian)
- 423 (Belarusian)
If these languages are detected, the file will not run. We have seen this behavior before in ransomware families.
When analyzing the strings of this particular file, we discovered some interesting ones:
- HERMES 2.1 TEST BUILD, press ok
When executed, the file proved to be ransomware. However, no note or wallpaper indicated that this was ransomware. After the file finished running, only one thing appeared on the desktop:
And in every directory a file:
The original Hermes ransomware note points toward this file; but in our case, we saw no note, nor demand for ransom. The Hermes ransomware family surfaced in February:
We suspect that this is another example of pseudo ransomware. Was the ransomware used to distract the real purpose of this attack? We strongly believe so.
Based on our sources, the ransomware attack started in the network when the unauthorized payments were being sent.
Clearly this was a very carefully crafted attack, and specifically targeted at one bank. The attackers identified specific individuals to email, and understood the security measures being deployed. Although the samples we identified are now covered by our security products, we urge caution in anyone assuming that “I am protected.” The criminals took their time to understand how the bank works and developed the necessary code to enable them to steal millions. An effective security posture must anticipate such highly skilled attackers.
Because this is related an active law enforcement investigation, we are limiting what information we publicly share and will publish further updates only if that does not conflict with a current investigation.
Dec 7, 2023
Trellix Named 2023 Global Endpoint Security Company of the Year by Frost & Sullivan
Dec 4, 2023
Trellix Extends Virtual Intrusion Prevention System with AWS Gateway Load Balancer
Nov 28, 2023
Board Support Remains Critical as Majority of CISOs Experience Repeat Cyber Attacks
Nov 27, 2023
Trellix Announces Cybersecurity Generative AI Innovations Powered by Amazon Bedrock
Nov 22, 2023
Trellix Hosts Zero Trust Strategy Virtual Forum
Get the latest
We’re no strangers to cybersecurity. But we are a new company.
Stay up to date as we evolve.
Zero spam. Unsubscribe at any time.