Threat-landscape of Financial attacks

Financial institutions have been a traditional target for all kinds of attacks. We wanted to understand which malware families have been used against them in recent cases and track their evolution. It is not easy, though, to get details on the artifacts used in such attacks.

Our approach was to cross-check OSINT data on attacks targeting financial institutions against VirusTotal intelligence, to shed some light on how these threats evolved during 2022. We want to share some of the most interesting findings and to provide some ideas on how you can use VirusTotal to track these attacks yourself.

You can also check our recorded webinar here.

Top malware families

Starting from the collection of OSINT-obtained malware families used in attacks against financial institutions, we checked every family's prevalence in VirusTotal based on the number of submissions in 2022. Submissions are a useful metric for understanding how widespread a malware family is:

[Image: oC389qyylYp9HMVYN6I0j9OGre79Cp6XsZ8xVul8...=w565-h349]

It is worth noting that some of these “malware families” might be legitimate artifacts used by attackers, typically for lateral movement as part of their TTPs or preferred toolset.

Indeed, Remcos (also known as RemcosRAT) is a commercial product offered as a legitimate remote control utility which has been part of attackers' toolsets since (at least) 2017. Several other families in the top 15 are deployed as part of the Golden Chickens malware-as-a-service (MaaS) offering: TerraRecon, TerraLoader, TerraPreter, TerraStealer, TerraTV and more_eggs. These have been used by multiple threat actors, mainly in targeted attacks against the financial sector. This observation may, however, be biased by the OSINT publications used for this analysis.

Back to RemcosRAT: it is frequently seen deployed in combination with an exploit [1,2,3]. To monitor fresh RemcosRAT samples linked with exploits, you can use the following query in VirusTotal Intelligence:

engines:remcosrat fs:2022-01-01+ type:peexe tag:exploit

When presented with a collection of samples after a search like the previous one, it is useful to run the Commonalities Tool to find how many of these samples share characteristics such as vhash, contacted URLs, domains and IP addresses. They also drop similar files, and all samples use only 4 different compilation timestamps. Most likely, all of them are either part of the same campaign or part of a toolset/infrastructure heavily reused across different attacks.

[Image: udXGlM3ZuIFTLL-10YRu5qnjqZXjnvsaeU9HtFt-...vhcnRguEwQ]

Another idea is to select the samples we are interested in and display them in VT Graph, which helps visualize relationships, filter them out and select additional IOCs.

In this example let’s say we are only interested in malicious domains, URLs and IP addresses contacted by these samples, which we can filter out using the right panel.

[Image: lfUtrgDqWLAwMbxUSN8yFlot7XRyhMEKqlMAfTf4...EOYmv5SWMA]

To obtain the list of IOCs we can right-click and select "Download nodes".
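The Commonalities Tool step and the final "Download nodes" IOC export can both be reproduced outside the web UI once you have the file objects from an Intelligence search. The script below is an added example written for this thread, not code from VirusTotal or from the original post. It runs offline on a constructed set of five records whose shape mimics VT API v3 file objects (the `attributes.vhash` and `attributes.pe_info.timestamp` fields are real VT attributes; the top-level `contacted_domains` / `contacted_ips` lists are an assumed flattening of what the real API returns as relationships, and the sample ids, vhashes, domains and IPs are placeholders, not real IoCs). With the vt-py client you would feed the same functions the objects returned by `client.iterator('/intelligence/search', params={'query': QUERY})`.

```python
"""Added example: compute sample commonalities and export IOCs from
VirusTotal-style file objects. Not part of the original post."""
from collections import defaultdict
from datetime import datetime, timezone

# Query taken from the post; used only for documentation here (no network).
QUERY = "engines:remcosrat fs:2022-01-01+ type:peexe tag:exploit"

# CONSTRUCTED sample set. Ids stand in for SHA-256 hashes; domains use the
# reserved .invalid TLD and IPs are from the documentation range 192.0.2.0/24.
SAMPLES = [
    {"id": "sample-1",
     "attributes": {"vhash": "vhash-A", "pe_info": {"timestamp": 1640995200}},
     "contacted_domains": ["c2-a.invalid"], "contacted_ips": ["192.0.2.10"]},
    {"id": "sample-2",
     "attributes": {"vhash": "vhash-A", "pe_info": {"timestamp": 1640995200}},
     "contacted_domains": ["c2-a.invalid", "c2-b.invalid"],
     "contacted_ips": ["192.0.2.10"]},
    {"id": "sample-3",
     "attributes": {"vhash": "vhash-B", "pe_info": {"timestamp": 1646092800}},
     "contacted_domains": ["c2-b.invalid"], "contacted_ips": ["192.0.2.20"]},
    {"id": "sample-4",
     "attributes": {"vhash": "vhash-B", "pe_info": {"timestamp": 1646092800}},
     "contacted_domains": [], "contacted_ips": ["192.0.2.20"]},
    # Deliberately has no pe_info, as non-PE or partially parsed files would.
    {"id": "sample-5",
     "attributes": {"vhash": "vhash-C"},
     "contacted_domains": ["c2-c.invalid"], "contacted_ips": ["192.0.2.30"]},
]


def attr(obj, path, default=None):
    """Walk a dotted path through nested dicts; return default if any key is missing."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def commonalities(samples, min_share=2):
    """Return {feature: {value: [sample ids]}} for values shared by at least
    min_share samples, i.e. what the Commonalities Tool surfaces."""
    index = defaultdict(lambda: defaultdict(set))
    for s in samples:
        sid = s["id"]
        for name, path in (("vhash", "attributes.vhash"),
                           ("compile_ts", "attributes.pe_info.timestamp")):
            val = attr(s, path)
            if val is not None:
                index[name][val].add(sid)
        for name in ("contacted_domains", "contacted_ips"):
            for val in s.get(name, []):
                index[name][val].add(sid)
    return {name: {val: sorted(ids) for val, ids in vals.items()
                   if len(ids) >= min_share}
            for name, vals in index.items()}


def distinct_compile_timestamps(samples):
    """Sorted ISO-8601 (UTC) list of the distinct PE compile timestamps seen;
    samples without pe_info are skipped rather than counted as a timestamp."""
    stamps = {attr(s, "attributes.pe_info.timestamp") for s in samples}
    stamps.discard(None)
    return sorted(datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
                  for t in stamps)


def extract_iocs(samples):
    """Deduplicated network IOCs across the set, the equivalent of exporting
    the domain/IP nodes from VT Graph."""
    domains, ips = set(), set()
    for s in samples:
        domains.update(s.get("contacted_domains", []))
        ips.update(s.get("contacted_ips", []))
    return {"domains": sorted(domains), "ips": sorted(ips)}


if __name__ == "__main__":
    print("query:", QUERY)
    for feature, shared in commonalities(SAMPLES).items():
        for value, ids in shared.items():
            print(f"{feature}={value!r} shared by {', '.join(ids)}")
    print("distinct compile timestamps:", distinct_compile_timestamps(SAMPLES))
    print("iocs:", extract_iocs(SAMPLES))
```

The `min_share` threshold is what turns a raw attribute index into a commonalities view: a value seen in a single sample (here `vhash-C` or `c2-c.invalid`) is noise for clustering and is dropped, while a contacted domain shared across samples from two different vhash clusters (`c2-b.invalid` links sample-2 and sample-3) is exactly the kind of pivot that suggests reused infrastructure.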
