Threat-landscape of Financial attacks

[harlan4096]

Financial institutions have been a traditional target for all kinds of attacks. We wanted to understand what kind of malware families have been used against them in recent cases and track their evolution. It is not easy, though, having details on artifacts used in such attacks.

Our approach was cross-checking OSINT data related to attacks targeting financial institutions with VirusTotal intelligence to shed some light on how these threats are evolving during 2022. We want to share some of the most interesting findings as well as providing some ideas on how you can use VirusTotal to track these attacks by yourself.

You can also check our recorded webinar here.

Top malware families

Starting from the collection of OSINT-obtained malware families used in attacks against financial institutions, we checked every family’s prevalence in VirusTotal based on the number of submissions in 2022. Submissions are an interesting metric to understand how spread a malware family is:



It is worth noting that some of these “malware families” might be legitimate artifacts used by attackers, typically for lateral movement as part of their TTPs or preferred toolset.

Indeed, Remcos (also known as RemcosRAT) is a commercial product offered as a legitimate Remote Control utility which has been part of attackers’ toolsets since (at least) 2017. Some other top 15 malware families are deployed as part of the Golden Chicken malware as a service (MaaS): TerraRecon, Terra Loader, Terra Preter, TerraStealer, TerraTV and more_eggs. These have been used by multiple threat actors, mainly in targeted attacks against the financial sector. However, this can also be biased based on the OSINT publications used for this analysis.

Back to RemcosRAT, it can be frequently seen deployed in combination with an exploit [1,2,3]. To monitor fresh RemcosRAT samples linked with exploits, you can use the following query in VirusTotal Intelligence:

engines:remcosrat fs:2022-01-01+ type:peexe tag:exploit

When presented with a collection of samples after a search like the previous one, it is interesting to use the Commonalities Tool to find how many of these samples share characteristics such as vhash, contacted urls, domains and ip addresses. They also drop similar files and all samples use only 4 different compilation timestamps. Most likely, all of them are either part of the same campaign or part of a toolset/infrastructure heavily reused in different attacks.



Another idea is selecting the samples we are interested in and displaying them in VT Graph, which helps visualizing relationships, filtering them out and selecting additional IOCs.

In this example let’s say we are only interested in malicious domains, URLs and IP addresses contacted by these samples, which we can filter out using the right panel.



To obtain the list of IOCs we can right click and select "Download nodes''.
....

Continue Reading