Odinaff: Trojan used in high level financial attacks has partners in crime

The Odinaff hacking group is not alone.

Odinaff is a naughty kind of Trojan.

For much of its existence, it has evaded any kind of documentation on the part of security experts.

Now, it is attacking institutions such as banks and other financial facilities across the globe.

Symantec recently published a report which revealed that two groups of hackers targeted several British banks.

They did so by exploiting the many security vulnerabilities present in the Swift global payment system.

The Symantec report also revealed that the hacking group used a specific kind of Trojan to carry out its attacks.

This Trojan is aptly named Trojan Odinaff.

The hacking groups used it to attack financial organizations around the world.

They have done so since the beginning of the year in January.

What does Odinaff actually do?

Typically, Odinaff attacks consist of hackers manipulating SWIFT logs.

During the attack, hackers use a wide array of hacking tools.

Symantec also found out that the Odinaff hacking groups carried out similar attacks against many SWIFT users.

The group used a specific kind of malware which hid all customer records of SWIFT messages regarding fraudulent transactions.

Hackers used purpose-built tools which are designed in such a way that they allow hackers to monitor all customers’ local messages.

The local messages are stored in the form of logs.

Hackers also monitored these logs for specific keywords related only to the transactions that interested them.

After they had obtained these logs, the hackers moved them out of the bank customers’ local SWIFT software environment.

With that said, right now security experts have not found any indication that hackers have compromised the SWIFT network.

But unlike some of the other cyber attacks, the one involving Odinaff looks to have a much wider impact radius.

Some think it has done more damage than the one that allowed hackers to get away with $81 million from a bank in Bangladesh back in February.

Here is the interesting part though:

The Bangladesh Bank heist could have turned out even worse for its customers if hackers had paid proper attention.



It turns out one of the hackers involved with the incident made a typographical error.

That error resulted in much less money in the hands of these hackers.

Of course, some clerks did their part really well at a corresponding bank as well.

As mentioned before, the Odinaff trojan is truly global.

Symantec also found evidence that hackers who used Odinaff to attack targets globally belonged to the Carbanak group.

This group of hackers, experts believe, is based in Russia.

Odinaff specifically targets financial institutions

And this hacking group specializes in attacking financial institutions around the globe.

It has consistently done so since the year 2013.

This hacking group usually deploys the Odinaff trojan in the first phase of a given cyber attack.

It does so because hackers want to gain control of the network.

This also helps hackers provide a persistent presence for their attack.

Moreover, because of this, hackers get the ability to install additional hacking tools on the targeted network.

Odinaff attacks progress very similarly (using the same infrastructure) to the cyber attack campaign that the Carbanak group carried out previously.

After hackers have installed Odinaff on the target network, then they can begin to perform the bulk of the work.

What does this work include?

It includes,

  • Deploying custom malware tools which are specifically designed to enable hackers to communicate in a stealthy manner.
    One of the tools is called Batel.
  • Ensuring network discovery
  • Stealing employee credentials
  • Monitoring employee activity

What Is The Inside Story On Odinaff?

As mentioned before, the cyber attacks using the Odinaff Trojan began in January this year.

These attacks used the malware to carry out subtle campaigns on many financial institutions around the world.

These attacks are different from typical cyber attacks because they are extremely focused.

They are focused on specific organizations which operate in specific industries such as,

  • Banking
  • Trading
  • Securities
  • Payroll sectors

Hackers also seem to attack industries which provide auxiliary support services to the bigger organizations operating in the above-mentioned categories.

All of this means that the hackers involved in such attacks are extremely sophisticated.

They use advanced hacking tools to plague the financial industry with malware.

And so far law enforcement agencies have not found a method to stop them.

The new Carbanak group is the most dangerous hacking group at the moment as far as the financial industries are concerned.

But now, new hackers are emerging who launch waves of cyber attacks in a fashion not so different from the previous Carbanak campaigns.

In other words, these attacks use the same infrastructure.

The reason why we say that the hackers involved in these attacks are professionals is because of the complexity involved in the whole process.

These types of cyber attacks require the hacker to go through a lot of labor.

It’s really hands-on, in other words.

Hackers methodically deploy a wide array of lightweight back doors.

Then they use those purpose-built hacking tools on computers which belong to the targeted individual or organization.

Hackers appear to have invested heavily in areas such as operation, deployment, development, and coordination.

As mentioned before, all of these tasks require specialized tools.

Hackers have learned how to use these tools and are now using them to launch more attacks.

As you can probably imagine, such cyberattacks are difficult to properly perform.

So why do hackers do it?

Hackers do it because the financial sector is a highly lucrative target.

The Carbanak campaign made off with millions of dollars (some say hundreds of millions) because of their cyber attack methods.

And all of that revenue came from the losses of these banks.

Global Cyber Threat Statistics.

Most of the Odinaff-related attacks have banks as their main target.

As mentioned before, Odinaff attacks have picked up the pace since the start of the year (January 2016).

These cyber attacks have targeted various regions around the globe.

Most of the time though, they target organizations that are based in the US.

After the US, hackers like to attack companies based in,

  • Hong Kong
  • Ukraine
  • The UK
  • Australia

We must remember the fact that Odinaff attacks primarily target the financial industry.

This means another thing:

Hackers know the victim’s business before carrying out the attack.

But of course, there are situations where hackers don’t know such information.

When they do, reports have found, they like to go after people who work in financial security.

The finance industry is at the top of the list when it comes to cyber attacks involving Odinaff.

It made up 34 percent of all Odinaff attacks.

Hackers also target a relatively small number of other organizations that work in,

  • The securities industry
  • Legal side
  • Healthcare
  • Government service
  • Government

All of the above-mentioned sectors are possible targets.

But it is still not clear if hackers behind these attacks have financial motivations.

Speaking from an overall perspective, about 60 percent of the cyber attacks involved hackers who did not know the business sector of their victims.

But hackers did know that these businesses used computers which had financial software applications installed on them.

That indicates that hackers did have financial motivations.

The Initial Point of Attack

Odinaff hackers are different.

They are different because they use a wide variety of methods to hack networks which belong to their targeted organizations.

So what’s the most common method of attack?

The most common method involves a document that lures the victim into opening a file that contains a malicious macro.

Hackers then bet on the recipient having enabled macros on his/her machine.

If the victim has, then the macro will go right ahead and install the Odinaff Trojan on the victim’s machine.

Another form of attack uses password-protected .rar archives.

Hackers use these to tempt victims into installing the cursed Trojan Odinaff.

After the Odinaff Trojan is installed on the victim’s machine, the result is the same as before.

The Symantec report did not share details about how the malicious links or documents are distributed.

Some experts believe that hackers use spear-phishing emails to carry out such tasks.

Hackers have also used botnets to distribute the Odinaff Trojan.

In these types of attacks, hackers push the Trojan to computers which are already infected with other types of malware.

Most of the time, this malware takes the form of Andromeda (Downloader.Dromedan) and Snifula (Trojan.Snifula).

When hackers use Andromeda, they usually bundle it with a Trojanized installer for tools such as Ammyy Admin.

Ammyy Admin is a popular and legitimate remote administration tool.

Reports indicate the victim actually downloaded the Trojanized installer from the official website of the legitimate installer.

This should come as a surprise to no one.

Hackers have long targeted official websites in order to spread tons of other malware families as well.

What Do You Expect In A Malware Toolkit?

You can expect Odinaff.

Let’s discuss Odinaff from another perspective.

Consider Odinaff as a lightweight (relatively speaking) backdoor Trojan.

This Trojan tries to connect to a remote host.

Then it checks for new commands at a fixed interval, every five minutes or so.

Odinaff performs two critical functions:

First, it is able to download RC4-encrypted files.

Second, it can execute them and then issue shell commands if necessary.

These shell commands are usually written onto a batch file.

Then they are executed.
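
The fixed check-in interval described above is something defenders can hunt for in proxy or firewall logs. The Python below is an added example, not code from this article or from Symantec; the log format, host names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def constructed_log():
    """Constructed sample lines 'timestamp client destination' (not real data)."""
    base = datetime(2016, 10, 11, 9, 0, 0)
    # ws-114 polls one address about every 300 s with a few seconds of drift.
    poll = [300 * i + d for i, d in enumerate([0, 2, -1, 3, 0, 1, -2, 2])]
    # ws-207 shows irregular, human-driven traffic to another address.
    browse = [5, 40, 47, 610, 1900, 1935, 2600, 2950]
    rows = [(s, "ws-114", "203.0.113.50") for s in poll]
    rows += [(s, "ws-207", "198.51.100.7") for s in browse]
    return [f"{(base + timedelta(seconds=s)).isoformat()} {c} {d}"
            for s, c, d in sorted(rows)]

def find_beacons(lines, min_hits=6, max_cv=0.1, min_interval=60):
    """Return {(client, destination): mean interval in seconds} for pairs whose
    connections are evenly spaced (low coefficient of variation)."""
    seen = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        stamp, client, dest = parts
        seen[(client, dest)].append(datetime.fromisoformat(stamp))
    flagged = {}
    for pair, times in seen.items():
        if len(times) < min_hits:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Evenly spaced traffic has a small spread relative to its mean gap.
        if avg >= min_interval and pstdev(gaps) / avg <= max_cv:
            flagged[pair] = round(avg)
    return flagged

if __name__ == "__main__":
    for (client, dest), interval in find_beacons(constructed_log()).items():
        print(f"{client} -> {dest}: regular check-in about every {interval} s")
```

Legitimate software such as update agents also polls on a timer, so flagged pairs are leads for review rather than confirmed infections.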

As mentioned before, these types of attacks are highly specialized.

And because of that, hackers need to put in a lot of manual intervention.

Without that, these attacks cannot move into their execution phase.

Hackers who use Odinaff as their main weapon, the Odinaff group, have to carefully manage their attacks.

They have to maintain a low profile on their victim organization’s network.

Moreover, they also have to make sure that they download and install new tools only when necessary.

To carry out the initial compromise, hackers use the Trojan.Odinaff.

Hackers do use other tools to take the cyber attack to its completion phase but we won’t discuss them here.

The second most important piece of malware that hackers use is Batel (Backdoor.Batel).

Hackers use this only on computers in which they are interested.

This tool allows them to run payloads via memory only.

This means the malware can easily maintain a stealthy presence and keep computers infected.

As mentioned earlier as well, hackers are not afraid to use as many tools as required to get the job done.

Most of their hacking tools are lightweight tools.

They also use legitimate software tools in order to traverse the victim’s network.

This also helps them to identify key computer machines.

Some of the tools Odinaff hackers use are as follows,

  • Mimikatz. A password recovery tool.
    It is open source.
  • PsExec. A tool used for process execution.
    It is developed by SysInternals.
  • Netscan.
    As the name suggests, it is a network scanning tool.
  • Ammyy Admin (Remacc.Ammyy)
  • Remote Manipulator System variants, such as Backdoor.Gussdoor
  • PowerShell
  • Runas. A tool for running processes as another user.

The Odinaff group also makes use of malware which it has designed and developed to compromise particular kinds of machines.

Reports published in the media have found out that hackers kept the build times of these tools very close to deployment time.

Some of these tools had specific components which helped hackers to take screenshots after fixed intervals of time.

The interval lasted from 5 to 30 seconds.

How Do We Know Hackers Attacked SWIFT Users?

Banks are increasingly becoming hacking targets. And there is a sound reason for it.

We can know that by studying the tools hackers used to hack victims.

Hackers also made use of suppressor components in their tools.

What are suppressor components?

These are basically tiny executables.

They are mostly written in C.

Additionally, they can monitor certain folders for specific files that contain particular text strings.

Symantec revealed that it saw strings related to the following categories,

  • Dates
  • International Bank Account Numbers (IBANs)

It also seems that the user is the one who defined the folder structure in these systems.

And that folder structure is proprietary.

What does that mean?

That means each executable is tailored to a specific system.

Symantec also found files related to a small disk wiper along with the suppressor.

The small disk wiper basically overwrites the initial 512 bytes of a victim’s hard drive.

This is the area that houses the Master Boot Record or MBR.

Without the MBR, no one can access the drive without the use of special tools.

Hackers use the small disk wiper tools to cover their tracks.

Why would hackers do that?

Because at some point they have to abandon the system.

And of course, hackers want to thwart law enforcement agencies from further investigations.
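
During incident response, a quick look at the first sector of a disk image shows whether the MBR described above is still intact. The Python below is an added example, not code from this article or from Symantec; the result labels and the sample sector are constructed for illustration.

```python
import struct

SECTOR = 512
PART_TABLE = 446          # offset of the four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"    # expected at offsets 510-511 of a valid MBR

def parse_partitions(sector):
    """Return (type, first LBA, sector count) for each non-empty table entry."""
    found = []
    for i in range(4):
        _status, _chs1, ptype, _chs2, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE + 16 * i)
        if ptype != 0 and count != 0:
            found.append((ptype, lba, count))
    return found

def triage_mbr(sector):
    """Classify the first sector of a disk image."""
    if len(sector) < SECTOR:
        return "short-read"
    sector = sector[:SECTOR]
    if len(set(sector)) == 1:
        return "wiped"                  # every byte identical, e.g. all zeros
    if sector[510:512] != BOOT_SIG:
        return "bad-signature"          # overwritten with non-uniform data
    if not parse_partitions(sector):
        return "empty-partition-table"
    return "ok"                         # includes GPT protective MBRs (type 0xEE)

def constructed_healthy_mbr():
    """Constructed sample: dummy boot code plus one bootable NTFS-type entry."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * 443
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return boot_code + entry + bytes(48) + BOOT_SIG

if __name__ == "__main__":
    healthy = constructed_healthy_mbr()
    print("healthy sample:", triage_mbr(healthy), parse_partitions(healthy))
    print("zeroed sample: ", triage_mbr(bytes(SECTOR)))
```

On a real case, pass the first 512 bytes read from a forensic image rather than from the live disk.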

Now, there are several hacking groups who carry out Odinaff attacks in this manner.

One of these groups is the Lazarus group.

This group has gained a lot of attention since the Bangladesh central bank heist.

Right now, investigators have not found enough evidence to link Odinaff attacks with SWIFT environment attacks.

As mentioned before, security experts have attributed the SWIFT environment attacks to the Lazarus group.

Meanwhile, they have blamed the Odinaff group for the SWIFT-related malware attacks.

They have also revealed that the malware Odinaff used in SWIFT attacks had no resemblance to Trojan.Banswift.

Trojan.Banswift is the malware the Lazarus group (allegedly) used in its SWIFT attacks.

What About Links To The Carbanak Group?

Some believe that the Odinaff group’s attacks did have some links to the Carbanak group.

The Carbanak group rose to prominence in 2014 when its activities drew public attention.

The Carbanak group, just like the Odinaff group, specializes in attacks against the financial sector because of its high-value nature.

Authorities have also implicated the Carbanak group in a string of cyber attacks against several banks.

And that is in addition to the many point-of-sale intrusions in which the Carbanak group has been implicated.

It should be clear enough now that Carbanak and Odinaff have similar modus operandi.

But there are other similarities as well.


  • Previously reported Carbanak attack campaigns have used the same three command and control IP addresses as the Odinaff attacks.
  • Hackers used the same C&C IP address in the Oracle MICROS breach. Authorities had previously attributed the same IP address to the Carbanak group as well.
  • Hackers have used Backdoor.Batel in many attacks which have involved the Carbanak group.

Authorities have not observed the use of Anunak (Trojan.Carberp.B as well as Trojan.Carberp.D), Carbanak’s primary Trojan, in any Odinaff campaigns.

Hence some believe the group routinely uses multiple discrete distribution channels.

It uses them to compromise multiple financial organizations.

It is entirely possible that Odinaff is just a small part of a larger organization.

But the infrastructure crossover is more or less atypical.

This gives the impression that two hacking groups are cooperating with each other.

Of course, that is just speculation.

Security experts need more time to come up with concrete conclusions.

Hackers Will Target More Banks

While it is great that security experts have discovered Odinaff, it leads us to the following observation:

Hackers will target more banks because banks are more vulnerable and are of course profitable.

Cyber criminals have shown an immense and deep knowledge about how internal financial systems work.

This puts banks in a risky situation.

And perhaps hackers know this and increasingly carry out more attacks against banks.

Hackers have also learned that most banks have invested in a diverse range of financial systems.

Now it looks like they have spent quite a bit of time studying these systems.

In other words, hackers know how banks work and how bank employees operate their bank’s financial systems.

Couple that with a hacking group with a high level of hacking skills, and you have an entity that poses a monstrous threat to organizations all over the world including banks.

Is There A Form Of Protection?

Most Norton and Symantec products are capable of detecting such attacks.

If you want to learn more about the details of these attack vectors and the related protections against them, then search the terms below in your favorite search engine.


  • Backdoor.Batel
  • Remacc.Ammyy
  • Trojan.Odinaff!g1
  • Backdoor.Gussdoor
  • Trojan.Odinaff
  • Trojan.Odinaff!gm

Intrusion Prevention

  • System Infected: Trojan.Odinaff Activity


Blue Coat products are great when it comes to blocking abusive network traffic.

They can also detect and then block different types of malware, especially ones like Trojan.Odinaff and Backdoor.Batel.

Most Blue Coat products can also indicate if hackers have compromised a given machine or network.


