Odinaff: Trojan used in high level financial attacks

trojan targeting financial industry

trojan targeting financial industry

A previously undocumented Trojan dubbed Odinaff has been spotted attacking banks and other financial targets worldwide. Symantec had recently revealed that British banks were being targeted by two hacking groups looking to exploit security weaknesses in the Swift global payments system.

The group has been using the trojan which Symantec calls Trojan.Odinaff, against financial organizations worldwide since January. Odinaff attacks typically include the manipulation of SWIFT logs and the extensive use of hack tools. Symantec had found evidence that the Odinaff group has mounted attacks on SWIFT users, using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions. The tools used are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of customers’ local SWIFT software environment. Currently, there is no indication that SWIFT network has been itself compromised.

The tools used are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of customers’ local SWIFT software environment. Currently, there is no indication that SWIFT network has been itself compromised.

However, the attacks look broader than the one that resulted in the theft of $81M from Bangladesh Bank in February, a sum that would have been much higher but for a typographical error and the diligence of a clerk at a correspondent bank.

Symantec has linked the Odinaff trojan with the Carbanak group, which is believed to be based in Russia and has targeted financial institutions since at least 2013. Specifically, it’s typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network. Odinaff attacks also use some infrastructure that was previously used in Carbanak campaigns.

Once Odinaff is installed, custom malware tools, purpose-built for stealthy communications (including one dubbed Batel), network discovery, credential stealing and monitoring of employee activity are deployed.

In-depth story

Since January this year, subtle campaigns involving malware called Trojan.Odinaff has targeted a number of financial organizations worldwide. These attacks appear to be extremely focused on organizations operating in the banking, securities, trading, and payroll sectors. Organizations who provide support services to these industries are also of interest.

Odinaff is typically deployed in the first stage of an attack, to gain a foothold onto the network, providing a persistent presence and the ability to install additional tools onto the target network.

These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.

These attacks require a lot of hands-on involvement, with the methodical deployment of a range of lightweight back doors and purpose built tools onto computers of specific interest. There appears to be a heavy investment in the coordination, development, deployment, and operation of these tools during the attacks.

Custom malware tools, purpose built for stealthy communications (Backdoor.Batel), network discovery, credential stealing, and monitoring of employee activity are deployed.

Although difficult to perform, these kinds of attacks on banks can be highly lucrative. Estimates of total losses to Carbanak-linked attacks range from tens of millions to hundreds of millions of dollars.

Global threat statistics

 Odinaff attacks by region

Figure 1 – Odinaff attacks by region

Attacks involving Odinaff appear to have begun in January 2016. The attacks have hit a wide range of regions, with the US the most frequently targeted. It was followed by Hong Kong, Australia, the UK and Ukraine.

Most Odinaff attacks were against financial targets. In attacks where the nature of the victim’s business was known, financial was by far the most frequently hit sector, accounting for 34 percent of attacks.

There were a small number of attacks against organizations in the securities, legal, healthcare, government and government services targets; however, it is unclear whether all of these were financially motivated.

Around 60 percent of attacks were against targets whose business sector was unknown, but in many cases these were against computers running financial software applications, meaning the attack was likely financially motivated.

 

Figure 2. Odinaff attacks by sector

Figure 2. Odinaff attacks by sector

Initial point of attack

The Odinaff attackers use a variety of methods to break into the networks of targeted organizations. One of the most common methods of attack is through lure documents containing a malicious macro. If the recipient opts to enable macros, the macro will install the Odinaff Trojan on their computer.

Another attack involves the use of password protected RAR archives, in order to lure the victims into installing Odinaff on their computers. Although Symantec has not seen how these malicious documents or links are distributed, we believe spear-phishing emails are the most likely method.

 Figure 3. Lure document containing instructions on how to enable Word macros.

Figure 3. Lure document containing instructions on how to enable Word macros.

Trojan.Odinaff has also been seen to be distributed through botnets, where the Trojan is pushed out to computers already infected with other malware, such as Andromeda (Downloader.Dromedan) and  Snifula (Trojan.Snifula).

In the case of Andromeda, this was bundled with a Trojanized installer for AmmyyAdmin, a legitimate remote administration tool. The Trojanized installer was downloaded from the official website, which has been targeted repeatedly in recent times to spread a number of different malware families.

Malware toolkit

Odinaff is a relatively lightweight backdoor Trojan which connects to a remote host and looks for commands every five minutes. Odinaff has two key functions: it can download RC4 encrypted files and execute them and it can also issue shell commands, which are written to a batch file and then executed.

Given the specialist nature of these attacks, a large amount of manual intervention is required. The Odinaff group carefully manages its attacks, maintaining a low profile on an organization’s network, downloading and installing new tools only when needed.

Trojan.Odinaff is used to perform the initial compromise, while other tools are deployed to complete the attack. The second piece of malware known as Batel (Backdoor.Batel) is used on computers of interest to the attackers. It is capable of running payloads solely in memory, meaning the malware can maintain a stealthy presence on infected computers.

The attackers make extensive use of a range of lightweight hacking tools and legitimate software tools to traverse the network and identify key computers. This include:

  • Mimikatz, an open source password recovery tool
  • PsExec, a process execution tool from SysInternals
  • Netscan, a network scanning tool
  • Ammyy Admin (Remacc.Ammyy) and Remote Manipulator System variants (Backdoor.Gussdoor)
  • Runas, a tool for running processes as another user.
  • PowerShell

The group also appears to have developed malware designed to compromise specific computers. The build times for these tools were very close to the time of deployment. Among them were components capable of taking screenshot images at intervals of between five and 30 seconds.

Evidence of attacks on SWIFT users

Symantec has found evidence that the Odinaff group has mounted attacks on SWIFT users, using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions. The tools used are designed to monitor customers’ local message logs for keywords relating to certain transactions.

They will then move these logs out of customers’ local SWIFT software environment. We have no indication that SWIFT network was itself compromised.

These “suppressor” components are tiny executables written in C, which monitors certain folders for files that contain specific text strings. Among the strings seen by Symantec are references to dates and specific International Bank Account Numbers (IBANs).

The folder structure in these systems seems to be largely user defined and proprietary, meaning each executable appears to be clearly tailored to for a target system.

One of the files found along with the suppressor was a small disk wiper which overwrites the first 512 bytes of the hard drive. This area contains the Master Boot Record (MBR) which is required for the drive to be accessible without special tools. We believe this tool is used to cover the attackers’ tracks when they abandon the system and/or to thwart investigations.

These Odinaff attacks are an example of another group believed to be involved in this kind of activity, following the Bangladesh central bank heist linked to the Lazarus group. There are no apparent links between Odinaff’s attacks and the attacks on banks’ SWIFT environments attributed to Lazarus and the SWIFT-related malware used by the Odinaff group bears no resemblance to Trojan.Banswift, the malware used in the Lazarus-linked attacks.

Possible links to Carbanak

The attacks involving Odinaff share some links to the Carbanak group, whose activities became public in late 2014. Carbanak also specializes in high-value attacks against financial institutions and has been implicated in a string of attacks against banks in addition to point of sale (PoS) intrusions.

Aside from the similar modus operandi, there are a number of other links between Carbanak and Odinaff:

  • There are three commands and control (C&C) IP addresses which have been connected to previously reported Carbanak campaigns.
  • One IP address used by Odinaff was mentioned in connection with the Oracle MICROS breach, which was attributed to the Carbanak group.
  • Backdoor.Batel has been involved in multiple incidents involving Carbanak.

Since Carbanak’s main Trojan, Anunak (Trojan.Carberp.B and Trojan.Carberp.D) was never observed in campaigns involving Odinaff, we firmly believe the group uses a number of discrete distribution channels to compromise financial organizations.

While it is possible that Odinaff is part of the wider organization, the infrastructure crossover is atypical, meaning it could also be a similar or cooperating group.

Banks increasingly in the crosshairs

The discovery of Odinaff indicates that banks are at a growing risk of attack. Over the past number of years, cybercriminals have begun to display a deep understanding of the internal financial systems used by banks. They have learned that banks employ a diverse range of systems and have invested time in finding out how they work and how employees operate them.

When coupled with the high level of technical expertise available to some groups, these groups now pose a significant threat to any organization they target.

Protection

Symantec and Norton products can detect these threats. The following links describes the in depth details of the attack vector and corresponding protection:

Antivirus

  • Trojan.Odinaff
  • Trojan.Odinaff!g1
  • Trojan.Odinaff!gm
  • Backdoor.Batel
  • Remacc.Ammyy
  • Backdoor.Gussdoor

Intrusion Prevention

  • System Infected: Trojan.Odinaff Activity

Bluecoat

Bluecoat products will:

  • Block offending network traffic
  • Detect and block the malware used as Backdoor.Batel & Trojan.Odinaff
  • Indicators of compromise

The following are examples of the various tools in use:

Odinaff droppers

  • f7e4135a3d22c2c25e41f83bb9e4ccd12e9f8a0f11b7db21400152cd81e89bf5
  • c122b285fbd2db543e23bc34bf956b9ff49e7519623817b94b2809c7f4d31d14

Odinaff document droppers

  • 102158d75be5a8ef169bc91fefba5eb782d6fa2186bd6007019f7a61ed6ac990
  • 60ae0362b3f264981971672e7b48b2dda2ff61b5fde67ca354ec59dbf2f8efaa

Odinaff samples

  • 22be72632de9f64beca49bf4d17910de988f3a15d0299e8f94bcaeeb34bb8a96
  • 2503bdaeaa264bfc67b3a3603ee48ddb7b964d6466fac0377885c6649209c098

SWIFT log suppressors

  • 84d348eea1b424fe9f5fe8f6a485666289e39e4c8a0ff5a763e1fb91424cdfb8

Backdoor.Batel RTF document dropper 

  • 21e897fbe23a9ff5f0e26e53be0f3b1747c3fc160e8e34fa913eb2afbcd1149f

Backdoor.Batel stagers

  • 001221d6393007ca918bfb25abbb0497981f8e044e377377d51d82867783a746
  • 1d9ded30af0f90bf61a685a3ee8eb9bc2ad36f82e824550e4781f7047163095a

Older Batel *.CPL droppers

  • 1710b33822842a4e5029af0a10029f8307381082da7727ffa9935e4eabc0134d
  • 298d684694483257f12c63b33220e8825c383965780941f0d1961975e6f74ebd

Cobalt Strike, possible ATM implants

  • 429bdf288f400392a9d3d6df120271ea20f5ea7d59fad745d7194130876e851e
  • 44c783205220e95c1690ef41e3808cd72347242153e8bdbeb63c9b2850e4b579

Cobalt Strike implants

  • 1341bdf6485ed68ceba3fec9b806cc16327ab76d18c69ca5cd678fb19f1e0486
  • 48fb5e3c3dc17f549a76e1b1ce74c9fef5c94bfc29119a248ce1647644b125c7

Backdoor.Batel loaders

  • 0ffe521444415371e49c6526f66363eb062b4487a43c75f03279f5b58f68ed24
  • 174236a0b4e4bc97e3af88e0ec82cced7eed026784d6b9d00cc56b01c480d4ed

Stagers (MINGW)

  • d94d58bd5a25fde66a2e9b2e0cc9163c8898f439be5c0e7806d21897ba8e1455
  • 3cadacbb37d4a7f2767bc8b48db786810e7cdaffdef56a2c4eebbe6f2b68988e

Disk wipers

  • 72b4ef3058b31ac4bf12b373f1b9712c3a094b7d68e5f777ba71e9966062af17
  • c361428d4977648abfb77c2aebc7eed5b2b59f4f837446719cb285e1714da6da

Keylogger

  • e07267bbfcbff72a9aff1872603ffbb630997c36a1d9a565843cb59bc5d97d90

Screengrabbers

  • a7c3f125c8b9ca732832d64db2334f07240294d74ba76bdc47ea9d4009381fdc
  • ae38884398fe3f26110bc3ca09e9103706d4da142276dbcdba0a9f176e0c275c

Command shells

  • 9041e79658e3d212ece3360adda37d339d455568217173f1e66f291b5765b34a
  • e1f30176e97a4f8b7e75d0cdf85d11cbb9a72b99620c8d54a520cecc29ea6f4a

HTTP Backconnect

  • b25eee6b39f73367b22df8d7a410975a1f46e7489e2d0abbc8e5d388d8ea7bec

Connection checkers

  • 28fba330560bcde299d0e174ca539153f8819a586579daf9463aa7f86e3ae3d5
  • d9af163220cc129bb722f2d80810585a645513e25ab6bc9cece4ed6b98f3c874

PoisonIvy loaders

  • 25ff64c263fb272f4543d024f0e64fbd113fed81b25d64635ed59f00ff2608da
  • 91601e3fbbebcfdd7f94951e9b430608f7669eb80f983eceec3f6735de8f260c

Ammyy Admin remote administration tools

  • 0caaf7a461a54a19f3323a0d5b7ad2514457919c5af3c7e392a1e4b7222ef687
  • 295dd6f5bab13226a5a3d1027432a780de043d31b7e73d5414ae005a59923130

Ammyy Admin, Trojanized

  • cce04fa1265cbfd61d6f4a8d989ee3c297bf337a9ee3abc164c9d51f3ef1689f

RemoteUtilities remote administration tools

  • 2ba2a8e20481d8932900f9a084b733dd544aaa62b567932e76620628ebc5daf1
  • 3232c89d21f0b087786d2ba4f06714c7b357338daedffe0343db8a2d66b81b51

Runas

  • 170282aa7f2cb84e023f08339ebac17d8fefa459f5f75f60bd6a4708aff11e20

Mimikatz

  • 7d7ca44d27aed4a2dc5ddb60f45e5ab8f2e00d5b57afb7c34c4e14abb78718d4
  • e5a702d70186b537a7ae5c99db550c910073c93b8c82dd5f4a27a501c03bc7b6

Kasidet

  • c1e797e156e12ace6d852e51d0b8aefef9c539502461efd8db563a722569e0d2
  • cee2b6fa4e0acd06832527ffde20846bc583eb06801c6021ea4d6bb828bfe3ba

 

Leave a Reply