Polish Banks Victims of Malware Infection

Several Polish banks were recently targeted by a severe malware attack that partially crippled operations for days

Several Polish banks are struggling to restore their systems to normal in the wake of a massive malware attack that is reported to have been perpetrated by foreign hackers.

The malware infection is believed to have stemmed from the servers of the Polish financial regulator, the KNF, after those servers were compromised and used as carriers for the highly infectious malware.

At the time of reporting, over twenty Polish commercial banks had confirmed that the malware was present on their servers and workstations.

The massive scale of the infection resulted in the temporary shutdown of the entire KNF network while measures were put in place to eradicate the problem.

The JavaScript File on the KNF Website Was Laced with a Dangerous Remote Access Trojan

The malware was cleverly hidden in the website’s JavaScript file which, once loaded, would in turn trigger the download of an unknown file onto the bank’s computer.

The Remote Access Trojan (RAT) would then be installed on the computer once the user executed the unknown file.

Local Polish news website Zaufana Trzecia Strona was the first to report about the vicious malware attack that left a good portion of Poland’s financial industry paralyzed.

According to the news site, the RAT that laced the JavaScript files was apparently a new Trojan strain, since it could not be detected on VirusTotal.

Later reports divulged that KNF’s website had been hosting the malware for about a week before its presence was discovered and measures were taken to clean it.

New Strain of RAT Could Be Used to Carry Out Various Exploits

Researchers from BadCyber confirm that the malware had not been seen prior to this event.

They concluded that the aim of the hackers could be anyone’s guess, since the malware could be used for a number of purposes, such as data exfiltration and network reconnaissance.

According to BadCyber, which examined the infected JavaScript code after the website was taken offline, the malware program was cleverly hidden in an unknown file that was downloaded automatically, via a hidden iframe, as soon as users accessed the website.
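The delivery mechanism described above, an iframe the visitor never sees pulling a payload from a host that is not the site's own, is something a site operator can check their own pages for. The following is an added example, not code from the article, from BadCyber or from the KNF: a small integrity check that parses a page, collects every iframe, and flags those that are both hidden (display:none, visibility:hidden, 1x1 or smaller, or positioned far offscreen) and sourced from a foreign host. The sample page and every host name in it are constructed for the example.

```python
"""Flag hidden iframes that load content from a host other than the site's own.

Added example (not from the article, BadCyber or KNF).  The sample HTML
below is constructed; the host names are placeholders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate on-site iframe, one injected hidden one.
SAMPLE_PAGE = """
<html><body>
<iframe src="https://www.example-site.test/widgets/rates" width="600" height="400"></iframe>
<script src="/static/app.js"></script>
<iframe src="http://attacker-placeholder.test/loader" width="1" height="1" style="display:none"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value); value is None for bare attributes
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """Heuristics for an iframe the visitor is not meant to see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    # 1x1 (or 0x0) frames are a classic way to make a frame invisible
    for dim in ("width", "height"):
        m = re.match(r"^\s*(\d+)", attrs.get(dim, ""))
        if m and int(m.group(1)) <= 1:
            return True
    # frames pushed hundreds of pixels offscreen via absolute positioning
    if re.search(r"(left|top):-\d{3,}", style):
        return True
    return False


def find_suspicious_iframes(html, site_host):
    """Return the src of each hidden iframe whose host differs from site_host."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        # a relative src has no hostname and therefore stays on the site itself
        host = urlparse(src).hostname or site_host
        if host != site_host and _is_hidden(attrs):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_PAGE, "www.example-site.test"):
        print("suspicious hidden iframe:", src)
```

Run against a copy of the page fetched from the production web server (rather than the copy in the source repository) so that a modification made on the server itself, as happened at the KNF, is what gets inspected; a visible iframe from a foreign host is deliberately not flagged, because legitimate embedded widgets look exactly like that.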

Once downloaded and installed, the malware connected the infected computers to several remote servers, which is when the unexplained stream of outgoing traffic became apparent.

Researchers from BadCyber were confident that this was a classic strain of reconnaissance malware that had been tailored for this specific incident.

BadCyber was also the first cyber security firm to release file hashes associated with the threat, along with the command-and-control IP addresses behind the Remote Access Trojan.
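Published hashes and command-and-control addresses are only useful if they are actually matched against what a bank's own systems recorded, in particular the outgoing traffic mentioned above. The following is an added example, not code from the article or from BadCyber: it takes an indicator list and a few outbound-connection log lines, totals the bytes each internal host sent to a listed C2 address, and checks a file's SHA-256 against the hash set. Every IP address, hash and log line is constructed for the example (the IPs are from the 203.0.113.0/24 documentation range); the real indicators are not reproduced here.

```python
"""Match outbound-connection logs and file hashes against released indicators.

Added example, not code from the article or from BadCyber.  All indicators
and log lines below are constructed placeholders.
"""
import hashlib
from collections import defaultdict

# Constructed indicator list (placeholders, not the real published IoCs).
C2_IPS = {"203.0.113.10", "203.0.113.25"}
MALICIOUS_SHA256 = {
    hashlib.sha256(b"constructed-sample-dropper").hexdigest(),
}

# Constructed outbound-connection log: time src dst:port bytes_out
SAMPLE_LOG = """\
2017-02-03T08:01:12Z 10.1.4.22 198.51.100.7:443 1820
2017-02-03T08:01:30Z 10.1.4.22 203.0.113.10:443 52400
2017-02-03T08:02:05Z 10.1.4.22 203.0.113.10:443 61120
2017-02-03T08:03:41Z 10.1.7.9 203.0.113.25:8080 9800
2017-02-03T08:04:00Z 10.1.7.9 198.51.100.7:443 640
this line is malformed and must be skipped
"""


def parse_log(text):
    """Yield (src, dst_ip, port, bytes_out) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[2]:
            continue
        dst, port = parts[2].rsplit(":", 1)
        try:
            yield parts[1], dst, int(port), int(parts[3])
        except ValueError:
            continue


def c2_contacts(text, c2_ips=C2_IPS):
    """Return {internal_host: total_bytes} for hosts that talked to a listed C2 IP."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in parse_log(text):
        if dst in c2_ips:
            totals[src] += nbytes
    return dict(totals)


def is_known_malicious(data, bad_hashes=MALICIOUS_SHA256):
    """True if the SHA-256 of the given file bytes is in the indicator set."""
    return hashlib.sha256(data).hexdigest() in bad_hashes


if __name__ == "__main__":
    for host, nbytes in sorted(c2_contacts(SAMPLE_LOG).items()):
        print(f"{host} sent {nbytes} bytes to known C2 addresses")
    print("dropper matches indicator list:",
          is_known_malicious(b"constructed-sample-dropper"))
```

Totalling bytes per internal host, rather than just listing matching lines, is what turns a list of connections into the "stream of outgoing traffic" the article describes and gives the responder a ranked list of which workstations to image first.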

The fact that the malware was found to be undocumented in every major malware database is an indicator that it had been specifically engineered for use on the Polish banking system.

Although similar to various modern crimeware tools, the malware stands out in its numerous stages and layers of obfuscation that make it virtually undetectable by antivirus solutions.


Purpose of Malware Attack Still Unknown

Many of the affected banks have come out to reassure their clients that no funds were stolen in the attack, even though malware-induced encryption on their servers during the attack evidently prevented them from seeing any outgoing traffic.

The unidentified outgoing traffic remains the biggest question in this whole ordeal, since no funds have been reported missing as of yet.

Speculation that a foreign intelligence agency could be behind the elaborate attack is rife, although more than a few people believe this to be the work of a well-organized and resourceful crime syndicate.

The KNF has since cleaned up all traces of the malware on their website and the infected banks have followed suit.

Reports of the incident have already reached the Polish Computer Emergency Response Team (CERT) for acknowledgement of the existence, scope, and magnitude of the malware attack.

This one was a classic “watering hole attack”, a scenario in which malware is placed on a website frequented by the intended targets, and going by the number of reported infections, the attack made a notable impact.

Nevertheless, Polish banks are bracing for a larger and more devastating attack soon, given that the nature of this malware attack was reminiscent of network reconnaissance operations.
