Last week I tracked a story about attacks on Polish banks. What was interesting was that the attackers came for the data, not the money, and that the attack itself was described as sophisticated. Those reporting the story were concerned, and remarked that this was one of the most serious cyber attacks on banks that Poland had suffered.
We know that cybercrime is one of the most efficient business models there is. Attackers have refined their tactics and techniques to maximize gain and minimize effort. Sophistication, by contrast, takes time, money and effort, which is usually the purview of nation-states and the realm of APTs (Advanced Persistent Threats), Stuxnet being the classic example.
In this case, several Polish banks reported that they had noticed unusual network activity: traffic to "exotic" locations, encrypted executables that nobody knew of, and unauthorised files on key machines in the network. Further investigation confirmed malware infections. The attack was not a quick hit and run but a sophisticated operation that gained control over critical servers in the banks' infrastructure:
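The indicators the banks described (connections to unfamiliar destinations, unknown encrypted or packed executables, large outbound transfers) are the kind of thing a SOC can hunt for in proxy logs before anyone has a signature. The following is an added example to illustrate that triage, not code from the original post or from any of the incident reports: the log format, the hostnames and addresses (203.0.113.0/24 is documentation space), the "ZZ" country code, the expected-country list and the thresholds are all constructed assumptions and would be tuned to a real environment.

```python
import math
from collections import Counter

# Constructed proxy log, one request per line (not from the incident):
# timestamp src_ip dst_host dst_country bytes_out bytes_in content_type
SAMPLE_LOG = """\
2017-02-03T09:12:01 10.20.1.15 www.regulator.example PL 512 48211 text/html
2017-02-03T09:12:02 10.20.1.15 cdn.bank.example PL 300 120000 application/javascript
2017-02-03T09:12:09 10.20.1.15 203.0.113.77 ZZ 1024 391204 application/octet-stream
2017-02-03T09:15:30 10.20.1.15 203.0.113.77 ZZ 8388608 2048 application/octet-stream
2017-02-03T09:16:00 10.20.1.22 www.bank.example PL 400 9000 text/html
"""

# Assumptions: where this bank's traffic normally goes, and what counts as "large".
EXPECTED_COUNTRIES = {"PL", "DE", "US"}
EXFIL_BYTES = 1 * 1024 * 1024          # 1 MiB sent out in one request
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/x-dosexec"}


def parse_line(line: str) -> dict:
    """Split one constructed log line into named fields."""
    ts, src, host, country, b_out, b_in, ctype = line.split()
    return {"ts": ts, "src": src, "host": host, "country": country,
            "bytes_out": int(b_out), "bytes_in": int(b_in), "ctype": ctype}


def is_raw_ip(host: str) -> bool:
    """Direct-to-IP downloads are unusual for legitimate business traffic."""
    parts = host.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def triage(log_text: str) -> list:
    """Return (line_no, rule, dst_host) for every request that trips a rule."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        exotic = rec["country"] not in EXPECTED_COUNTRIES
        if exotic:
            alerts.append((n, "exotic-destination", rec["host"]))
        # A binary fetched from a raw IP or an unexpected country is worth a look
        # even when the AV engines have nothing to say about it yet.
        if rec["ctype"] in BINARY_TYPES and (is_raw_ip(rec["host"]) or exotic):
            alerts.append((n, "binary-from-unknown-host", rec["host"]))
        if rec["bytes_out"] >= EXFIL_BYTES:
            alerts.append((n, "large-outbound", rec["host"]))
    return alerts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(blob: bytes, threshold: float = 7.2) -> bool:
    """A PE file (MZ header) whose body is near-random is likely packed or encrypted.
    The threshold is an assumption; plain compiled code usually sits well below it."""
    return blob[:2] == b"MZ" and shannon_entropy(blob) > threshold


if __name__ == "__main__":
    for line_no, rule, host in triage(SAMPLE_LOG):
        print(f"line {line_no}: {rule} -> {host}")
    print("packed?", looks_packed(b"MZ" + bytes(range(256)) * 16))
```

Run stand-alone it prints the two suspicious requests to 203.0.113.77 (the second one also trips the outbound-volume rule) and says nothing about the regulator or bank hosts. The entropy check is the cheap first pass for the "encrypted executables that nobody knew of" indicator: it will not tell you what the file does, but a high-entropy PE that no inventory system knows about is exactly the kind of sample to pull for analysis.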
“the malware used in this attack has not been documented before. It uses some commercial packers and multiple obfuscation methods, has multiple stages, relies on encryption and at the moment of initial analysis was not recognised by available AV solutions. The final payload has the functionality of a regular RAT”
As of last Thursday, when I shared what I found, the suspicion was that the infection stemmed from a tampered JS file on the web server of the Polish financial sector regulatory body. Today it was confirmed. The site of the regulator for Polish banks was indeed contaminated with malware by some foreign source, a classic watering-hole: visitors from the banks were served the tampered script. The malware was responsible for data exfiltration, reconnaissance, and other undesirable activities. This is why we need to be paying close attention to what comes next:
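A tampered script on a trusted site is only visible to the site's operator, not to the banks visiting it, which is why a hash baseline over the web root is such a cheap and valuable control. The following is an added example of that check, not code from the original post or from the regulator; the directory layout, the file contents and the simulated tampering are all constructed for the demonstration, and the appended "loader" is a placeholder, not the actual injected code.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: these are the content types an attacker would alter to serve
# a payload to visitors; binaries like images are left out of the baseline.
WATCHED_SUFFIXES = {".js", ".html", ".htm", ".php"}


def sha256_file(path: Path) -> str:
    """Stream the file so large assets do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each watched file (path relative to the web root) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES}


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Build a constructed web root, baseline it, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "index.html").write_text(
            "<html><script src='/js/app.js'></script></html>\n")
        (root / "js" / "app.js").write_text("console.log('legit');\n")
        (root / "logo.png").write_bytes(b"\x89PNG constructed")   # not watched

        baseline = hash_tree(root)   # in practice: stored signed, off the host

        # Simulated compromise (constructed): append a loader stub to an
        # existing script, drop a new script, and touch an unwatched asset.
        with (root / "js" / "app.js").open("a") as f:
            f.write("/* injected */ (function(){ /* loader placeholder */ })();\n")
        (root / "js" / "x.js").write_text("// dropped file\n")
        (root / "logo.png").write_bytes(b"changed but ignored")

        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The report comes back with `js/app.js` modified and `js/x.js` added, and nothing about the image. Two practitioner caveats: keep the baseline (and the script) somewhere the web server's account cannot write, or an attacker who owns the box simply re-baselines after tampering; and run the comparison from a schedule outside the deployment pipeline, so a legitimate release produces an expected diff and anything else produces a page.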
This particular malware appears to be a new strain of nasty software which has never been seen before in live attacks and has a zero detection rate on VirusTotal.
There is no confirmation as to who is responsible, or what data was taken. One year ago, Polish banks were hit by GozNym in a series of targeted attacks. While this isn't GozNym, we should be looking for patterns and ties. This serves as a major heads-up. What are we seeing? Where aren't we looking?