Banks warned that malware that hit Bangladesh central bank is heading their way

A bespoke piece of malware seems to be at the centre of a massive cyber-fraud resulting in the theft of millions of dollars from Bangladesh Bank

Hackers used custom malware to attack Bangladesh Bank

Customised malware that covers up fraudulent financial transactions may have been behind a plot to steal $81 million (£55 million) from Bangladesh Bank.

Banks and other financial institutions have been urged to remain vigilant after software used to access the SWIFT (Society for Worldwide Interbank Financial Telecommunication) system was compromised.

According to BAE Systems, the malware targeted SWIFT's Alliance Access software and modified code so that it could alter the database recording the bank's activity. However, the findings do not reveal how the fraudulent orders were created or processed through the system.

The criminals tried to steal nearly a billion dollars from the bank. Most of these transfer requests were blocked, but $81 million was routed to accounts in the Philippines and diverted to casinos in the country. This money still remains missing.

The hack allowed criminals to delete outgoing transfer requests and intercept incoming ones. It also changed account balances to hide any wrongdoing from bank officials.

BAE Systems said malware called evtdiag was built specifically for the Bangladesh Bank's infrastructure and its copy of the SWIFT Alliance Access software.

“This malware appears to be just part of a wider attack toolkit, and would have been used to cover the attackers' tracks as they sent forged payment instructions to make the transfers,” said Sergei Shevchenko, a researcher with BAE. “This would have hampered the detection and response to the attack, giving more time for the subsequent money laundering to take place.”

He said that the malware registers itself as a service and operates within an environment running SWIFT's Alliance software suite, powered by an Oracle Database.

“The main purpose is to inspect SWIFT messages for strings defined in the configuration file,” he said. “From these messages, the malware can extract fields such as transfer references and SWIFT addresses to interact with the system database. These details are then used to delete specific transactions, or update transaction amounts appearing in balance reporting messages based on the amount of Convertible Currency available in specific accounts.”
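As an added example (not code from the article or from BAE's report), a defender-side reconciliation check in Python that compares the transfer records held in a local SWIFT-interface database against an independent archive of the messages actually sent, flagging the two effects described above: outgoing records deleted locally and amounts altered in local records. The MT-style message format is simplified to two tags and every sample value is constructed.

```python
import re
from decimal import Decimal

# Simplified MT-style record (constructed): only tag :20: (transaction
# reference) and tag :32A: (value date, currency, amount with a comma as
# decimal separator) are parsed. Real messages carry many more fields.
_TAG = re.compile(r"^:(20|32A):(.+)$", re.MULTILINE)

def parse_message(text):
    """Return (reference, currency, amount) from one constructed message."""
    fields = dict(_TAG.findall(text))
    ref = fields["20"].strip()
    m = re.fullmatch(r"(\d{6})([A-Z]{3})([\d,]+)", fields["32A"].strip())
    amount = Decimal(m.group(3).replace(",", "."))
    return ref, m.group(2), amount

def reconcile(local_messages, archive_messages):
    """Compare the local database view with an independent, write-once
    archive. Returns references deleted locally, references whose currency
    or amount differs, and references present locally but not archived."""
    local = {r: (c, a) for r, c, a in map(parse_message, local_messages)}
    archive = {r: (c, a) for r, c, a in map(parse_message, archive_messages)}
    return {
        "deleted_locally": sorted(set(archive) - set(local)),
        "amount_mismatch": sorted(r for r in archive
                                  if r in local and local[r] != archive[r]),
        "unknown_locally": sorted(set(local) - set(archive)),
    }

# Constructed sample: three outgoing transfers in the independent archive ...
ARCHIVE = [
    ":20:TRN0001\n:32A:160204USD20000000,00",
    ":20:TRN0002\n:32A:160204USD30000000,00",
    ":20:TRN0003\n:32A:160204USD31000000,00",
]
# ... while the local database has one record removed and one amount changed.
LOCAL = [
    ":20:TRN0001\n:32A:160204USD20000000,00",
    ":20:TRN0003\n:32A:160204USD1000,00",
]

if __name__ == "__main__":
    print(reconcile(LOCAL, ARCHIVE))
```

The check only works if the archive is written somewhere the interface host cannot modify; an archive on the same compromised system would be altered alongside the database.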

In response, SWIFT said it was aware of the malware and that it only affected client installations. It emphasised that its network and core messaging service had not been breached in any way.

“We understand that the malware is designed to hide the traces of fraudulent payments from customers' local database applications and can only be installed on users' local systems by attackers that have successfully identified and exploited weaknesses in their local security,” the organisation said in a statement.

It added that it would work with banks to spot anomalies in database records.

“However the key defense against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems – in particular those used to access SWIFT – against such potential security threats,” the statement said. “Such protections should be implemented by users to prevent the injection of malware into, or any misappropriation of, their interfaces and other core systems.”

Shevchenko said that banks should review security immediately.

“The wider lesson learned here may be that criminals are conducting more and more sophisticated attacks against victim organisations, particularly in the area of network intrusions (which has traditionally been the domain of the ‘APT’ actor). As the threat evolves, businesses and other network owners need to ensure they are prepared to keep up with the evolving challenge of securing critical systems,” he said.

Rob Pollard, GM EMEA at iSight Partners, told SCMagazineUK.com that this incident “demonstrates the difficulty in maintaining security in a cooperative system, such as SWIFT, which relies on members to properly install, implement and operate secure network infrastructure.”

“Following these events, it is possible that the SWIFT cooperative will conduct more aggressive advisement services for member banks,” he said.

Jonathan Sander, VP of Product Strategy at Lieberman Software, told SC that BAE Systems “casually mentions in their reporting of the Bangladesh central bank incident that the attackers' original intent was to steal credentials”.

“Security experts have come to assume that attackers go after credentials first as their gateway to getting all the good stuff an organisation may have to steal, but everyday practitioners still seem stuck on firewalls and other security basics. Of course, these folks apparently had little to no firewall to speak of, but that only doubly highlights that with no wall to keep a bad guy out the first thing they're after when they get in are the credentials.”