Security researchers have discovered a re-emerging international phishing campaign that delivers the Ramnit worm/botnet malware to financial organisations in Asia, and which they believe is heading for the UK as well.
According to a new report by researchers at CyberInt, the attackers disguise the phishing email as part of an internal anti-fraud exercise designed to enhance corporate security. Once a member of staff opens the fake email, its payload executes on the victim's machine and a malicious file is installed on the corporate network, without the knowledge of the employee who opened it.
The attacks, which have already started in the Philippines, use a known variant of the Ramnit worm/botnet trojan. Further examination of the executable code by CyberInt has revealed that it deploys various anti-analysis techniques and incorporates malware created to dynamically extract hidden code designed to protect the financial institution's most sensitive data.
In addition to the malicious file execution, the fake email also includes a link to a malicious phishing website mimicking a personal details form. A "verify my information" button in the email points to a URL that leads victims to a phishing website displaying an authentic-looking form.
Investigation of the various C2 domains used by the malware in the initial attacks in the Philippines reveals a wide variety of domains generated by DGAs (domain generation algorithms) that share the same "registrant" name, "Denis Shlyapovich", potentially indicating that a gang based in Russia may be behind the attacks.
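DGA-generated C2 domains like those described above tend to look different from the names a workstation normally resolves: long, high-entropy labels with few vowels and a mix of digits. The following Python script is an added illustration, not code from CyberInt's report, of the kind of heuristic a defender can run over DNS query logs to surface such names for review. The log lines, client addresses and domain names are constructed for the example; the point thresholds are assumptions and would need tuning against real traffic.

```python
import math
from collections import Counter
from typing import List, Tuple

# Constructed sample DNS query log: "<client> <queried name>" per line.
# These are not domains from the report.
SAMPLE_DNS_LOG = """\
10.0.0.12 www.example.com
10.0.0.12 mail.example.com
10.0.0.31 xkq7v2bdfzrt9p.com
10.0.0.31 hy3tqpw8lmzxc1.net
10.0.0.44 login.bank-portal.example
10.0.0.31 qz9fjw4xktnp2.org
"""


def registrable_label(fqdn: str) -> str:
    """Return the label just left of the TLD (e.g. 'example' for www.example.com).
    Assumes a single-label TLD; production code should use a public-suffix list."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking strings score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(label: str) -> float:
    """Heuristic score in [0, 1] built from integer points so results are exact.
    Thresholds are assumptions chosen for this example, not published values."""
    if not label:
        return 0.0
    points = 0
    if shannon_entropy(label) > 3.0:          # many distinct characters
        points += 4
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    if vowels < 0.25:                          # pronounceable words have more vowels
        points += 3
    if len(label) >= 12:                       # long labels are typical of DGAs
        points += 2
    digits = sum(ch.isdigit() for ch in label) / len(label)
    if digits > 0.1:                           # letter/digit mix
        points += 1
    return points / 10.0


def flag_dga_queries(log_text: str, threshold: float = 0.6) -> List[Tuple[str, str, float]]:
    """Return (client, fqdn, score) for every query whose label scores at or above threshold."""
    flagged = []
    for line in log_text.splitlines():
        client, fqdn = line.split()
        score = dga_score(registrable_label(fqdn))
        if score >= threshold:
            flagged.append((client, fqdn, score))
    return flagged


if __name__ == "__main__":
    for client, fqdn, score in flag_dga_queries(SAMPLE_DNS_LOG):
        print(f"{client} queried {fqdn} (score {score:.1f})")
```

Run as-is, the script lists only the three random-looking names queried by 10.0.0.31; the legitimate names, including the hyphenated "bank-portal" label that scores 0.4, fall below the threshold. A single host repeatedly resolving high-scoring names is the pattern worth pivoting on, since DGA malware typically queries many candidates before one resolves.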
According to Jason Hill, CyberInt's senior analyst, this "highly-sophisticated phishing campaign, potentially originating in Russia, has already targeted major financial institutions in Asia and now threatens banks in regions such as the UK and the US."
Edward Whittingham, managing director at The Defence Works, told SC Media UK that the absolute go-to behaviour users need to demonstrate is not to click on the link.
"Hovering over the link to see the destination URL is always a good idea. By doing this, users can check out the true destination which will typically not reflect the actual brand that it pretends to be from, or it will be close, but misconfigured in some way," he said.
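The hover check Whittingham describes, and the "verify my information" button mentioned earlier, can be automated at the mail gateway: extract every link from the HTML body and compare where it says it goes with where it actually goes. The Python script below is an added example written for this article, not code from The Defence Works or from the report. The email body, the trusted host list and the hostnames in it are constructed; the three checks (destination outside the organisation's own domains, destination is a bare IP address, visible URL text naming a different host than the href) are the ones a hovering user would be looking for.

```python
import ipaddress
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed HTML email body; hosts and addresses are documentation examples,
# not indicators from the campaign.
SAMPLE_EMAIL_HTML = """
<p>As part of our anti-fraud exercise, please
<a href="http://bank-secure-login.example.net/verify">verify my information</a>.</p>
<p>Or log in here:
<a href="http://198.51.100.7/login">https://www.examplebank.com/login</a></p>
<p>Help: <a href="https://www.examplebank.com/help">https://www.examplebank.com/help</a></p>
"""

# Assumed list of hosts the organisation legitimately links to.
TRUSTED_HOSTS = {"www.examplebank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_ip_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def audit_links(html_text: str, trusted_hosts: set) -> List[Tuple[str, str]]:
    """Return (href, reason) for every suspicious property of every link."""
    parser = LinkCollector()
    parser.feed(html_text)
    findings = []
    for href, text in parser.links:
        target = host_of(href)
        if target not in trusted_hosts:
            findings.append((href, f"destination host '{target}' is not a trusted domain"))
        if is_ip_address(target):
            findings.append((href, "destination is a bare IP address"))
        # The visible text pretends to be a URL: compare the host it shows with the real one.
        if text.lower().startswith(("http://", "https://")):
            shown = host_of(text)
            if shown and shown != target:
                findings.append((href, f"visible link shows '{shown}' but points to '{target}'"))
    return findings


if __name__ == "__main__":
    for href, reason in audit_links(SAMPLE_EMAIL_HTML, TRUSTED_HOSTS):
        print(f"{href}: {reason}")
```

On the sample body the "verify my information" link is flagged once (untrusted host), the IP-based login link three times, and the genuine help link not at all. The mismatch check is the automated form of the hover test: when the text of a link is itself a URL, any difference between the host it displays and the host in the href is a strong signal.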
Stephen Gailey, head of solutions architecture at Exabeam, told SC Media UK that adding a security orchestration, automation and response (SOAR) system would allow an automated response to every email identified by a UEBA (user and entity behaviour analytics) system.
"This form of attack is actually really common and organisations which don’t have a robust defence against it, whatever the source or intent, are just waiting for the inevitable breach. No amount of training or staff awareness will help as one breach is generally all it takes. No amount of threat intelligence will get you ahead of every possible vector for this attack!" he said.
Tim Callan, senior fellow at Sectigo, said that organisations can adopt S/MIME email certificates in order to avoid falling victim to malicious phishing tactics. "Each S/MIME email certificate contains the sender's authenticated email address, giving the receiver the means to confirm that requests for wire transfers and information of any kind come from authorised parties," he told SC Media UK.