Top 5 Cyber Threats Targeting Banking and Financial Institutions (October 2023)
At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts continuously monitors various platforms, gathers intelligence, and analyzes the latest cyber threats to provide insight into the risks that can affect organizations.
This monthly post provides a condensed overview of the threats encountered throughout the month.
Our team brings to you five significant threats that have recently targeted the banking and financial industry, including Silent Skimmer campaigns exploiting internet-facing applications, BBTok banking malware targeting users of 40+ Latin American banks, the Xenomorph banking trojan resurfacing with improved tactics, an advanced phishing campaign utilizing the EvilProxy phishing kit, and a new variant of Chaes malware striking financial and logistics customers.
1. Silent Skimmer campaign targets payment companies in APAC and NA
Silent Skimmer, a financially motivated threat actor, has been running an intricate web-skimming campaign for over a year. The campaign exploits internet-facing applications through a .NET deserialization vulnerability and deploys an array of malicious tools to steal sensitive financial data from users. While the actor’s identity has not been confirmed, indicators point to a Chinese hacker group. Initially concentrated in the APAC region, the campaign has extended its reach to North America, specifically targeting online businesses and organizations that rely on ASP.NET and IIS.
The attack begins with active scanning for and exploitation of vulnerabilities in internet-facing applications, with initial access gained through exploits such as CVE-2019-18935. Once inside, a malicious DLL (Dynamic Link Library) payload is delivered, starting a chain of actions that enables the deployment of various malicious tools, including downloader and remote access scripts, webshells, exploits, and Cobalt Strike beacons. The final phase centers on extracting sensitive user data, particularly financial information, which is stealthily routed through Cloudflare to obscure the data’s origin and destination.
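Defender-side triage for the intrusion chain above, written as an added example (not SISA's or the campaign's code). CVE-2019-18935 is the deserialization flaw in the Telerik UI for ASP.NET AJAX RadAsyncUpload handler, so one usable detection signal in IIS logs is a POST to that handler followed within minutes by successful requests to a server-side script the application never shipped, which is what a dropped webshell looks like. The log lines, the field order, the baseline script list and the correlation window are all constructed assumptions for this illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed IIS W3C sample (not real traffic). Assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2023-10-02 09:14:01 203.0.113.7 POST /Telerik.Web.UI.WebResource.axd type=rau 200
2023-10-02 09:14:02 203.0.113.7 POST /Telerik.Web.UI.WebResource.axd type=rau 200
2023-10-02 09:15:10 203.0.113.7 GET /uploads/temp/x.aspx - 200
2023-10-02 09:15:11 203.0.113.7 POST /uploads/temp/x.aspx - 200
2023-10-02 09:20:00 198.51.100.4 GET /checkout.aspx - 200
2023-10-02 09:21:00 198.51.100.4 POST /Telerik.Web.UI.WebResource.axd type=rau 200
"""

# Assumed baseline: server-side scripts the application is known to ship.
# In practice, build this from the deployment manifest, not by hand.
KNOWN_SCRIPTS = {"/default.aspx", "/login.aspx", "/checkout.aspx"}

# Handler abused by CVE-2019-18935 (Telerik RadAsyncUpload); compared lower-case.
RAU_HANDLER = "/telerik.web.ui.webresource.axd"
SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx")
CORRELATION_WINDOW = timedelta(minutes=30)


@dataclass
class Alert:
    severity: str   # "medium" or "high"
    client_ip: str
    reason: str


def parse_line(line):
    """Split one W3C line into a record; raises ValueError on malformed input."""
    date, time_, ip, method, stem, query, status = line.split()
    return {
        "ts": datetime.fromisoformat(f"{date} {time_}"),
        "ip": ip, "method": method, "stem": stem,
        "query": query, "status": int(status),
    }


def is_rau_post(rec):
    """POST to the RadAsyncUpload handler: a precondition for the exploit,
    but also what a legitimate file upload looks like, hence medium severity."""
    return (rec["method"] == "POST"
            and rec["stem"].lower() == RAU_HANDLER
            and "type=rau" in rec["query"].lower())


def is_unknown_script(rec):
    """Successful request to a server-side script that is not in the baseline."""
    stem = rec["stem"].lower()
    return (stem.endswith(SCRIPT_EXTENSIONS)
            and stem not in KNOWN_SCRIPTS
            and rec["status"] == 200)


def triage(log_text):
    """Return alerts in log order; an unknown script reached shortly after a
    RadAsyncUpload POST from the same client is escalated to high severity."""
    alerts = []
    rau_times_by_ip = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if is_rau_post(rec):
            rau_times_by_ip.setdefault(rec["ip"], []).append(rec["ts"])
            alerts.append(Alert("medium", rec["ip"],
                                f"POST to RadAsyncUpload handler {rec['stem']}"))
        if is_unknown_script(rec):
            reason = f"request to unknown server-side script {rec['stem']}"
            recent = [t for t in rau_times_by_ip.get(rec["ip"], [])
                      if timedelta(0) <= rec["ts"] - t <= CORRELATION_WINDOW]
            if recent:
                alerts.append(Alert("high", rec["ip"],
                                    reason + " within minutes of a RadAsyncUpload POST (possible webshell)"))
            else:
                alerts.append(Alert("medium", rec["ip"], reason))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"[{alert.severity:6}] {alert.client_ip:14} {alert.reason}")
```

Legitimate uploads also hit the RadAsyncUpload handler, so that signal on its own stays at medium severity; the high-severity alert comes only from the correlation with an unknown .aspx/.ashx path, and the baseline that decides what is "unknown" should come from the real deployment inventory rather than the hard-coded set used here.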
2. BBTok banking malware strikes Latin American banks
Security researchers recently uncovered a sophisticated cyber operation in Latin America involving a variant of the BBTok banking malware. This malware targets users of over 40 major banks in Mexico and Brazil, including Citibank, Scotiabank, Banco Itaú, and HSBC. The attackers create counterfeit interfaces that meticulously mirror the genuine banking portals of these institutions, aiming to deceive users into divulging sensitive information such as login credentials and two-factor authentication (2FA) codes.
To achieve this, the attackers use a custom server-side PowerShell script that generates tailored payloads for specific target banks. These payloads are distributed through phishing emails containing links that, when clicked, download malicious files adapted to the victim’s operating system, in either ZIP or ISO format. The attackers exhibit a deep understanding of their targets, differentiating their strategies for Windows 7 and Windows 10 systems. Notably, the presence of Portuguese in the infrastructure, specifically within a database named “links.sqlite,” suggests a Brazilian connection, providing crucial context for identifying the threat actors.
3. The new variant of Xenomorph banking trojan targets 30+ banks
A recent campaign targeting Android users in the United States, Canada, Spain, Italy, Portugal, and Belgium involves an updated variant of the Xenomorph Android banking trojan. Xenomorph, initially detected in February 2022, is known for its overlay-based approach to capture personally identifiable information (PII), with features like an automated transfer system, multi-factor authentication (MFA) bypass, and the ability to target numerous banks. In this recent campaign, phishing pages trick users into downloading a malicious APK under the guise of a Chrome browser update.
Xenomorph has also introduced new features, including an anti-sleep function, a “mimic” mode, and “ClickOnPoint” capabilities. Analysts who gained access to the malware operator’s infrastructure discovered additional malicious payloads, including Android malware variants, Windows information stealers, and a malware loader. The distribution of Xenomorph alongside desktop stealers raises questions about potential connections between threat actors, or about its transition to a Malware-as-a-Service (MaaS) offering used together with other malware families.
4. EvilProxy phishing kit targets Microsoft users of banks and FIs
Cybersecurity experts have uncovered an advanced phishing campaign that uses the EvilProxy phishing kit together with an open redirection vulnerability on Indeed.com, a popular job search platform. Targeting senior executives in sectors such as banking, financial services, insurance, property management, and manufacturing, the attackers exploit this vulnerability to harvest session cookies, potentially bypassing MFA systems. EvilProxy operates as a phishing-as-a-service platform, employing reverse proxies to relay communication between the target and the genuine online service, in this case Microsoft.
When a user accesses their account via this phishing website, which mimics the authentic Microsoft login page, the threat actor can capture authentication cookies. Since users have already completed the necessary MFA steps during login, the acquired cookies provide cybercriminals with full access to the victim’s account. The recent attack represents the initial stage of a more extensive attack sequence that could result in serious outcomes, such as identity theft, intellectual property theft, and significant financial harm.
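The open redirect that lends this campaign its credible-looking link can be closed at the redirect handler itself. What follows is an added example (not Indeed's code or the researchers' code) of the validation a defender would put in front of a "return to" parameter: it refuses anything that does not resolve to the site's own https origin and hands back an absolute URL that the application then redirects to, so browser-side parsing quirks never reach the Location header. The trusted host name and the sample targets are assumptions for the illustration:

```python
from urllib.parse import urljoin, urlsplit

# Assumed: the only host this application may send a user back to.
TRUSTED_HOST = "jobs.example.com"


def resolve_redirect(target, trusted_host=TRUSTED_HOST):
    """Return an absolute https URL on `trusted_host`, or None if `target`
    would take the user anywhere else. The redirect handler must send the
    returned value, never the raw parameter."""
    if not target or any(ch in target for ch in "\\\r\n\t "):
        # Backslashes and control characters are parsed differently by
        # browsers and server-side libraries; refuse rather than guess.
        return None
    try:
        raw = urlsplit(target)
        if raw.scheme not in ("", "https"):
            return None  # javascript:, data:, an http: downgrade, and so on
        # Resolve relative targets against our own origin so the URL we
        # emit is absolute and unambiguous; "///evil.example" becomes
        # "https://jobs.example.com/evil.example", a harmless local path.
        resolved = urlsplit(urljoin(f"https://{trusted_host}/", target))
        port = resolved.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if resolved.scheme != "https":
        return None
    if resolved.username is not None or resolved.password is not None:
        return None  # "https://jobs.example.com@evil.example/" style tricks
    if resolved.hostname != trusted_host or port not in (None, 443):
        return None
    return resolved.geturl()


# Constructed inputs a redirect parameter might carry (not observed samples).
SAMPLE_TARGETS = [
    "/account/settings",
    "https://jobs.example.com/apply?id=7",
    "///evil.example",
    "//evil.example/phish",
    "https://jobs.example.com@evil.example/",
    "https://jobs.example.com.evil.example/login",
    "https://jobs.example.com:8443/",
    "javascript:alert(1)",
    "/\\evil.example",
]

if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"{t!r:45} -> {resolve_redirect(t)}")
```

Refusing plain http targets is a deliberate choice here; a site that still serves http would relax that check. The validator also rejects user-info, non-default ports, backslashes and look-alike hosts such as `jobs.example.com.evil.example`, since each of these has been used to make a hostile URL pass a naive "starts with our domain" comparison.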
5. New Chaes malware variant targeting financials and logistics customers
The banking and logistics industries are facing a new and evolved malware variant called Chaes, which primarily targets e-commerce customers in Latin America, with a strong focus on Brazil, to steal sensitive financial information. Despite significant architectural changes, Chaes maintains a consistent delivery mechanism, deploying malicious files through compromised websites to establish communication with a command-and-control server. Chaes now extends its reach to target cryptocurrency transfers and instant payments via Brazil’s PIX platform, underlining its financial motivations.
Notably, Chaes has undergone a complete rewrite in Python, making it less conspicuous to conventional defense systems and enabling it to infiltrate target systems with a reduced risk of detection. The malware operates via a multi-module architecture, including a core module, “ChaesCore,” which establishes communication with the command-and-control server, and various other modules for post-compromise activities and data theft, such as credential stealing and browser data pilfering.
Key recommendations to combat cyber risks
- Monitor bank statements and transactions for any unauthorized or suspicious activities. Report any discrepancies to the bank promptly.
- Deploy advanced email filtering solutions that utilize machine learning and AI algorithms to detect and block phishing attempts.
- Protect web applications against common vulnerabilities like XSS and Cross-Site Request Forgery (CSRF) that can lead to session cookie theft.
- Keep all systems, applications, and plugins up to date with the latest security patches to minimize vulnerabilities.
- Download apps only from the official or reputable app stores. Avoid third-party app sources, as they often host malicious apps.
- Train employees to recognize phishing attempts and suspicious activities to reduce the likelihood of successful attacks.
- Review the permissions requested by apps before installation and avoid apps that request excessive or unnecessary access to the device.
- Implement robust security monitoring and detection mechanisms to identify suspicious activities on web servers and applications.
- Implement MFA and strong password policies, wherever possible, to strengthen access security.
- Stay updated on the tactics, techniques, and infrastructure used by cyber criminals by leveraging Indicators of Compromise (IOCs) provided by security researchers.
To get updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch, our daily actionable threat advisories, or check out SISA Weekly Threat Watch on our website.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.