Top 5 Most Alarming Threats Targeting Payments Industry (April 2024)

At SISA, we understand the ever-evolving nature of cyber threats and the importance of staying one step ahead to protect your organization’s sensitive data and assets. Our dedicated team of experts is constantly monitoring various platforms, gathering intelligence, and analyzing the latest cyber threats to provide valuable insights into the latest cyber risks that can impact organizations.

This monthly post provides a condensed overview of the threats encountered throughout the month.

Our team brings to you five significant cyber threats that have recently been active with their targeted attacks on the payments industry worldwide, including the exploitation of Magento vulnerability to steal payment information, a decade-long threat ‘RUBYCARP’ targeting financial information, CoralRaider cybercrime group stealing financial data across Asia, Android banking trojan ‘Vultur’ resurfacing with enhanced capabilities, and Mispadu banking Trojan targeting financial institutions.

Read on to discover more… 

1. Magento vulnerability allows hackers to steal payment information

Cybercriminals are exploiting a critical vulnerability in Magento, identified as CVE-2024-20720, to implant a persistent backdoor into online retail platforms, enabling arbitrary code execution. Security analysts have uncovered a sophisticated method involving manipulated layout templates stored in the database, which automatically inserts malicious code for executing arbitrary commands. Attackers utilize the Magento layout parser in conjunction with the default-installed beberlei/assert package, triggering the injected code upon accessing ‘/checkout/cart,’ leading to the delivery of a Stripe payment skimmer to steal and transmit financial data.

Meanwhile, the Russian government has charged six individuals for employing skimmer malware to pilfer credit card details from foreign e-commerce platforms since late 2017. The arrests allegedly resulted from the illicit acquisition and subsequent sale of information related to nearly 160 thousand payment cards of foreign nationals through clandestine internet avenues. Adobe Commerce versions affected by this vulnerability include 2.4.6-p3, 2.4.5-p5, 2.4.4-p6, and earlier iterations, posing significant risks to online retailers.

2. ‘RUBYCARP’: A decade-long threat that steals financial information

A recent report has uncovered RUBYCARP, a Romanian cyber threat group maintaining a persistent botnet for over a decade, orchestrating crypto mining, DDoS, and phishing attacks. Managed through private IRC channels, the botnet comprises over 600 compromised servers. With a detection rate of only eight out of 39 variants recognized, RUBYCARP exhibits low visibility for its Perl-based shellbot payloads. They target financial information through various methods, including exploiting vulnerabilities like CVE-2021-3129 in Laravel applications, brute-force attacks against SSH servers, and credential dumps to compromise WordPress sites.

RUBYCARP’s activities encompass launching DDoS attacks, engaging in phishing for financial data from European entities such as Swiss Bank and Nets Bank, and deploying mining tools like NanoMiner and XMrig to exploit victims’ resources for mining cryptocurrencies like Monero and Ethereum. Despite not being the largest botnet operator, RUBYCARP’s decade-long evasion of detection underscores its sophistication, with implications of involvement in developing and selling cyber weapons, suggesting a substantial arsenal for conducting financial cyber operations.

3. Vietnam-based hackers steal financial data across Asia with malware

Security researchers have identified CoralRaider, a financially motivated cybercrime group believed to be based in Vietnam, targeting victims across Asia and Southeast Asia since at least May 2023. CoralRaider employs advanced malware such as RotBot, a customized variant of Quasar RAT, and XClient stealer to steal sensitive credentials, financial data, and social media accounts, particularly focusing on business and advertisement accounts. The group utilizes various other commodity malware like AsyncRAT, NetSupport RAT, and Rhadamanthys, demonstrating proficiency in their operations with Telegram communication channels and Vietnamese language elements integrated into their malware.

The attack vectors involve distributing Windows shortcut files (LNK) to initiate the execution of HTML application (HTA) files, followed by PowerShell commands to bypass security measures. RotBot establishes communication with a Telegram bot to deploy XClient stealer, which exfiltrates a wide range of sensitive information from web browsers and social media platforms, including Facebook business and advertisement account details. Additionally, a malvertising campaign on Facebook was also disclosed, leveraging the popularity of generative AI tools, disseminating information stealers like Rilide, Vidar, IceRAT, and Nova Stealer.

4. Vultur Android banking malware resurfaces with refined capabilities

The Android banking trojan Vultur has resurfaced with enhanced functionalities and sophisticated evasion tactics, as reported by security researchers. It now employs encrypted communication channels, dynamically decrypted payloads, and camouflage within seemingly legitimate applications. The infection cycle begins with a deceptive SMS alert, leading victims to a tampered version of the McAfee Security app containing the ‘Brunhilda’ malware dropper. Once installed, Vultur executes multiple payloads, exploiting Accessibility Services and establishing contact with the command-and-control server.

Retaining previous capabilities such as screen recording and keylogging, the latest version introduces expanded file management features and utilizes Accessibility Services for user interactions, while evading detection by blocking specific apps and overriding Keyguard to bypass lock screen security. Furthermore, it integrates encrypted communications and native code for payload decryption, augmenting evasion, and remote-control functionalities.

5. Mispadu banking Trojan targets Europe, thousands of credentials compromised

Mispadu, also known as URSA, has expanded its target range from Latin America and Spanish-speaking populations to include individuals in Italy, Poland, and Sweden. The ongoing campaign, dating back to April 2023, spans various sectors such as finance, services, automotive manufacturing, legal firms, and commercial establishments. Initially detected in 2019, Mispadu focused on Brazilian and Mexican financial institutions, utilizing deceptive tactics like fake pop-up windows for credential theft.

Leveraging a patched Windows SmartScreen security bypass flaw (CVE-2023-36025, CVSS score: 8.8) to target users in Mexico, the infection process involves invoice-themed emails with PDF attachments leading to the download of a ZIP archive containing an MSI installer or an HTA script. This initiates the retrieval and execution of a Visual Basic Script (VBScript) loader for the Mispadu payload, employing heavy obfuscation and Anti-VM checks to evade analysis and detection. The attacks utilize two distinct command-and-control (C2) servers for delivering payloads and exfiltrating stolen credentials from over 200 services.

Key recommendations to combat cyber risks: 

• Ensure timely installation of security patches and updates for all software and systems to mitigate known vulnerabilities exploited by malware.
• Implement multi-factor authentication (MFA) for admin access and other critical accounts to prevent unauthorized logins, even if passwords are compromised.
• Increase network monitoring and logging capabilities to detect unauthorized access attempts, brute-force attacks, or suspicious activities indicative of botnet activity.
• Conduct phishing awareness training for employees to educate them on recognizing and reporting phishing attempts.
• Deploy and maintain endpoint security solutions such as antivirus/anti-malware software, intrusion detection/prevention systems (IDS/IPS), and endpoint detection and response (EDR) tools to protect against botnet infections.
• Be wary of unsolicited SMS alerts or messages, especially those urging immediate action or containing suspicious links.
• Thoroughly review the permissions requested by applications during installation and grant access only to essential functionalities necessary for the intended purpose.
• Conduct a comprehensive assessment of existing cybersecurity measures and vulnerabilities within financial institutions.
• Segment networks to limit access to sensitive financial data and prevent lateral movement by attackers in case of a breach.