Several Polish banks have been hacked by unknown attackers. The threat is delivered sneakily, via a watering hole attack, whereby a trusted but compromised website redirects to a landing page (the Polish Financial Supervision Authority) boobytrapped with an exploit.
In a new blog post ESET deliver technical details of this, as-yet minimally documented, malware. Their key findings show:
- The website of the equivalent Mexican authority, Comisión Nacional Bancaria y de Valores (National Banking and Securities Commission), also served identical malicious redirects.
- If the exploit kit successfully delivers the intended malware, the malicious payload – a 64-bit console application – is executed on the victim’s computer.
- The encryption algorithm employed is quite a recent RC4-like stream cipher called Spritz (https://people.csail.mit.edu/rivest/pubs/RS14.pdf, 2014).
- The loader is protected by a commercial packer called Enigma Protector and the module is stored in an encrypted state, waiting for the loader to unleash it.
- In final stage of infection, the relatively large module (~730 kB) that contains the main features of the malware: to communicate with the C&C and receive orders from operators, injects itself into all running sessions on the compromised Windows system.
- There is only one encrypted URL stored in the module. Communication is encrypted.
Considering the artifacts in the code, ESET have concluded that this is neither some reuse of code existing long before these recent Polish banking attacks, nor a forgotten, discontinued project. Moreover, ESET have observed occurrences of malware resembling this example in the past few weeks.
The full technical details are available in the ESET blog: http://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/