Malware News New Odinaff Trojan Targeting Banking Sector Linked to Carbanak Gang

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Symantec has discovered evidence that a new trojan that's predominantly targeting the banking sector has ties with Carbanak, a cybercrime gang responsible for stealing more than $1 billion from 100 banks across 30 countries in 2013 and 2014.

Identified for the first time in January 2016, this new trojan, named Odinaff, has been discovered on compromised networks of various companies activating mainly in the banking sector, but also the securities, trading, and payroll verticals.

While Symantec says it found the trojan on computers in companies activating in various industries, almost all computers ran financial software applications, showing the group's penchant for financially-motivated attacks.

Odinaff spread via malicious docs
Symantec says the crooks use spear-phishing emails, targeting selected individuals with carefully crafted emails that contain malicious Word documents.

These booby-trapped documents help the crooks install the Odinaff malware, which according to researchers, is a relatively simple tool.

Researchers say the trojan's main purpose is to get a foothold on infected computers, gain boot persistence, and then download other malicious software, to facilitate more complex attacks.

Some of the tools Symantec says it observed Odinaff download include the Mimikatz password-dumping application, the PsExec process execution toolkit, the Netscan network scanner, the Ammyy Admin remote desktop utility, and Runas, a tool for running processes as another user.

Odinaff infrastructure connected with previous Carbanak attacks
In some cases, Symantec says Odinaff downloaded the Batel backdoor trojan, a tool deployed in past Carbanak attacks, used mainly by the group.

Besides Batel, Symantec says Odinaff used three C&C server IP addresses connected to previous Carbanak attacks. Furthermore, one IP address was tied to the recent Oracle MICROS security breach, an attack attributed to the Carbanak gang by security researcher Brian Krebs.

Odinaff used in SWIFT attacks
Besides regular financial software deployed at banks and financial firms, Odinaff appears to have targeted the highly sensitive SWIFT inter-banking transaction system, an IT system which banks have to safeguard with high-grade security defensive measures.

"Symantec has found evidence that the Odinaff group has mounted attacks on SWIFT users, using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions," researchers said. "The tools used are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of customers’ local SWIFT software environment."

While Odinaff includes this custom C-coded module for hiding illegal SWIFT banking transactions, Symantec doesn't believe Odinaff is responsible for the recent wave of SWIFT attacks.

Those attacks, attributed to the Lazarus Group, were carried using a malware family named Banswift, which doesn't appear to share any code with Odinaff, despite both targeting the SWIFT network.

For once, users can breathe easy, since this malware targets only the bank and its employees, and not its customers.

 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top