Tag Archive for: financial

The Brazilian financial malware you can’t see, part one


Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme.

PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this malware attacking banks in Brazil.

A hidden threat

Within IBM Trusteer, we saw several different techniques to hide malware from its victims. Most banking malware conceals its existence on the mobile device by hiding its launcher icon from the victim using the SetComponentEnabeldSetting application programming interface (API). However, since Android 10, that technique no longer works due to new restrictions imposed by Google.

To address this new challenge, PixPirate introduced a new technique to hide its icon that we have never seen financial malware use before. Thanks to this new technique, during PixPirate reconnaissance and attack phases, the victim remains oblivious to the malicious operations that this malware performs in the background.

PixPirate abuses the accessibility service to gain RAT capabilities, monitor the victim’s activities and steal the victim’s online banking credentials, credit card details and login information of all targeted accounts. If two-factor authentication (2FA) is needed to complete the fraudulent transaction, the malware can also access, edit and delete the victim’s SMS messages, including any messages the bank sends.

PixPirate uses modern capabilities and poses a serious threat to its victims. Here is a short list of PixPirate’s main malicious capabilities:

  • Manipulating and controlling other applications
  • Keylogging
  • Collecting a list of apps installed on the device
  • Installing and removing apps from the infected device
  • Locking and unlocking device screen
  • Accessing registered phone accounts
  • Accessing contact list and ongoing calls
  • Pinpointing device location
  • Anti-virtual machine (VM)…

Source…

AllaKore RAT Malware Targeting Mexican Firms with Financial Fraud Tricks


Jan 27, 2024NewsroomMalware / Software Update

AllaKore RAT Malware

Mexican financial institutions are under the radar of a new spear-phishing campaign that delivers a modified version of an open-source remote access trojan called AllaKore RAT.

The BlackBerry Research and Intelligence Team attributed the activity to an unknown Latin American-based financially motivated threat actor. The campaign has been active since at least 2021.

“Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process,” the Canadian company said in an analysis published earlier this week.

“The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud.”

Cybersecurity

The attacks appear to be designed to particularly single out large companies with gross revenues over $100 million. Targeted entities span retail, agriculture, public sector, manufacturing, transportation, commercial services, capital goods, and banking sectors.

The infection chain begins with a ZIP file that’s either distributed via phishing or a drive-by compromise, which contains an MSI installer file that drops a .NET downloader responsible for confirming the Mexican geolocation of the victim and retrieving the altered AllaKore RAT, a Delphi-based RAT first observed in 2015.

“AllaKore RAT, although somewhat basic, has the potent capability to keylog, screen capture, upload/download files, and even take remote control of the victim’s machine,” BlackBerry said.

The new functions added to the malware by the threat actor include support for commands related to banking fraud, targeting Mexican banks and crypto trading platforms, launching a reverse shell, extracting clipboard content, and fetching and executing additional payloads.

The threat actor’s links to Latin America come from the use of Mexico Starlink IPs used in the campaign, as well as the addition of Spanish-language instructions to the modified RAT payload. Furthermore, the lures employed only work for companies that are large enough to report directly to the Mexican Social…

Source…

how financial institutions can prepare to react quickly through regulatory compliance


All over the world, the number of attacks by cybercriminals targeting the financial sector is increasing, and the UK & Ireland is no exception
to this trend. According to Veritas research half of UK organisations said that, over the past two years, they had been the victim
of at least one successful ransomware attack in which hackers were able to infiltrate their systems.   

The increasing profitability of these attacks for the criminals, means a whole new industry – Ransomware-as-a-Service (RaaS) – is growing rapidly.  Professional hackers, exploiting AI-driven target identification, breach execution, victim extortion, and
ransom collection, all offering their malware as a service to the highest bidder.  

The increasing threat this poses to national economies led the EU to pass the Digital Operational Resilience Act (DORA) setting out specific requirements
for financial service providers concerning risk management. DORA legislated specifically on key areas including reporting accuracy of any ICT-related incidents, and management of third party risk.   

This means that when an attack on any financial services provider occurs, the decisions and actions taken in the hour following an attack will be decisive for the level of organisational impact, and the ultimate survival of the business.  

For financial institutions, process predictability is paramount  

IT teams must prepare thoroughly to anticipate an attack by implementing effective operational resiliency practices to secure their data.  Ongoing training for IT and business teams, together with tools for data identification and visibility, are critical
when it comes meeting regulatory requirements.   

As part of the ICT risk management process to comply with DORA regulations, successful completion of a specialised audit to identify all types, locations and classifications of data and storage infrastructure must be carried out. These rules have been developed to
help prevent and mitigate cyber threats and ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats.  

Compliance with these processes…

Source…

Fidelity National Financial discloses cyberattack previously linked to ransomware gang


Insurance and settlement service giant Fidelity National Financial Inc. has officially disclosed that they suffered from a “cybersecurity incident” that the infamous ransomware gang ALHPV/BlackCat claimed responsibility for in November.

The disclosure came via a Jan. 9 filing with the U.S. Securities and Exchange Commission, which states that Fidelity National became aware of a cybersecurity incident on Nov. 19 that impacted certain systems. The company then ticked off the standard response list: hiring third-party experts, notifying law enforcement and regulatory authorities and taking measures to block access to affected systems.

The incident is described as causing “varying levels of disruption” before being contained on Nov. 26 and systems restored. An investigation completed on Dec. 19 subsequently found that an unauthorized third party had accessed certain systems, deployed malware and exfiltrated certain data.

Fidelity National added that it has no evidence that any customer-owned system was directly impacted in the incident and no customer has reported that this has occurred. The last confirmed date of unauthorized third-party activity in the company’s network occurred Nov. 20.

Affected customers have been notified and offered credit monitoring, web monitoring and identity theft restoration services. Fidelity is also continuing to coordinate with law enforcement, its customers, regulators, advisers and other stakeholders.

What’s missing from the disclosure is any mention of ransomware. Companies describing attacks at cybersecurity incidents aren’t new, but usually, the notices don’t follow widespread media coverage of them being targeted by a ransomware gang. That ALPHV/BlackCat is behind the attack is also highly believable, as the ransomware gang was one of the most prolific through 2023.

Cybersecurity experts agree with Craig Jones, vice president of security operations at SecOps security company Ontinue Inc., telling SiliconANGLE that per the SEC filing, the attack involved data exfiltration,

“Fidelity National Financial appears to have experienced a ransomware attack attributed to the ALPHV/BlackCat ransomware group,” Jones said….

Source…