TWO BYTES TO $951M
The technical details of the attack have yet to be made public; however, we have recently identified tools uploaded to online malware repositories that we believe are linked to the heist. The custom malware was submitted by a user in Bangladesh and contains sophisticated functionality for interacting with the local SWIFT Alliance Access software running in the victim's infrastructure.
This malware appears to be just part of a wider attack toolkit, and would have been used to cover the attackers' tracks as they sent forged payment instructions to make the transfers. This would have hampered detection of and response to the attack, giving more time for the subsequent money laundering to take place.
The tools are highly configurable and, given the correct access, could feasibly be used for similar attacks in the future.
Malware samples
| SHA1 | Compile time | Size (bytes) | Filename |
| --- | --- | --- | --- |
| 525a8e3ae4e3df8c9c61f2a49e38541d196e9228 | 2016-02-05 11:46:20 | 65,536 | evtdiag.exe |
| 76bab478dcc70f979ce62cd306e9ba50ee84e37e | 2016-02-04 13:45:39 | 16,384 | evtsys.exe |
| 70bf16597e375ad691f2c1efa194dbe7f60e4eeb | 2016-02-05 08:55:19 | 24,576 | nroff_b.exe |
| 6207b92842b28a438330a2bf0ee8dcab7ef0a163 | N/A | 33,848 | gpca.dat |
We believe all files were created by the same actor(s), but the main focus of the …
IoC
196.202.103.174
525a8e3ae4e3df8c9c61f2a49e38541d196e9228
6207b92842b28a438330a2bf0ee8dcab7ef0a163
70bf16597e375ad691f2c1efa194dbe7f60e4eeb
76bab478dcc70f979ce62cd306e9ba50ee84e37e
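The SHA1 hashes, filenames and IP address above are the only indicators the page gives, and the natural defender use of them is a sweep: hash every file under a directory and flag exact SHA1 matches as strong hits, flag matching filenames alone as weak hits that need hash verification, and grep log lines for the listed IP. The script below is an added example, not code from the original post or from BAE Systems; it uses the indicators from the page verbatim, and the sample file contents and firewall log lines it builds are constructed placeholders, so it runs offline without the real binaries.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Indicators copied from the sample table and IoC list on the page.
IOC_SHA1 = {
    "525a8e3ae4e3df8c9c61f2a49e38541d196e9228": "evtdiag.exe",
    "76bab478dcc70f979ce62cd306e9ba50ee84e37e": "evtsys.exe",
    "70bf16597e375ad691f2c1efa194dbe7f60e4eeb": "nroff_b.exe",
    "6207b92842b28a438330a2bf0ee8dcab7ef0a163": "gpca.dat",
}
IOC_IP = {"196.202.103.174"}

# Constructed log lines (not real traffic); 192.0.2.10 is a documentation address.
LOG_LINES = [
    "2016-02-04 13:50:01 fw allow src=10.0.0.5 dst=196.202.103.174 dport=443",
    "2016-02-04 13:50:02 fw allow src=10.0.0.5 dst=192.0.2.10 dport=443",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sha1_of_file(path, chunk=1 << 16):
    """Stream a file through SHA1 so large binaries do not have to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_directory(root, sha1_iocs=IOC_SHA1):
    """Walk root and return (path, reason) pairs.

    A SHA1 match is a strong hit. A filename match without a hash match is
    reported separately: the names are generic-looking, so it only tells the
    analyst where to look, not that the file is malicious.
    """
    hits = []
    ioc_names = {name.lower() for name in sha1_iocs.values()}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha1_of_file(path)
            if digest in sha1_iocs:
                hits.append((path, "sha1 match (%s)" % sha1_iocs[digest]))
            elif name.lower() in ioc_names:
                hits.append((path, "filename match only; verify hash"))
    return hits


def scan_log_lines(lines, ips=IOC_IP):
    """Return (line_index, ip) for every listed IP that appears in a log line."""
    hits = []
    for i, line in enumerate(lines):
        for ip in IPV4_RE.findall(line):
            if ip in ips:
                hits.append((i, ip))
    return hits


def demo():
    """Build a throwaway directory with a constructed file and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        sample = Path(root) / "evtsys.exe"  # name from the page, content constructed
        sample.write_bytes(b"constructed placeholder, not the real binary\n")
        digest = sha1_of_file(sample)
        # Against the page's real hashes the placeholder can only match by name.
        weak = sweep_directory(root)
        # Feeding its own digest in as an IoC exercises the strong-match path.
        strong = sweep_directory(root, {digest: "constructed sample"})
    return {
        "weak": weak,
        "strong": strong,
        "log_hits": scan_log_lines(LOG_LINES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Point `sweep_directory` at the directories where SWIFT Alliance Access and its helper tools live on a suspect host, and treat a filename-only hit as a lead rather than a verdict; the hash list is what ties a file to these specific samples.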