New ATR Findings: Hidden Cobra Targets Financial Sector Credit: Ahmad Ardity/Pixabay

New ATR Findings: Hidden Cobra Targets Financial Sector

McAfee's Advanced Threat Research (ATR) group has discovered the cybercrime cabal Hidden Cobra continues to target cryptocurrency and financial organisations with the return of the Bankshot malware impact surfacing in the Turkish financial system.

In this new, more-aggressive attack, the Bankshot implant has returned after first appearing in 2017. Bankshot is designed to persist on a victims network for further exploitation, which is why the McAfee Advanced Threat Research team believes this operation is intended to gain access to specific financial organisations.

Based on the analysis, financial organisations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document. The document contains an embedded Adobe Flash exploit, which was recently announced by the Korean Internet Security agency. The exploit, which takes advantage of CVE-2018-4878, allows an attacker to execute arbitrary code such as an implant.

Further investigation into the campaign shows that the infection occurred on March 2nd and 3rd. The implant’s first target was a major government-controlled financial organisation. It next appeared in another Turkish government organisation involved in finance and trade. A further three large financial institutions in Turkey were victims of this attack. The campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.

Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similar named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created on the 27th of December in 2017 and was updated on February 19th, just a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victims system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions.

The Bankshot implant is attached to a malicious Word document with the filename Agreement.docx. The document appears to be an agreement template for Bitcoin distribution between an unknown individual in Paris and a to-be-determined cryptocurrency exchange. The document contains an embedded Flash script that exploits CVE-2018-4878 and downloads and executes the DLL implant from falcancoin.io.

The implants are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants code.

The campaign has a high chance of success against victims who have an unmatched version of Flash. Documents with the Flash exploit managed to evade static defences and remain undetected as an exploit on VirusTotal.

IDG Insider

PREVIOUS ARTICLE

«Where will Microsoft spend $5B on IoT?

NEXT ARTICLE

This tech university is on 'a mission to Mars'»
author_image
IDG Connect

IDG Connect tackles the tech stories that matter to you

Most Recent Comments

Our Case Studies

IDG Connect delivers full creative solutions to meet all your demand generatlon needs. These cover the full scope of options, from customized content and lead delivery through to fully integrated campaigns.

images

Our Marketing Research

Our in-house analyst and editorial team create a range of insights for the global marketing community. These look at IT buying preferences, the latest soclal media trends and other zeitgeist topics.

images

Poll

Should the government regulate Artificial Intelligence?