Tag Archive for: Banking

New Python Variant of Chaes Malware Targets Banking and Logistics Industries


Sep 05, 2023 | THN | Cyber Threat / Malware


Banking and logistics industries are under the onslaught of a reworked variant of a malware called Chaes.

“It has undergone major overhauls: from being rewritten entirely in Python, which resulted in lower detection rates by traditional defense systems, to a comprehensive redesign and an enhanced communication protocol,” Morphisec said in a new detailed technical write-up shared with The Hacker News.

Chaes, which first emerged in 2020, is known to target e-commerce customers in Latin America, particularly Brazil, to steal sensitive financial information.

A subsequent analysis from Avast in early 2022 found that the threat actors behind the operation, who call themselves Lucifer, had breached more than 800 WordPress websites to deliver Chaes to users of Banco do Brasil, Loja Integrada, Mercado Bitcoin, Mercado Livre, and Mercado Pago.

Further updates were detected in December 2022, when Brazilian cybersecurity company Tempest Security Intelligence uncovered the malware’s use of Windows Management Instrumentation (WMI) in its infection chain to facilitate the collection of system metadata, such as BIOS, processor, disk size, and memory information.


The latest iteration of the malware, dubbed Chae$ 4 in reference to debug log messages present in the source code, packs in “significant transformations and enhancements,” including an expanded catalog of services targeted for credential theft as well as clipper functionalities.

Despite the changes in the malware architecture, the overall delivery mechanism has remained the same in attacks that were identified in January 2023.


Potential victims landing on one of the compromised websites are greeted by a pop-up message asking them to download an installer for Java Runtime or an antivirus solution, triggering the deployment of a malicious MSI file that, in turn, launches a primary orchestrator module known as ChaesCore.

The component is responsible for establishing a communication channel with the command-and-control (C2) server, from where it fetches additional modules that support post-compromise activity and data theft:

  • Init, which gathers extensive information about the system
  • Online, which…


Cyber criminals shut down CT credit union’s online banking


A computer system shutdown that Charter Oak Federal Credit Union officials said was triggered by unidentified cyber criminals has left members unable to access their accounts online at the financial institution’s website since Friday afternoon.

Brian Orenstein, the Waterford-based credit union’s president and chief executive officer, said Monday that Charter Oak officials still aren’t certain when online banking capabilities or access to the website will be restored. Orenstein said the credit union’s information technology and security teams were forced to shut down access to the website and online banking portal on Friday because of the actions of unidentified “bad actors” trying to access members’ personal information.

“We detected some unusual activity on the website on Wednesday,” he said. “The IT team and cyber security experts acted immediately to protect member data and assets. In the process of throttling up online security, Charter Oak’s domain was temporarily locked which has resulted in downtime for the main website and online banking.”

Charter Oak has approximately 80,000 members and about half of them do online banking, Orenstein said. Shortly after the website and online banking platform were shut down, he said fake websites purporting to be the legitimate Charter Oak web page began cropping up.


Orenstein said members can still do their banking over the phone or at any one of the credit union’s 15 branches across New London and Windham counties.

“There has been no money or member data lost,” Orenstein said. “Because the system is down, the fraudsters can’t get to the website. We are encouraging members who may have provided any login or password information to contact us so we can create new logins and passwords for them, because once the website is restored, customers will be at risk of having their online accounts accessed by these individuals.”

In an email communication to credit union members, Orenstein emphasized Charter Oak’s commitment to securing members’ personal information, saying that it “is of the utmost importance to us.”


“Please be sure not to enter your online…


‘Anatsa’ malware targets banking users in US, UK and Central Europe


A mobile malware campaign targeting banking apps has been observed targeting users in the U.S., the U.K. and Central Europe.

Dubbed “Anatsa” by researchers at ThreatFabric B.V., the banking Trojan is distributed through malicious apps in the Google Play Store and is estimated to have had over 30,000 installations since March. Anatsa has advanced device-takeover capabilities that can circumvent existing fraud control mechanisms.

The malware is said to have been active since 2020 but has shifted focus over the years, with the current campaign targeting banking apps, particularly in Germany. According to the researchers, Anatsa’s target list includes almost 600 financial applications worldwide, with the malware stealing customers’ mobile banking application credentials to initiate fraudulent transactions.

Once installed, Anatsa makes a request to a page hosted on GitHub, where the dropper obtains a URL to download the payload, also hosted on GitHub. The payloads masquerade as an add-on to the original application.

After first detecting the campaign in March, the ThreatFabric researchers reported it to Google and it was removed from the Play Store. However, a month later, those behind Anatsa returned with a new app posing as a PDF viewer, with the malware masquerading as an add-on.

The researchers note that the choice of disguise for the malicious applications observed confirms the trend seen for droppers on Google Play: droppers tend to impersonate file-management-related applications.

The new app was reported to Google again and removed, but in the ultimate game of Whac-A-Mole, every time the apps were removed, new apps appeared. The researchers note that the speed at which the actors return with a new dropper after the previous one is removed is notable in itself, given that the coding can take anywhere from a few days to several weeks.

“It is crucial for companies to remain vigilant regarding the ever-evolving capabilities of attackers who constantly innovate their methodologies,” Pedro Fortuna, co-founder and chief technology officer of JavaScript protection company Jscrambler S.A., told SiliconANGLE. “Similarly, users must exercise caution when…


Hackers Targeting Italian Corporate Banking Clients with New Web-Inject Toolkit DrIBAN


May 05, 2023 | Ravie Lakshmanan


Italian corporate banking clients are the target of an ongoing financial fraud campaign that has been leveraging a new web-inject toolkit called drIBAN since at least 2019.

“The main goal of drIBAN fraud operations is to infect Windows workstations inside corporate environments trying to alter legitimate banking transfers performed by the victims by changing the beneficiary and transferring money to an illegitimate bank account,” Cleafy researchers Federico Valentini and Alessandro Strino said.

The bank accounts, per the Italian cybersecurity firm, are either controlled by the threat actors themselves or their affiliates, who are then tasked with laundering the stolen funds.

The use of web injects is a time-tested tactic that makes it possible for malware to inject custom scripts on the client side by means of a man-in-the-browser (MitB) attack and intercept traffic to and from the server.


The fraudulent transactions are often realized by means of a technique called Automated Transfer System (ATS) that’s capable of bypassing anti-fraud systems put in place by banks and initiating unauthorized wire transfers from a victim’s own computer.

Over the years, the operators behind drIBAN have gotten more savvy at avoiding detection and developing effective social engineering strategies, in addition to establishing a foothold for long periods in corporate bank networks.

Cleafy said 2021 was the year when the classic “banking trojan” operation evolved into an advanced persistent threat. Furthermore, there are indications that the activity cluster overlaps with a 2018 campaign mounted by an actor tracked by Proofpoint as TA554 targeting users in Canada, Italy, and the U.K.


The attack chain begins with a certified email (or PEC email) in an attempt to lull victims into a false sense of security. These phishing emails come bearing an executable file that acts as a downloader for a malware called sLoad (aka Starslord loader).

A PowerShell loader, sLoad is a reconnaissance tool that collects and exfiltrates information from the compromised host, with the purpose of assessing the target and dropping a more significant payload like Ramnit if the target is…
