Experts from McAfee observed the hackers using the Bankshot implant in targeted attacks against the financial organizations in Turkey. The attack resembles previous attacks conducted by Hidden Cobra against the global payment network SWIFT.
Bankshot was first reported by the US DHS in December, now new variants of the malicious code were observed in the wild The sample analyzed by McAfee is 99% similar to the variants detected in 2017.
The hackers used spear-phishing messages with a weaponized Word document containing an embedded Flash exploit that triggers the CVE-2018-4878, Flash vulnerability that was disclosed in late January.
Adobe promptly patched the vulnerability with an emergency patch, but many computers are still vulnerable because the owners did not apply the patch.
According to McAfee, the implant’s first target was a major government-controlled financial organization that was targeted on March 2 and 3.
Later, the same malware implant infected a Turkish government organization involved in finance and trade and a large financial institution.
The implant has so far not surfaced in any other sector or country. This campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.
McAfee’s report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations.
The attackers leveraged the Flash exploit to deliver the Bankshot RAT.
“Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity.” reads the analysis published by McAfee.
“The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. “
Spear phishing messaged used a Word document with the filename Agreement.docx, that appears as a template for Bitcoin distribution.
When the open it, the code it contains download malicious DLLs from falcancoin.io domain.
Experts discovered that the DLLs communicate with three control servers whom URLs are hardcoded in the implants’ code.
“The implants (DLLs) are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants’ code” continues McAfee.
The malicious code is able to perform several malicious operations, including file deletion, process injection, and exfiltration over command and control channel.
Further details, included the Indicators of Compromise (IoCs) are included in the analysis.