Summary
Attackers are using “SWIFT monetary transfer” themed files to lure users into opening them; these files have been identified as malicious. Wapack Labs studied a sample group of SWIFT-themed malicious files over a 30-day period from February to March 2019. Nearly half are classified as Lokibot, and 12 percent were detected exploiting CVE-2017-11882, the "Microsoft Office Memory Corruption Vulnerability." Most of the samples were submitted from Ukraine, the Czech Republic or the US. In several cases, the malware samples were attached to emails whose social engineering referenced HSBC bank transfers.
Details
Figure 1. MS Office file “mt103_swift_payment_copy” prompts users to enable malicious macros [1]
A SWIFT-themed sample
Wapack Labs analyzed malicious samples uploaded to VirusTotal (VT) between 21 February 2019 and 22 March 2019 that had either the string “SWIFT Transfer” or “SWIFT payment” in the filename.[2] A total of 33 submitted files were discovered, 13 for “SWIFT Transfer” and 20 for “SWIFT payment.” In several cases, the malware samples were traced back to malicious emails spoofed to look as if they came from HSBC bank (Figure 2).
Figure 2. Malicious .ace Lokibot attachments in a March 2019 email spoofing HSBC bank
The most common file names were “Swift Payment Copy” and “Swift Transfer Copy103_PDF.ace”. The string “SWIFT Transfer (103)” is present in 24 percent of the studied malicious file names (see Appendix A).
Detection Trends
Among the specimens, 48% had detections for Lokibot (Loki) malware. The real share of Lokibot campaigns may be even larger: some files had only low-confidence generic detections, and some samples could be an earlier stage of a Lokibot campaign (Table 1).
Table 1. Malware detection among SWIFT-themed samples

| Malware detection | Frequency |
|---|---|
| Lokibot | 48% |
| Exploit.CVE-2017-11882 | 12% |
| Fuerboos | 6% |
| Pony | 6% |
| BAT/Donoff/Razy | 3% |
| Exploit.CVE-2018-0802 | 3% |
| Fareit | 3% |
| Heye | 3% |
| Nanobot | 3% |
| Neshta | 3% |
| PWS:Win32/Primarypass | 3% |
| RTF/Downloader | 3% |
| Trojan[Downloader]/MSOffice.Agent | 3% |

Antivirus detections for Exploit.CVE-2017-11882 (“Microsoft Office Memory Corruption Vulnerability”) took second place. Other detections were in the single digits, including other known malware such as Pony, Neshta and Heye (Table 1).
Table 2. File types among SWIFT-themed samples

| File type | Frequency |
|---|---|
| Win32 EXE | 36% |
| Rich Text Format | 18% |
| ACE | 15% |
| ISO image | 6% |
| Outlook | 6% |
| RAR | 6% |
| ZIP | 6% |
| MS Excel Spreadsheet | 3% |
| Office Open XML Spreadsheet | 3% |

Win32 EXE (36%), Rich Text Format (18%), and ACE (15%) were the top three file types (Table 2). Lokibot samples accounted for the majority of the .exe, .ace and compressed malicious files.
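A gateway-side attachment triage heuristic built from the file name patterns in Appendix A and the file types in Table 2, added here as an example; it is not part of the original report or Wapack Labs' detection logic. The lure regexes, the extension groupings, the decoy-extension check and the block/sandbox/flag policy are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Lure phrases drawn from the file names in Appendix A (assumed patterns, not the lab's rules).
LURE_PATTERNS = [
    re.compile(r"swift[\s_-]*(transfer|payment)", re.IGNORECASE),
    re.compile(r"mt103|\(103\)|copy103", re.IGNORECASE),
]
# File types from Table 2 and Appendix A, grouped by how a gateway should treat them (assumed policy).
EXECUTABLE_EXT = {"exe", "scr", "com", "bat", "js", "vbs"}
ARCHIVE_EXT = {"ace", "arj", "rar", "zip", "7z", "iso"}
OFFICE_EXT = {"doc", "docx", "xls", "xlsx", "rtf"}
# A document-looking token right before the real extension ("-pdf.exe", ".pdf.7z", "_PDF.ace").
DECOY_RE = re.compile(r"[._-](pdf|doc|xls)(?=\.[a-z0-9]+$)")

@dataclass
class Verdict:
    name: str
    lure: bool
    ext: str
    decoy: Optional[str]
    action: str  # one of: block, sandbox, flag, allow

def triage(filename: str) -> Verdict:
    """Classify one attachment name and suggest a gateway action."""
    clean = filename.replace("\r", "").replace("\n", "").strip()  # Appendix A has a literal \r
    lowered = clean.lower()
    lure = any(p.search(lowered) for p in LURE_PATTERNS)
    ext = lowered.rsplit(".", 1)[1] if "." in lowered else ""
    m = DECOY_RE.search(lowered)
    decoy = m.group(1) if m else None
    if ext in EXECUTABLE_EXT:
        action = "block"            # an executable never belongs in a payment advice
    elif ext in ARCHIVE_EXT and (lure or decoy):
        action = "block"            # .ace/.iso/.7z carrying a SWIFT lure or a fake .pdf token
    elif ext in ARCHIVE_EXT or (ext in OFFICE_EXT and lure):
        action = "sandbox"          # detonate: the Office lures carried CVE-2017-11882 (Table 3)
    elif lure:
        action = "flag"             # theme matches but the type looks benign; warn the user
    else:
        action = "allow"
    return Verdict(clean, lure, ext, decoy, action)

def triage_all(names):
    """Map each name to its action, e.g. for all attachments of one message."""
    return {v.name: v.action for v in map(triage, names)}
```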
Several malicious domains and IPs were detected that were used as C2s for these samples, and some were used to download next-stage malware. Wapack Labs has already sinkholed two domains detected for Lokibot samples, alphastand.win and kbfvzoboss.bid (see the Indicators table below).
Among the .rtf and .xlsx attachments, CVE-2017-11882 was the most common exploited vulnerability. Table 3 shows the observed CVEs; a single sample can be flagged for several CVEs, so the percentages do not sum to 100.
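A proxy-log check for Lokibot check-ins built from the C2 domains in the Indicators table, added here as an example and not part of the original report. The log format, the constructed sample lines, the hosts that are not in the table, and the rule that a POST to a /fre.php path on an unlisted host deserves review are assumptions.

```python
import re
from collections import defaultdict

# Lokibot C2 domains from the report's Indicators table; two were sinkholed by Wapack Labs.
LOKIBOT_C2 = {
    "alphastand.win": "sinkholed",
    "kbfvzoboss.bid": "sinkholed",
    "alphastand.top": "live",
    "alphastand.trade": "live",
    "simeonolo.tk": "live",
    "ophtyeifns.cf": "live",
    "oppws.cn": "live",
}
# Every Lokibot C2 URL in the table ends in /fre.php; a POST to that path on an unlisted host is worth a look.
FRE_PHP_URL = re.compile(r"^https?://[^/\s]+(?:/\S*)?/fre\.php(?:\?\S*)?$", re.IGNORECASE)
# Assumed (constructed) proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def host_of(url: str) -> str:
    """Extract the lowercased host name from a URL, dropping scheme, port and path."""
    return url.split("://", 1)[-1].split("/", 1)[0].split(":")[0].lower()

def scan_proxy_log(lines):
    """Return {client_ip: [(reason, host), ...]} for lines that look like Lokibot check-ins."""
    alerts = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        _, client, method, url, _ = m.groups()
        host = host_of(url)
        if host in LOKIBOT_C2:
            # A hit on a sinkholed domain still means an infected host: the implant is
            # beaconing, it just no longer reaches the operator.
            alerts[client].append((f"known-c2-{LOKIBOT_C2[host]}", host))
        elif method == "POST" and FRE_PHP_URL.match(url):
            alerts[client].append(("fre.php-post-unlisted-host", host))
    return dict(alerts)

# Constructed sample lines (not from the report); hosts other than the listed C2s are invented.
SAMPLE_LOG = [
    "2019-03-21T10:02:11Z 10.0.0.15 POST http://alphastand.win/alien/fre.php 200",
    "2019-03-21T10:02:40Z 10.0.0.15 POST http://alphastand.trade/alien/fre.php 200",
    "2019-03-21T10:03:01Z 10.0.0.22 POST http://panel.invalid/broker/five/fre.php 404",
    "2019-03-21T10:03:05Z 10.0.0.31 GET http://www.example.com/index.html 200",
    "2019-03-21T10:03:09Z 10.0.0.31 GET http://www.example.com/fre.php 200",
]
```

Running scan_proxy_log(SAMPLE_LOG) flags 10.0.0.15 (two known C2s, one sinkholed) and 10.0.0.22 (unlisted host, Lokibot-style POST path), and ignores the plain GETs from 10.0.0.31.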
Table 3. Exploits in SWIFT-themed .rtf and .xlsx samples

| Vulnerability | Frequency |
|---|---|
| CVE-2017-11882 | 83% |
| CVE-2012-0158 | 50% |
| CVE-2017-0199 | 33% |
| CVE-2010-3333 | 17% |
| CVE-2017-1182 | 17% |
| CVE-2017-8570 | 17% |
| CVE-2018-0798 | 17% |
| CVE-2018-0802 | 17% |

The top three observed vulnerabilities were CVE-2017-11882 "Microsoft Office Memory Corruption Vulnerability" at 83 percent, CVE-2012-0158 “MSCOMCTL.OCX RCE Vulnerability” at 50 percent, and CVE-2017-0199 "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API" at 33 percent. In one case, newer vulnerabilities were observed: CVE-2018-0798 and CVE-2018-0802 (Table 3).
Submission Geolocation
Fifteen (15) percent of the samples were submitted from the US. Various European countries were the most common, with Ukraine (21%), the Czech Republic (18%) and France (12%) in the top five (Table 4).
Table 4. Countries of submission of SWIFT-themed malware

| Country | Frequency |
|---|---|
| UA | 21% |
| CZ | 18% |
| US | 15% |
| ZZ (unknown) | 15% |
| FR | 12% |
| DE, GB, KR, NG, RU | 6% each |
| CH, ES, HR, HU, IN, IT, JP, SG | 3% each |
Conclusion
The SWIFT inter-banking payment system remains one of the more popular social engineering themes in malicious emails. Fortunately, user education can go a long way toward mitigating these attacks, as all of them require user interaction for the malware installation to succeed. Lokibot is likewise a popular infostealer and accounts for a large share of Wapack Labs sinkhole traffic.
Indicators
| Indicator | Type | Kill chain phase | First seen | Last seen | Comments | Attribution |
|---|---|---|---|---|---|---|
| hxxp://kamagra4uk[.]com/gon/okim/oookkkk.exe | URL | Delivery | 03/19/2019 | 03/19/2019 | SWIFT Transfer (103) FT19063QCWFG.doc | |
| kamagra4uk.com | Domain | C2 | 02/14/2019 | 03/24/2019 | Known malicious source | |
| hxxp://23.249.163[.]126/link/E0.exe | URL | Delivery | 03/15/2019 | 03/15/2019 | Downloader for SWIFT-themed malware | |
| 23.249.163.126 | IP | C2 | 09/10/2015 | 03/21/2019 | Downloader for SWIFT-themed malware | |
| hxxp://simeonolo[.]tk/raphael/fre.php | URL | C2 | 03/03/2019 | 03/03/2019 | | Lokibot |
| simeonolo.tk | Domain | C2 | 02/25/2019 | 03/24/2019 | SWIFT TRANSFER (103) 001FTLC183520369.exe | Lokibot |
| 198.23.191.102 | IP | Delivery | 02/21/2019 | 03/27/2019 | Source for CoinStealer and other malware | |
| hxxp://198.23.191[.]102/xml/luc.exe | URL | Delivery | 02/21/2019 | 02/21/2019 | SWIFT Transfer (103) REF 076907062017.doc | |
| hxxp://ophtyeifns[.]cf/raphael/fre.php | URL | C2 | 03/21/2019 | 03/21/2019 | copy of swift payment 18032019.exe | Lokibot |
| hxxp://oppws[.]cn/broker/five/fre.php | URL | C2 | 03/22/2019 | 03/22/2019 | | Lokibot |
| oppws.cn | Domain | C2 | 02/21/2019 | 03/27/2019 | | Lokibot |
| hxxp://kbfvzoboss[.]bid/alien/fre.php | URL | C2 | 07/06/2017 | 03/23/2019 | Lokibot C2 sinkholed by Wapack Labs | Lokibot |
| kbfvzoboss.bid | Domain | C2 | 03/21/2017 | 03/27/2019 | Lokibot C2 sinkholed by Wapack Labs | Lokibot |
| hxxp://shirkeswitch[.]net/cbn/okc/shri%20kc.exe | URL | Delivery | 03/06/2019 | 03/06/2019 | mt103_swift_payment_copy.xlsx | Lokibot |
| shirkeswitch.net | Domain | Delivery | 02/28/2019 | 03/25/2019 | | Trojan.Tasker |
| hxxp://alphastand[.]win/alien/fre.php | URL | C2 | 11/21/2017 | 03/14/2019 | Lokibot C2 sinkholed by Wapack Labs | Lokibot |
| hxxp://alphastand[.]top/alien/fre.php | URL | C2 | 03/14/2019 | 03/21/2019 | Swift Payment 2018-pdf.exe | Lokibot |
| alphastand.top | Domain | C2 | 10/23/2018 | 03/23/2019 | | Lokibot |
| hxxp://alphastand[.]trade/alien/fre.php | URL | C2 | 03/21/2019 | 03/21/2019 | Swift Payment 2018-pdf.exe | Lokibot |
| alphastand.trade | Domain | C2 | 02/28/2019 | 03/27/2019 | | Lokibot |
Prepared by: Yury Polozov
Reviewed by: B. Schenkelberg
Approved by: C. Hall/J. McKee
For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com.
Appendix A. SWIFT-themed malware file names
copy of swift payment 18032019.exe
copy of swift payment 18032019.iso
FW_ Swift Payment Copy - Incorrect Bank Details provided.msg
mt103_swift_payment_copy.xlsx
PAYMENT SWIFT.exe
Swift Payment 2018-pdf.exe
SWIFT PAYMENT CONFIRMATION ELECTRONIC DOC0000output35C6C0.rar
Swift Payment Copy-pdf.exe
Swift Payment Copy.ace
Swift Payment Copy.doc
SWIFT PAYMENT COPY.exe
Swift Payment Copy.exe
SWIFT PAYMENT COPY.pdf.7z
Swift Payment Slip.exe
Swift Payment ZIP.arj
Swift Payment-7382992.scr
SWIFT PAYMENT.doc
SWIFT TRANSFER (/SWIFT TRANSFER (103) 001FTLC183520369.exe
SWIFT TRANSFER (103) 001FTLC183520369.iso
SWIFT TRANSFER (103) 001FTLC183520369.msg
SWIFT Transfer (103) 001FTLC183520369.xls
SWIFT Transfer (103) FT19063QCWFG.doc
SWIFT Transfer (103) FT19063QCWFG.doc
SWIFT Transfer (103) REF 076907062017.doc
SWIFT TRANSFER (103)\r 001FTLC183520369.iso
Swift Transfer Copy10.pdf.ace
Swift Transfer Copy103_PDF.ace
Swift Transfer Copy103_PDF.ace
Swift Transfer Copy103_PDF.ace
Swift Transfer Payment Slip.exe
Swift transfer.exe-2019-02-27.20-04-01.txt
swift_payment_copy.doc
Swift_Payment.exe
Swift_Payment.zip
[1] hybrid-analysis.com/sample/cdcd4b6963f006947de99bf95e224de8ac7ae7d3a36a3f8575fc70fc7c93ff07
[2] The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment.