Executive Summary

On 13 February 2019, Bank of Valletta (BOV) employees discovered the hackers' intrusion and temporarily shut down all BOV IT systems.[1] Wapack Labs analysis shows a continued heightened risk for BOV, primarily due to exposed plaintext employee passwords, signs of botnet connections from the BOV networks, incoming malicious emails, inherent industry targeting, and an IT infrastructure shared with a French shipping company.

Summary of Findings:

  • In total, 92 hits for five BOV digital assets were found across seven proprietary Wapack Labs collections.
  • Two recent botnet C2 connections were detected from BOV networks: Quant malware in September 2018 and Lokibot malware in October 2018.
  • 12 victims whose plaintext passwords were exposed in various data breaches available in the Wapack Labs collection had associated emails on the bov.com domain.
  • An additional 31 BOV emails were exposed with the associated password hashes.
  • Four victims whose plaintext passwords were exposed in various data breaches available in the Wapack Labs collection had associated BOV IPs.
  • One of the BOV IP ranges (194.204.126.0/24) hosts, in addition to BOV domains, a shipping industry domain, humtac.fr, that is itself heavily targeted by hackers.

Findings

Red Xray overview for BOV threats

Wapack Labs CTAC Red Xray dashboard reports 92 hits for BOV across multiple collections (Figure 1), including botnets, breach data, malicious email targeting, open source intelligence tracking, Pastebin mentions, and Threat Recon finished intelligence reporting. The records represent hits for bov.com, humtac.fr, 80.85.110.0/24, 194.204.126.0/24, and a keyword search (Figure 2).
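How a collection record counts as a hit against the domains and IP ranges listed above can be shown in code. This is an added example, not Wapack Labs tooling or anything from the original report: the record layout, function names and sample records are constructed for illustration (only the asset list and the two botnet source IPs come from the report), and the keyword search is left out.

```python
import ipaddress
from collections import Counter

# Monitored assets as listed in the report text above.
DOMAINS = ("bov.com", "humtac.fr")
NETWORKS = tuple(ipaddress.ip_network(n) for n in ("80.85.110.0/24", "194.204.126.0/24"))

def match_domain(email):
    """Return the monitored domain an e-mail address belongs to, or None."""
    host = email.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    for d in DOMAINS:
        # Exact match or true subdomain only; "notbov.com" must not match.
        if host == d or host.endswith("." + d):
            return d
    return None

def match_network(ip):
    """Return the monitored CIDR containing ip, or None (also for bad input)."""
    try:
        addr = ipaddress.ip_address(ip.strip())
    except ValueError:
        return None
    for net in NETWORKS:
        if addr in net:
            return str(net)
    return None

def count_hits(records):
    """Count hits per (collection, asset) over records with optional email/ip."""
    hits = Counter()
    for rec in records:
        assets = {match_domain(rec.get("email", "")), match_network(rec.get("ip", ""))}
        for asset in assets - {None}:
            hits[(rec["collection"], asset)] += 1
    return hits

# Constructed sample records; only the two botnet source IPs come from the report.
SAMPLE = [
    {"collection": "botnet", "ip": "80.85.110.209"},
    {"collection": "botnet", "ip": "194.204.126.9"},
    {"collection": "botnet", "ip": "203.0.113.7"},
    {"collection": "breach", "email": "Constructed.User@BOV.com"},
    {"collection": "breach", "email": "someone@notbov.com"},
    {"collection": "breach", "email": "ops@mail.humtac.fr", "ip": "194.204.126.6"},
]

if __name__ == "__main__":
    for (collection, asset), n in sorted(count_hits(SAMPLE).items()):
        print(f"{collection:8} {asset:18} {n}")
```

A record that matches both a monitored domain and a monitored range is counted once per asset, so per-asset totals can exceed the number of distinct records.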

September-October 2018 Botnet traffic from the BOV networks

| First_seen | Indicator | Country | Indicator Context | Attribution | C2 |
|---|---|---|---|---|---|
| 2018-09-11T07:01:38 | 80.85.110.209 | MT | botnet_ip | quant | http://www.inbuz.ru/q/index.php |
| 2018-10-26T13:43:30 | 194.204.126.9 | MT | botnet_ip | lokibot | http://www.partitnazzjonalista.org/Malta/scss/five/fre.php |

Two recent botnet hits for the BOV networks indicate a likelihood of malware compromise:

  • On 11 September 2018, traffic to a Quant malware C2, http://www.inbuz.ru/q/index.php, was detected from BOV IP 80.85.110.209.
  • On 26 October 2018, another BOV IP, 194.204.126.9, connected to a Lokibot malware C2. It is worth mentioning that this Lokibot C2 could have been targeting this region, as its URI specifically mentions Malta and its domain name references one of the two major Maltese political parties (The Nationalist Party, Maltese: Partit Nazzjonalista) (Table 1).

As these botnet C2 connections could have been the event that helped the BOV hackers establish the foothold that led to the recent financially motivated cyberattack, it is important to note that Wapack Labs found 13 other financial organizations whose networks were recently seen connecting to the same Lokibot malware (Appendix A).

BOV.com and 194.204.126.0/24 in Breach data[1]

43 BOV emails were found in breach data with the associated password hashes, or in 12 cases, with plaintext passwords (Appendix B).

Similarly, Wapack Labs discovered four breach data victims with the IP 194.204.126.6:

Inetnum: 194.204.126.0 - 194.204.126.255
Netname: BOV
Descr: Bank of Valletta.

Their plaintext passwords leaked to hackers (Figure 3).

[1] Attackers often conduct reconnaissance on users in order to obtain usernames and passwords. Data breaches are a very popular resource for this. A data breach usually consists of data stolen from a database. Many of these breaches are readily available on the deep web and expose sensitive information, including personally identifiable information (PII) and more sensitive data such as usernames and passwords. If a user leverages the same password for multiple accounts, or even variations of the same password, then they are at risk of having their account compromised.

Shared infrastructure. Shipping company humtac.fr

Passive DNS research showed that one of the BOV IP ranges (194.204.126.0/24) hosts, in addition to BOV domains, a shipping industry domain, humtac.fr (Appendix C). If the shipping company was also compromised (transportation and logistics companies are compromised with a higher frequency than other companies), then humtac.fr would be a vector into the BOV network. Wapack Labs observed two passwords associated with @humtac.fr emails leaked to the hackers in the past.

Conclusion:

The idea that BOV would experience a funds transfer should come as no surprise. BOV had been targeted and victimized several times prior to the event, with executives quoted as stating they’d been breached with their own account. Hackers appear to have had LokiBot access to BOV since mid-to-late 2018, at a time when Kaspersky and others reported its use in locating corporate credentials,[1] and several BOV employees appear in credential dumps and breach locations.

[1] https://securelist.com/loki-bot-stealing-corporate-passwords/87595/

[1] expansion.mx/empresas/2019/02/13/ci-banco-recibe-ataque-cibernetico
