Threat Report

Thursday October 11, 2018

This week we’re covering three current events. The first two are related to threats targeting the financial sector. The last is a cautionary tale of malware infection at a large restaurant chain.

APT38 is getting SWIFT

In a report published October 3, 2018, FireEye detailed the activities of APT38, a threat actor conducting financially motivated and cyber-espionage related crimes on behalf of the North Korean regime. FireEye identifies APT38 as a North Korean nation-state-sponsored group that shares overlapping characteristics with both Lazarus Group and TEMP.Hermit. According to their findings, APT38 executes sophisticated bank heists that result from extensive planning, and it maintains access in a compromised victim’s environment for long periods. APT38 has been linked to multiple incidents targeting SWIFT systems. APT38’s primary goal is to raise large sums of money for the North Korean regime; however, FireEye states that the group also targets infrastructure to facilitate continuous operations and evade detection.

APT38 primarily targets financial institutions such as banks, credit unions, and financial transaction and exchange companies. Other targeted organizations include media companies and government entities. Known victims reside in the following countries: the United States, Mexico, Brazil, Chile, Uruguay, Poland, Turkey, Russia, Bangladesh, Malaysia, Vietnam, and the Philippines. In Annex B of the report, FireEye details an extensive list of malware used by APT38, ranging from established, well-known tools (NestEgg, DarkComet) to lesser-known ones (DyePack, BLINDTOAD). FireEye believes APT38 is a well-resourced and persistent threat likely to continue its illicit financial-crime activities.

Resources:

Fireeye

Betabot continues to evolve its toolset for breaking the bank

Security researchers from Cybereason have detected a new campaign involving the Betabot (Neurevt) Trojan. Betabot first appeared in 2012 as an info-stealer and has since evolved into a banking trojan packed with destructive features. This updated version includes browser form grabbing, a File Transfer Protocol (FTP) and mail client credential stealer, a banker module, distributed denial of service (DDoS) attack capability, a USB infection module, a robust userland rootkit (x86/x64), arbitrary command execution via shell, and a cryptocurrency miner module. Betabot can also drop other malware, and it gains persistence via the Windows Task Scheduler and Registry Autorun keys. Researchers note that Betabot was designed to operate in “paranoid mode”: it includes self-defense mechanisms such as anti-debugging, anti-virtual machine/sandbox and anti-disassembly checks, and it detects at least 30 security products and analysis tools and attempts to disable or remove them.

The malware is delivered through a phishing attack that relies on social engineering. The email persuades the user to open an attached weaponized Microsoft Word document, which exploits CVE-2017-11882, an 18-year-old vulnerability in the Equation Editor component of Microsoft Office. The vulnerability was discovered in 2017 and patched by Microsoft. Once running, Betabot checks for internet connectivity by sending requests to Google.com and Microsoft Update sites before communicating with its command-and-control (C&C) server. Researchers note that to prevent Betabot infections, users should keep their software up to date, install Microsoft security patches, and avoid opening attachments from unknown senders.
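The two persistence mechanisms named above (Registry Autorun keys and the Windows Task Scheduler) and the Word-document delivery path are all visible in ordinary endpoint telemetry. The script below is an added example written for this report, not code from Cybereason or from the Betabot analysis: it runs three simple detection rules over a handful of constructed, Sysmon-like log lines and then correlates the hits by the responsible process, so that one process which was spawned by an Office application, wrote a Run key, and created a scheduled task stands out. The log format (an event id followed by quoted key=value fields, with event id 1 for process creation and 13 for a registry value write) is an assumption chosen for readability; real Sysmon events are XML and would need a different parser, but the rules themselves carry over unchanged.

```python
import re

# Constructed, Sysmon-like sample telemetry (NOT real data from the report).
# Assumed format: "<EventId> Key="value" Key="value" ..." where EventId 1 is a
# process-creation event and EventId 13 is a registry value being set.
SAMPLE_LOG = r'''
1 Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" ParentImage="C:\Windows\explorer.exe" CommandLine="WINWORD.EXE /n invoice.docx"
1 Image="C:\Users\alice\AppData\Local\Temp\upd.exe" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" CommandLine="upd.exe"
13 Image="C:\Users\alice\AppData\Local\Temp\upd.exe" TargetObject="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\upd" Details="C:\Users\alice\AppData\Roaming\upd.exe"
1 Image="C:\Windows\System32\schtasks.exe" ParentImage="C:\Users\alice\AppData\Local\Temp\upd.exe" CommandLine="schtasks /create /sc onlogon /tn upd /tr C:\Users\alice\AppData\Roaming\upd.exe"
1 Image="C:\Windows\System32\notepad.exe" ParentImage="C:\Windows\explorer.exe" CommandLine="notepad.exe notes.txt"
13 Image="C:\Windows\System32\svchost.exe" TargetObject="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SomeApp" Details="1"
'''

# Registry Autorun locations: HKLM/HKCU ...\CurrentVersion\Run and RunOnce.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Office binaries that should rarely spawn executables from user-writable paths.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn one sample log line into a dict of fields plus an integer EventId."""
    event_id, _, rest = line.strip().partition(" ")
    fields = dict(FIELD.findall(rest))
    fields["EventId"] = int(event_id)
    return fields


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Apply the detection rules to one event.

    Returns a list of (finding, subject) pairs, where subject is the process
    held responsible so that findings can be correlated across events.
    """
    findings = []
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    cmdline = ev.get("CommandLine", "").lower()
    if ev["EventId"] == 1:
        # Rule 1: an Office application spawned a new process (maldoc delivery).
        if basename(parent) in OFFICE_APPS:
            findings.append(("office_child_process", image))
        # Rule 2: a scheduled task was created; blame the parent that ran schtasks.
        if basename(image) == "schtasks.exe" and "/create" in cmdline:
            findings.append(("scheduled_task_created", parent))
    elif ev["EventId"] == 13:
        # Rule 3: a value was written under a Run/RunOnce autorun key.
        if AUTORUN_KEY.search(ev.get("TargetObject", "")):
            findings.append(("registry_autorun", image))
    return findings


def scan(log_text):
    """Run every rule over every line; returns (line_no, finding, subject) tuples."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        for finding, subject in evaluate(parse_line(line)):
            alerts.append((n, finding, subject))
    return alerts


def correlate(alerts):
    """Group findings by subject process; keep subjects with two or more rule hits."""
    by_subject = {}
    for _, finding, subject in alerts:
        by_subject.setdefault(subject, set()).add(finding)
    return {s: sorted(f) for s, f in by_subject.items() if len(f) >= 2}


if __name__ == "__main__":
    for line_no, finding, subject in scan(SAMPLE_LOG):
        print(f"line {line_no}: {finding} <- {subject}")
    print("correlated suspects:", correlate(scan(SAMPLE_LOG)))
```

Each rule on its own is noisy in a real estate (administrators create scheduled tasks, installers write Run keys), which is why the correlation step matters: a single process that trips an Office-child rule and then both persistence rules within the same log window is a far stronger signal than any one event, and it is the kind of chain an analyst team would review rather than wait for an outside notification.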

Resources:

Cybereason

Microsoft

Malware gets year-long all you can eat burger time pass

Restaurant chain Burgerville has recently revealed a security breach that started over a year ago. Based on the online report, the Federal Bureau of Investigation (FBI) contacted Burgerville in August 2018 about a security incident involving FIN7, which was thought to be a “brief intrusion” that was no longer active. On September 19, the FBI informed Burgerville that the attack was still active and was much more severe than expected. Burgerville took steps toward remediation and, in cooperation with the FBI and an outside cybersecurity firm, launched a full forensic investigation. The investigation found that malware had been installed on Burgerville systems such as point-of-sale (PoS) machines to steal customer data. Customers’ credit and debit card information, such as names, card numbers, expiration dates, and CVV numbers, may have been compromised. The number of affected customers is currently unknown, as FIN7’s tactics were described as sophisticated and adept at concealing digital footprints.

Burgerville explained that it did not announce the breach sooner in order to maintain confidentiality during the investigation with the FBI; the remediation plan, which was completed by September 30, had to be kept secret. As part of that plan, Burgerville has also upgraded its systems to counter this kind of attack. The company has asked customers who visited its restaurants and used their cards between September 2017 and September 2018 to monitor their financial statements for fraudulent activity.

The longer a threat goes undetected, the more expensive it is to remediate. Security programs can be expensive if you go it alone. If Burgerville had had a team of security analysts monitoring its environment instead of relying on FBI notification, it would have caught both the initial infection and its continuation.

Resources:

Burgerville

Paul Scott
SOC Nightwatchman
LinkedIn