Malicious tools can cause infected computers to self-destruct.
A few months after hackers broke into Bangladesh’s central bank and came close to getting away with $1 billion (~£800M), researchers have uncovered evidence that a separate hacking group is targeting the same payment network.
The researchers, from security firm Symantec, said in a blog post published Tuesday that they recently found new tools that target users of SWIFT, a payment network banks use to transfer payments that are sometimes in the range of hundreds of millions of dollars. The malicious tools monitor SWIFT messages sent to infected computers for International Bank Account Numbers or other keywords relating to specific transactions. When the tools encounter a message that contains a targeted text string, they use a “suppressor” component to move it out of the local file system to prevent it from being seen or recovered by the intended recipient.
“One of the files found along with the suppressor was a small disk wiper, which overwrites the first 512 bytes of the hard drive,” Symantec researchers wrote. “The area contains the Master Boot Record (MBR) which is required for the drive to be accessible without special tools. We believe this tool is used to cover the attackers’ tracks when they abandon the system and/or to thwart investigators.”
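The wiper described above overwrites only the first 512 bytes of the disk, so one cheap defensive control is to record a baseline of that sector and periodically verify it. The following Python is an added illustration, not code from the article or from Symantec: it fingerprints the first sector, checks for the 0x55AA boot signature and for a sector that has been flattened to a single repeated byte, and compares against a stored hash. The sample sectors are constructed in memory; on a live system the same reader would be pointed at the raw block device.

```python
import hashlib
import io
from typing import Optional

MBR_SIZE = 512                  # the span the wiper overwrites
BOOT_SIGNATURE = b"\x55\xaa"    # bytes 510-511 of an intact MBR


def read_first_sector(source) -> bytes:
    """Read the first 512 bytes from a path or a binary file-like object.
    On a live host this would be the raw disk device; here the caller
    passes an in-memory sample."""
    if hasattr(source, "read"):
        return source.read(MBR_SIZE)
    with open(source, "rb") as fh:
        return fh.read(MBR_SIZE)


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the first sector, recorded once as the known-good baseline."""
    return hashlib.sha256(sector[:MBR_SIZE]).hexdigest()


def check_mbr(sector: bytes, baseline: Optional[str] = None) -> dict:
    """Compare a freshly read first sector against structural expectations
    and, when one is supplied, a stored baseline hash. Returns findings
    instead of raising so the caller can log or alert on them."""
    findings = []
    if len(sector) < MBR_SIZE:
        findings.append("short read: fewer than 512 bytes available")
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if sector and len(set(sector)) == 1:
        findings.append("sector is a single repeated byte (looks wiped)")
    if baseline is not None and mbr_fingerprint(sector) != baseline:
        findings.append("hash differs from recorded baseline")
    return {"tampered": bool(findings), "findings": findings}


# Constructed sample (not from any real disk): bootstrap code area, disk
# signature, one partition entry, three empty entries, boot signature.
INTACT_MBR = (
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 432   # 440 bytes of code
    + b"\xde\xad\xbe\xef"                                 # disk signature
    + b"\x00\x00"                                         # reserved
    + b"\x80\x20\x21\x00\x83\xfe\xff\xff"                 # partition entry 1
    + b"\x00\x08\x00\x00\x00\xf8\x7f\x00"
    + b"\x00" * 48                                        # entries 2-4 empty
    + BOOT_SIGNATURE
)

# Constructed sample: the same sector after a 512-byte zero overwrite.
WIPED_MBR = b"\x00" * MBR_SIZE


def demo():
    """Verify the intact sector against its baseline, then the wiped one."""
    baseline = mbr_fingerprint(INTACT_MBR)
    before = check_mbr(read_first_sector(io.BytesIO(INTACT_MBR)), baseline)
    after = check_mbr(read_first_sector(io.BytesIO(WIPED_MBR)), baseline)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("intact", "wiped"), demo()):
        print(label, result)
```

The baseline hash should be stored off the host being checked; a wiper that also reaches the baseline defeats the comparison, although the signature and repeated-byte checks still fire without one.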
Symantec said the tools are linked to the Odinaff group, which since the beginning of the year has targeted financial organizations worldwide. Odinaff is also the name of a lightweight trojan the group uses to gain a persistent hold on targeted computers.
“These Odinaff attacks are an example of another group believed to be involved in this kind of activity, following the Bangladesh central bank heist linked to the Lazarus group,” Tuesday’s blog post explained. “There are no apparent links between Odinaff’s attacks and the attacks on banks’ SWIFT environments attributed to Lazarus, and the SWIFT-related malware used by the Odinaff group bears no resemblance to Trojan.Banswift, the malware used in the Lazarus-linked attacks.”
The Bangladesh Central Bank and at least three other financial institutions have been hit by the attacks targeting their SWIFT payment system. The breach involving the Bangladesh bank reportedly came close to netting almost $1 billion but ultimately failed because of a typo the hackers made when typing the name of the entity that was supposed to receive the massive sum. As a result, the heist cleared only $81 million.
(Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications.)