Since January 2016, discreet campaigns involving malware called Trojan.Odinaff have targeted a number of financial organizations worldwide. These attacks appear to be extremely focused on organizations operating in the banking, securities, trading, and payroll sectors. Organizations that provide support services to these industries are also of interest.
Odinaff is typically deployed in the first stage of an attack to gain a foothold on the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools bear the hallmarks of a sophisticated attacker that has plagued the financial industry since at least 2013: Carbanak. This new wave of attacks has also used some infrastructure that was previously used in Carbanak campaigns.
These attacks require a large amount of hands-on involvement, with methodical deployment of a range of lightweight back doors and purpose-built tools onto computers of specific interest. There appears to be a heavy investment in the coordination, development, deployment, and operation of these tools during the attacks. Custom malware tools, purpose-built for stealthy communications (Backdoor.Batel), network discovery, credential stealing, and monitoring of employee activity, are deployed.
Although difficult to perform, these kinds of attacks on banks can be highly lucrative. Estimates of total losses to Carbanak-linked attacks range from tens of millions to hundreds of millions of dollars.
Carbanak and Odinaff Linked
The Odinaff attacks share a number of links with Carbanak, which is also known for attacking banks and is believed to have stolen hundreds of millions of dollars in recent years. Carbanak also specializes in high-value attacks against financial institutions and has been implicated in a string of attacks against banks in addition to point-of-sale (PoS) intrusions.
Three command-and-control (C&C) IP addresses used by Odinaff have been connected to previously reported Carbanak campaigns.
One IP address used by Odinaff was mentioned in connection with the Oracle MICROS breach, which was attributed to the Carbanak group.
Backdoor.Batel has been involved in multiple incidents involving Carbanak.
Evidence of SWIFT-related attacks
Symantec has found evidence that the Odinaff group has mounted attacks on SWIFT users, using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions. The tools used are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of the customers’ local SWIFT software environment. We have no indication that the SWIFT network itself was compromised.
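Because the tooling described above works by removing a customer’s own copies of message records, the defensive counterpart is an independent integrity baseline of the local message store, kept somewhere the endpoint cannot edit. The following is an added example of such a check, not Symantec’s or SWIFT’s tooling; it assumes one file per message in a directory and that a trusted baseline of file hashes was recorded earlier, and the sample log files it creates are constructed for the demonstration.

```python
"""Integrity baseline for a directory of locally stored message logs.

Added example (not from the Symantec post). Assumptions: one file per
message, and a baseline snapshot taken before any tampering that is stored
off-host so an attacker on the endpoint cannot rewrite it as well.
"""
import hashlib
import os
import tempfile


def snapshot(directory):
    """Map each file name to its SHA-256 so later removals or edits can be detected."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                result[name] = hashlib.sha256(fh.read()).hexdigest()
    return result


def diff_snapshots(baseline, current):
    """Return the files that vanished or changed since the baseline was taken.

    A record that disappears from the local store while the baseline still
    lists it is exactly the condition a defender wants an alert on.
    """
    removed = sorted(n for n in baseline if n not in current)
    modified = sorted(n for n in baseline if n in current and baseline[n] != current[n])
    return {"removed": removed, "modified": modified}


def demo():
    """Build constructed sample logs, take a baseline, alter the store, and report."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample records; these are not real message contents.
        for i, body in enumerate(["record A", "record B", "record C"], start=1):
            with open(os.path.join(d, f"log{i:03d}.txt"), "w") as fh:
                fh.write(body)
        base = snapshot(d)
        # Simulate what the integrity check must catch: one record removed
        # from the local store and one record edited in place.
        os.remove(os.path.join(d, "log003.txt"))
        with open(os.path.join(d, "log001.txt"), "w") as fh:
            fh.write("edited")
        return diff_snapshots(base, snapshot(d))


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be written by a separate host (or the message counterparty’s own records) rather than by the monitored endpoint, since a tool that can move log files can just as easily rewrite a baseline stored beside them.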
Sectors
Most Odinaff attacks were against financial targets. In attacks where the nature of the victim’s business was known, financial was by far the most frequently hit sector, accounting for 34 percent of attacks. There were a small number of attacks against organizations in the securities, legal, healthcare, government, and government services sectors; however, it is unclear whether all of these were financially motivated. Around 60 percent of attacks were against targets whose business sector was unknown, but in many cases these were against computers running financial software applications, meaning the attack was likely financially motivated.
Initial point of attack
The Odinaff attackers use a variety of methods to break into the networks of targeted organizations. One of the most common methods of attack is through lure documents containing a malicious macro. If the recipient opts to enable macros, the macro will install the Odinaff Trojan on their computer. Another attack involves the use of password-protected RAR archives to lure the victims into installing Odinaff on their computers. Although Symantec has not seen how these malicious documents or links are distributed, we believe spear-phishing emails are the most likely method. Trojan.Odinaff has also been seen to be distributed through botnets, where the Trojan is pushed out to computers already infected with other malware, such as Andromeda (Downloader.Dromedan) and Snifula (Trojan.Snifula). In the case of Andromeda, Odinaff was bundled as a Trojanized installer for AmmyyAdmin, a legitimate remote administration tool. The Trojanized installer was downloaded from the official website, which has been targeted repeatedly in recent times to spread a number of different malware families.
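Since the most common entry point described above is a lure document whose macro does the installation, a mail gateway or triage script can flag macro-enabled attachments before a recipient is ever asked to enable macros. The following is an added example, not Symantec’s code or any product’s detection logic; it assumes attachments in the Office Open XML zip format (.docm, .xlsm and similar), where a VBA project is stored as a `vbaProject.bin` part, and it only recognises legacy OLE2 files (.doc, .xls) by signature without parsing them. The sample documents it builds are constructed in memory.

```python
"""Flag Office Open XML attachments that carry a VBA project.

Added example, not from the Symantec post. Assumes OOXML containers; legacy
OLE2 documents are reported separately because their macro storage needs a
different parser (not implemented here).
"""
import io
import zipfile

# An OOXML document is a zip; a compiled VBA project is stored as this part
# (under word/, xl/ or ppt/ depending on the application).
VBA_PART_SUFFIX = "vbaProject.bin"
ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'ole2-unknown' or 'not-office' for raw bytes."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros live in an OLE stream, not a zip part.
        return "ole2-unknown"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "not-office"
    if any(name.endswith(VBA_PART_SUFFIX) for name in names):
        return "macro"
    return "no-macro"


def triage(attachments):
    """Return the names of attachments that warrant a hold for analyst review."""
    return [name for name, data in attachments
            if classify_attachment(data) in ("macro", "ole2-unknown")]


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML container, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("invoice.docm", build_sample_docx(True)),
               ("notes.docx", build_sample_docx(False)),
               ("readme.txt", b"plain text")]
    print(triage(samples))
```

Holding on the presence of a VBA part rather than on the file extension matters because the extension is attacker-controlled, while the zip directory is what the Office application actually acts on.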
Banks increasingly in the crosshairs
The discovery of Odinaff indicates that banks are at a growing risk of attack. Over the past several years, cybercriminals have begun to display a deep understanding of the internal financial systems used by banks. They have learned that banks employ a diverse range of systems and have invested time in finding out how they work and how employees operate them. Coupled with the high level of technical expertise available to some groups, this knowledge means these groups now pose a significant threat to any organization they target.
Attacks involving Odinaff appear to have begun in January 2016. The attacks have hit a wide range of regions, with the US the most frequently targeted. It was followed by Hong Kong, Australia, the UK and Ukraine.