Swift: in second digital bank robbery, attackers knew traces with trojan – update
A second attack on a bank with malware has taken place to make transfers via Swift messages, payment organization Swift reports. In this attack, the attackers covered their tracks by manipulating PDFs via a Trojan.
Swift does not mention the name of the affected bank, but it is clear that it is a commercial bank and not a central bank as in the case of Bangladesh, where $81 million was stolen. According to Swift, aka the Society for Worldwide Interbank Financial Telecommunication, the attackers have “deep knowledge of specific operational management systems.”
During the attack, the perpetrators may have received help from within, from internet attacks or a combination of the two. These terms seem to indicate that the investigation has not yet provided a deep insight into the working methods of the bank robbers. In addition, there are differences in the method between the two attacks. Swift speaks of a highly adaptive campaign, aimed at banks.
One of the differences is that the attackers not only managed to modify Swift software to send messages over the network and instruct large transfers, but also used what Swift calls a ‘trojan PDF’. reader’. The malware allowed the criminals to modify PDF documents that were used to confirm Swift messages sent. In this way they were able to cover their tracks.
Swift previously confirmed that more incidents had taken place, but not that a second bank had actually been affected.
Update 11.20: Swift released a statement of its own. In it, the organization clarifies that the malware targets the application that banks use to read PDFs. Those PDFs are generated to confirm payments. The goal of the malware is to manipulate the local logs of Swift messages on affected customers.
The malware places its own icon on infected machines with a file description that matches that of the legitimate PDF reader. Once PDF files are opened with the fake reader, it modifies the documents in such a way that the fraudulent acts are removed.