On Tuesday (April 4), Kaspersky Lab described how a group of hackers compromised a Brazilian bank’s operations top-to-bottom.
The attack lasted for approximately three months last year and hit each of the bank’s 36 domains, corporate email and DNS, rendering all under the control of the attackers, a company blog post noted.
Two Kaspersky Lab researchers, Fabio Assolini and Dmitry Bestuzhev, presented their findings at the Security Analyst Summit. The security experts revealed that as they continued to look into the case, they discovered that the hackers had also extended operations globally to nine other institutions.
The attack was first uncovered when the Brazilian bank’s website was serving malware to each of its visitors back in October.
“Every single visitor got a plugin with the JAR file inside,” Bestuzhev said. He explained that with control of the site’s index file, the attackers were able to reroute site visitors to reconstructed fakes of the bank’s properties where the malware was dropped.
“We were wondering: Had the bad guys owned the whole bank? How is this possible?” Bestuzhev added.
Upon pulling apart the malware used in the attack, the researchers observed that there were eight modules present, including “configuration files with bank URLs, update modules, credential-stealing modules for Microsoft Exchange, Thunderbird and the local address book and internet banking control and decryption modules,” the blog post stated.
The modules discovered were reportedly communicating with a command and control server in Canada.
Through one of the modules, called Avenger, the hackers modified the malicious code to perpetrate attacks on the nine other banks worldwide.
“The bad guys wanted to use that opportunity to hijack operations of the original bank but also drop malware with the capacity to steal money from banks of other countries,” Bestuzhev explained.
The impacted bank’s domains were also loaded with phishing pages aimed at tricking online customers into entering their payment card information.
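The defensive check that follows from this case is continuous monitoring of every domain an organisation owns for unexpected changes to its NS, A and MX records, since the report describes all 36 domains being redirected at once. The script below is an added illustration, not code from Kaspersky Lab or the bank: it diffs a constructed "known-good" baseline against a constructed later snapshot (in practice the snapshot would come from live resolution) and flags a mass change of authoritative name servers as the takeover signature. All domain names and addresses are invented placeholders.

```python
# Added example: detect DNS record drift across a fleet of owned domains.
# Baseline and snapshot are constructed inline; domain names use the
# reserved .invalid TLD and addresses come from documentation ranges.

RECORD_TYPES = ("NS", "A", "MX")

GOOD_NS = ["ns1.bank-example.invalid", "ns2.bank-example.invalid"]

# Constructed known-good state recorded while the domains were healthy.
BASELINE = {
    "bank-example.invalid":       {"NS": GOOD_NS, "A": ["203.0.113.10"], "MX": ["mx.bank-example.invalid"]},
    "bank-example-cards.invalid": {"NS": GOOD_NS, "A": ["203.0.113.11"], "MX": []},
    "bank-example-mail.invalid":  {"NS": GOOD_NS, "A": ["203.0.113.12"], "MX": ["mx.bank-example.invalid"]},
}

# Constructed later snapshot: two domains now delegate to a rogue name
# server and resolve elsewhere; the third is untouched.
SNAPSHOT = {
    "bank-example.invalid":       {"NS": ["ns1.rogue-dns.invalid"], "A": ["198.51.100.7"], "MX": ["mx.rogue-dns.invalid"]},
    "bank-example-cards.invalid": {"NS": ["ns1.rogue-dns.invalid"], "A": ["198.51.100.7"], "MX": []},
    "bank-example-mail.invalid":  {"NS": GOOD_NS, "A": ["203.0.113.12"], "MX": ["mx.bank-example.invalid"]},
}


def compare_domain(domain, baseline, snapshot):
    """Return [(rtype, removed, added)] for every record type that differs.

    A domain missing from the snapshot is treated as having no records,
    so a deleted zone shows up as every baseline record being removed.
    """
    findings = []
    for rtype in RECORD_TYPES:
        expected = set(baseline.get(domain, {}).get(rtype, ()))
        observed = set(snapshot.get(domain, {}).get(rtype, ()))
        if expected != observed:
            findings.append((rtype, sorted(expected - observed), sorted(observed - expected)))
    return findings


def detect_drift(baseline, snapshot):
    """Map each drifted domain to its findings; unchanged domains are omitted."""
    return {d: f for d in baseline if (f := compare_domain(d, baseline, snapshot))}


def mass_ns_change(report, threshold):
    """True when the NS set changed on at least `threshold` domains in one run.

    One NS change may be a planned migration; many at once, across unrelated
    zones, is the pattern of a registrar or DNS-provider account takeover.
    """
    changed = sum(1 for f in report.values() if any(r == "NS" for r, _, _ in f))
    return changed >= threshold


if __name__ == "__main__":
    report = detect_drift(BASELINE, SNAPSHOT)
    for domain, findings in report.items():
        for rtype, removed, added in findings:
            print(f"{domain} {rtype}: -{removed} +{added}")
    print("MASS NS CHANGE" if mass_ns_change(report, 2) else "no mass NS change")
```

Run on a schedule against live resolver output, a positive `mass_ns_change` should page someone immediately, because at that point the attacker also controls where mail and web traffic for those domains goes.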