McAfee's Advanced Threat Research (ATR) group has discovered the cybercrime cabal Hidden Cobra continues to target cryptocurrency and financial organisations with the return of the Bankshot malware impact surfacing in the Turkish financial system.
Based on the code similarity, the victims business sector, and the presence of control server strings, the attack resembles previous attacks by Hidden Cobra conducted against the global financial network SWIFT.
In this new, more-aggressive attack, the Bankshot implant has returned after first appearing in 2017. Bankshot is designed to persist on a victims network for further exploitation, which is why the McAfee Advanced Threat Research team believes this operation is intended to gain access to specific financial organisations.
Based on the analysis, financial organisations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document. The document contains an embedded Adobe Flash exploit, which was recently announced by the Korean Internet Security agency. The exploit, which takes advantage of CVE-2018-4878, allows an attacker to execute arbitrary code such as an implant.
Further investigation into the campaign shows that the infection occurred on March 2nd and 3rd. The implant’s first target was a major government-controlled financial organisation. It next appeared in another Turkish government organisation involved in finance and trade. A further three large financial institutions in Turkey were victims of this attack. The campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.
Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similar named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created on the 27th of December in 2017 and was updated on February 19th, just a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victims system. This implant also contains functionality to wipe files and content from the targeted system to erase evidence or perform other destructive actions.
The Bankshot implant is attached to a malicious Word document with the filename Agreement.docx. The document appears to be an agreement template for Bitcoin distribution between an unknown individual in Paris and a to-be-determined cryptocurrency exchange. The document contains an embedded Flash script that exploits CVE-2018-4878 and downloads and executes the DLL implant from falcancoin.io.
The implants are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants code.
The campaign has a high chance of success against victims who have an unmatched version of Flash. Documents with the Flash exploit managed to evade static defences and remain undetected as an exploit on VirusTotal.