Financial department employees vulnerable to remote access Trojans

Mumbai: Since the start of 2015, cyber-criminals have been increasingly spreading two families of remote access Trojans (RATS) across businesses in India, UK, and the US.

Several attackers have been essentially targeting employees working in financial departments in order to steal money from their respective organisations, according to a research conducted by Symantec.

Infection activity in the top three targeted regions throughout 2015. (Source: Symantec)The research pointed out that the attackers operate with only a few sources while relying heavily on social engineering rather than exploits, and the attackers also use two publicly available RATS—Backdoor.Breut and Trojan.Nancrat. Although the tools are measly in number, they are potent enough to give the hackers complete access to any victim’s computer.

The online threats have been rapidly rising and the report suggests that most of the targeted employees were located in India in 2015, while some others were in the UK, and US. Currently, the number of attacks in India and US has dropped significantly in contrast to UK where the malwares are spreading rapidly.

Early in 2015, hackers used Backdoor.Breut to essentially target organisations in India. The UK operations were started post August using Trojan.Nancrat. Interestingly, most attackers are not focused on specific industries or organisations: they simply want to get access to businesses with low network security architecture.

The process

The most common and simple process for the hackers to spread the RATs is by sending emails from ‘spoofed or stolen accounts’, the Symantec research suggested.

“Based on campaigns run by Symantec’s Phishing Readiness solution, it’s clear that, on average, employees are susceptible to email-based attacks 18 per cent of the time, which is one of the reasons why attackers have exploited this access point so much when trying to spreading RATs quickly and effectively,” the research added.

Interestingly, the majority of messages are in the morning during Eastern Standard Time (EST), which suggests that the attackers are most likely based in Europe or the US. Most of the messages are related to finance to lure employees that have access to the targeted organisation’s accounts.

Here are some examples:

• Re:Invoice

• PO

• Remittance Advice

• Payment Advise

• Quotation Required

• Transfer Copy

• TT Payment

• PAYMENT REMITTANCE

• INQUIRY

• Qoutation

• QUOTATION

• Request for Quotation

Most of the emails include archive file attachments, usually with the .zip extensions. The research further indicated that computers are infected with either Backdoor.Breut or Trojan.Nancrat as soon as the targeted users open these file.

Both the threats give hackers complete control of the victim’s computer and are able to access the webcam, microphone, log keystrokes, confidential data, passwords, and much more.

The Symantec research also observed that the perpetrators use the targeted employee’s ‘privileged access’ to transfer money to an account under their control.

After a computer has been compromised, the attacks start examining it to discover news ways for stealing all the money. After extracting money from one account, these hackers quickly move to their next target, suggesting that there are a small number of attackers involved in these campaigns.

Harmful domains

According to the research, in the first half of 2015, the attackers used domain names such as cleintten101.no-ip.biz, cleintten.duckdns.org, and clientten1.ddns.net as command and control (C&C) servers for Backdoor.Breut.

However, in August, the attackers configured another variant of Backdoor.Breut to use the domains such as akaros79.no-ip.biz, mathew79.no-ip.biz, and clientten1.ddns.net as C&C servers.

Few resources, huge impact

While advanced hacking groups may garner a lot of attention in the news, users should not ignore less skilled attackers who have access to a lot of online methods to con any targeted company.

Over the past one year, Symantec has spotted many fraudulent activities with similar tactics that have targeted financial employees. For instance, in December, four attack groups targeted Columbian finance departments with malicious email attachments to deliver the W32.Extrat RAT.

“Given the continued focus on these types of tactics by attackers, businesses around the world should know how to protect their assets against these kinds of operations,” the research added.

The solution

In the wake of more social engineering tactics being used by hackers, users should adhere to the following advices to avoid any kind of future attack.

• Do not open attachments or click on links in suspicious email messages

• Avoid providing any personal information when answering an email

• Never enter personal information in a pop-up web page

• Keep security software up to date

• If you’re uncertain about an email’s legitimacy, contact your internal IT department

• You can also a full protection stack

Symantec also offers a full protection stack including symantec.cloud, email blocking, web gateway security, and endpoint security to prevent such attacks.