Published : 5 years ago, on 16/10/2019

By Anthony Giandomenico, Senior Security Strategist and Researcher, FortiGuard Labs

Every quarter, Fortinet’s Threat Landscape Report highlights threats targeting various industries, including the financial services sector. In Q2 of 2019, threat activity across the internet hit its highest point ever, and those new trends and developments revealed increased cybercriminal intent to exploit the financial industry. Organizations are encouraged to explore this threat intelligence report to stay in the know and better protect their institutions from current as well as future risk.

Threat Actors Employ Evasive Anti-Analysis Techniques

Many of today’s more nefarious malware tools use anti-analysis techniques: features for evading antivirus, sandbox and other threat-detection measures to slip past their target organizations’ defenses. While these techniques are not new, their popularity appears to be growing.

For example, a new variant of the Dridex banking Trojan was discovered in June 2019. This malware was able to successfully evade several traditional antivirus tools by leveraging 64-bit DLLs disguised using the file names of legitimate Windows functions. Each time a victim logged in, the file names and associated hashes were changed, complicating signature-based detection on infected host systems even further.

In addition to evasive Trojans, a number of downloaders with built-in, sophisticated evasion techniques were also spotted last quarter. One example, AndroMut, was used by the Russian-speaking TA505 group in a campaign that targeted employees working at financial organizations in the U.S. and elsewhere. This downloader’s anti-analysis features consisted of sandboxing and emulator verification, checks for mouse movement, and debuggers.

Similarly, two other downloaders – Brushaloader and a new version of JasperLoader – were reported to have employed advanced evasion techniques like location verification, as well as sleep timers for delayed malware execution.

The growing use of anti-analysis and expansive evasion tactics presents a challenge to financial organizations and highlights the need for layered defenses. These defenses must span beyond traditional threat detection and include more than just signature and behavior-based techniques.

Cyber Criminal Organizations Are Also Targeting Online Transactions

Many major events in Q2 highlighted the growing number of attacks focused on trusted third parties.

Magecart, an umbrella term for multiple cybercriminal organizations that have been using card-skimming software to exfiltrate data from ecommerce websites. These groups insert JavaScript skimmers into third-party components that websites rely on for critical business functions, such as content management and payment services. These skimmers then capture payment data from behind the scenes.

In May, more than 185,000 payment cards were stolen from various ecommerce sites using JS/Cryxos.PWS!tr, a lightweight JavaScript skimmer. At the beginning of Q2, this variant showed steady activity, followed by a large spike in June. Most victims of this exploit were in the U.S. However, other pockets of victims were observed in Australia, Britain, France and Italy.

Threat intelligence plays a critical role in helping financial institution stay ahead of the latest threat trends and challenges. Government mandates like GDPR make organizations using third-party services primarily responsible for protecting customer data, and failure to protect critical payment data can result in serious consequences and fines. Threat intelligence plays an essential role in providing critical insights and providing guidance on how and where to implement third-party risk management.

Final Thoughts

Cyber criminals are constantly evolving their attack strategies and techniques to increase their accuracy, evade detection and achieve their malicious goals. Financial institutions must continually leverage threat intelligence, like that provided by Fortinet’s Quarterly Threat Landscape Report – in conjunction with advanced security tools – to identify looming threats and thwart the impact of advancing cyberattacks.