Hackers Target U.S., U.K. And India Finance Employees With Trojans | Hacked: Hacking Finance

Lester Coleman

Lester Coleman is a veteran business journalist based in the United States. He has covered the payments industry for several years and is available for writing assignments.



This article was posted on Wednesday, 20:07, UTC.

Two families of remote-access Trojans (RATs) have been used to infiltrate small companies in the U.S., the U.K. and India since early 2015, according to Symantec, a Mountain View, Calif.-based security company. The attackers use Trojan.Nancrat and Backdoor.Breut, both of which are publicly available, and have stolen money by targeting the employees who oversee fund transfers and accounts.


For most of 2015 the majority of targets were in India. Activity in India and the U.S. has tapered off in the last few months, while attacks on U.K. targets have increased.

Chart: Source: Symantec

Hackers Switch Tactics

The attackers began using Backdoor.Breut in early 2015, and then in August, they switched to Trojan.Nancrat against U.K. targets as they kept using Backdoor.Breut in other regions.


The attackers send the emails from stolen or spoofed accounts. Employees fall for email-based attacks 18% of the time, according to campaigns run with Symantec's Phishing Readiness solution, which is one reason attackers keep exploiting this particular access point.

Messages Trick Employees

The attackers send most messages in the morning Eastern Standard Time (EST), which is the afternoon in Greenwich Mean Time (GMT). The subject lines relate to finance so as to entice employees who have access to accounts. They include: "payment remittance," "re: invoice," "IT payment," "PO," "transfer copy," "remittance advice," "quotation required," "payment advise," "inquiry," "request for quotation," and "quotation."

The emails carry archive attachments, usually with a .zip extension. When the victim opens the file, the malware infects the computer. Both Trojan.Nancrat and Backdoor.Breut give the attackers full control of the victim's machine.

Attackers can then access the microphone and webcam, steal files and passwords, log keystrokes and more. They have been able to use the victim’s privileged access to transfer funds to an account that the attacker controls.

In the first half of 2015 the Backdoor.Breut samples used the following command-and-control (C2) domains: "cleintten101.no-ipo.biz," "cleintten.duckdns.org," and "clientten.1.ddns.net."

Beginning in August, a Backdoor.Breut variant was configured to use "akaros79.no-ip.bz," "mathew79.no-ip.biz," and "clienttin1.ddns.net."

The attackers then used "mathew79.no-ip.biz" and "akaros.no-ip.biz" for Backdoor.Breut variants while assigning the original "clientten1.ddns.net" to Trojan.Nancrat. From this point they attacked U.K. targets with Trojan.Nancrat while compromising other regions with Backdoor.Breut. All of these hostnames sit under dynamic-DNS services (No-IP, DuckDNS, DDNS), which let the attackers repoint the C2 address at will without registering a domain of their own.
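As an added example (not Symantec's tooling and not code from the article), the following Python script turns the lure subjects and C2 hostnames quoted above into two simple triage checks that a mail gateway or SOC could run: flag inbound mail only when a finance-themed subject and an archive attachment coincide, and match DNS query logs against the listed hostnames and the dynamic-DNS zones they live under. The mail records, the DNS log format and the archive extensions beyond .zip are constructed here as assumptions.

```python
"""Triage checks for the lure-plus-dynamic-DNS pattern described above.

Constructed example: the subjects and C2 hostnames are copied from the
article; the mail records, DNS log lines and log format are made up here.
"""
import os
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Subject lines the article quotes, lower-cased for matching.
LURE_SUBJECTS = [
    "payment remittance", "re: invoice", "it payment", "po", "transfer copy",
    "remittance advice", "quotation required", "payment advise", "inquiry",
    "request for quotation", "quotation",
]

# .zip is the extension the article names; the others are common archive
# formats added here as an assumption.
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z", ".ace", ".cab"}

# C2 hostnames copied verbatim from the text, including their spellings.
KNOWN_C2 = {
    "cleintten101.no-ipo.biz", "cleintten.duckdns.org", "clientten.1.ddns.net",
    "akaros79.no-ip.bz", "mathew79.no-ip.biz", "clienttin1.ddns.net",
    "akaros.no-ip.biz", "clientten1.ddns.net",
}

# Dynamic-DNS zones those hostnames sit under; a query into them from a
# finance workstation is worth a look even when the label is new.
DYNDNS_ZONES = ("no-ip.biz", "duckdns.org", "ddns.net")

# Whole-phrase patterns so a short lure like "po" does not fire on "report".
_LURE_PATTERNS = [re.compile(r"\b" + re.escape(s) + r"\b") for s in LURE_SUBJECTS]


@dataclass
class Verdict:
    flagged: bool
    reasons: List[str] = field(default_factory=list)


def triage_email(subject: str, attachments: List[str]) -> Verdict:
    """Flag only when a finance lure subject AND an archive attachment coincide."""
    subj = re.sub(r"\s+", " ", subject.strip().lower())
    reasons = []
    lures = [p.pattern for p in _LURE_PATTERNS if p.search(subj)]
    if lures:
        reasons.append(f"lure subject: {subj!r}")
    archives = [a for a in attachments
                if os.path.splitext(a)[1].lower() in ARCHIVE_EXTENSIONS]
    if archives:
        reasons.append(f"archive attachment(s): {archives}")
    return Verdict(flagged=bool(lures and archives), reasons=reasons)


def classify_domain(fqdn: str) -> str:
    """'known-c2' for an exact IOC hit, 'dyndns' for the parent zones, else 'clean'."""
    host = fqdn.rstrip(".").lower()
    if host in KNOWN_C2:
        return "known-c2"
    if any(host == z or host.endswith("." + z) for z in DYNDNS_ZONES):
        return "dyndns"
    return "clean"


# Constructed DNS query log: "<timestamp> <client> query <type> <name>".
SAMPLE_DNS_LOG = """\
2015-08-14T09:12:33Z 10.1.2.17 query A mathew79.no-ip.biz
2015-08-14T09:12:35Z 10.1.2.17 query A www.symantec.com
2015-08-14T09:13:01Z 10.1.2.40 query A payroll-update.duckdns.org
2015-08-14T09:13:07Z 10.1.2.40 query AAAA update.microsoft.com
"""


def scan_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client, name, verdict) for every non-clean query in the log."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "query":
            continue  # skip malformed lines rather than crash on them
        client, name = parts[1], parts[4]
        verdict = classify_domain(name)
        if verdict != "clean":
            hits.append((client, name, verdict))
    return hits


# Constructed inbound mail records: (subject, attachment names).
SAMPLE_MAIL = [
    ("Payment Remittance", ["remittance_0814.zip"]),
    ("Re: Invoice", ["invoice.pdf"]),
    ("Lunch on Friday?", ["menu.zip"]),
    ("PO 4421", ["PO4421.zip"]),
]

if __name__ == "__main__":
    for subject, atts in SAMPLE_MAIL:
        v = triage_email(subject, atts)
        print(f"{'FLAG' if v.flagged else 'pass'} {subject!r}: {v.reasons}")
    for client, name, verdict in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS {client} -> {name} [{verdict}]")
```

Requiring both the lure subject and the archive attachment keeps the false-positive rate tolerable in a finance inbox where "invoice" and "PO" are everyday traffic; the DNS check is deliberately two-tiered, because the article shows the group rotating labels under the same dynamic-DNS zones, so an exact-match IOC list alone goes stale quickly.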

While the attackers have limited resources, they can use the two types of malware to gain full access to a computer. By focusing RAT infections on specific employees they can potentially steal large sums of money and sensitive information from victims.

In December, four attack groups targeted finance departments in Colombia using malicious email attachments to deliver the W32.Extrat RAT.


What You’ll Need To Do

Since the attackers rely on social engineering, users are advised to follow these preventive measures.
• Don't open attachments or click on links in suspicious email messages.
• If uncertain about an email, contact the IT department or submit it to Symantec Security through its portal.
• Don't provide personal data when responding to an email.
• Keep security software up to date.
• Don't enter personal data in a pop-up web page.

Featured image from Shutterstock. Chart courtesy of Symantec.



