Symantec: SWIFT Malware Evident in Other Bank Attacks
Security firm Symantec has said that the malware used in the $81 million cyberheist from Bangladesh's central bank, whose account at the US Federal Reserve was drained, has been linked to a second cyberattack, this one against a Philippines-based bank.
In a blog post today, Symantec said it had found evidence that a bank in the Philippines was also targeted by the group behind the Bangladesh heist.
Notably, the security firm stated that the malware used in the Bangladesh bank heist was also used in a series of targeted attacks against an unnamed bank in the Philippines. Furthermore, according to Symantec, the same group had tried to steal over $1 million from Vietnam's Tien Phong Bank.
The attacks can be traced back as far as October 2015, and the malware used bears similarities to tools wielded by the cyberthreat group known as Lazarus.
Lazarus is perhaps most infamous for being linked to the Trojan suspected of infiltrating Sony Pictures Entertainment and wreaking havoc in the 2014 attack on the studio. Such was the impact of the breach that it added to the already strained diplomatic relationship between North Korea and the United States, with the FBI publicly attributing the hack to North Korea.
The White House even said, through a spokesman, that the North Korean government should compensate Sony for the damages caused by the attack.
In the course of its investigation, Symantec identified three strains of malware used in 'limited' targeted attacks against South-East Asian financial companies. The firm drew a link between one of the three strains, Backdoor.Contopee, and the malware used in the Bangladesh attack, Trojan.Banswift.
Analysis of Trojan.Banswift samples turned up a distinctive file-wiping routine, and Symantec found that the same distinctive code appears in other malware families. This is the basis of its attribution: code that is shared between families but not with common libraries or compiler runtimes is evidence of a common developer.
In its blog, it stated:
Symantec believes distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group.
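The attribution argument above rests on shared code that is *distinctive*: a routine found in both Trojan.Banswift and the Lazarus-linked families, but not in code that every Windows binary picks up from its compiler runtime or from public libraries. The following is an added example of that kind of code-reuse check and is not Symantec's own tooling (its post publishes conclusions, not analysis code). All byte strings are constructed stand-ins, not real malware; the sample names, the 8-byte window size and the "baseline" of runtime code are assumptions for the illustration.

```python
"""Code-reuse check between malware samples, as used in attribution.

Each sample's code is split into overlapping byte n-grams. N-grams that also
occur in a baseline corpus (compiler runtime, public libraries) are discarded
as non-distinctive; what remains shared between two samples is the evidence
worth reporting. Added example with constructed data, not real malware code.
"""
from itertools import combinations

WINDOW = 8  # n-gram size in bytes (assumption; real tooling often hashes whole functions)


def code_ngrams(code: bytes, n: int = WINDOW) -> set:
    """All overlapping n-byte windows of a code blob."""
    return {code[i:i + n] for i in range(len(code) - n + 1)}


def distinctive_ngrams(code: bytes, baseline: set, n: int = WINDOW) -> set:
    """N-grams of a sample minus anything seen in the baseline corpus."""
    return code_ngrams(code, n) - baseline


def shared_code(samples: dict, baseline_samples: list, n: int = WINDOW) -> dict:
    """For every pair of samples return (shared_count, jaccard, shared_ngrams).

    Only distinctive n-grams (absent from the baseline) are compared, so two
    samples that merely link the same CRT do not look related.
    """
    baseline = set().union(*(code_ngrams(b, n) for b in baseline_samples))
    grams = {name: distinctive_ngrams(code, baseline, n) for name, code in samples.items()}
    result = {}
    for a, b in combinations(samples, 2):
        inter = grams[a] & grams[b]
        union = grams[a] | grams[b]
        jaccard = round(len(inter) / len(union), 3) if union else 0.0
        result[(a, b)] = (len(inter), jaccard, inter)
    return result


# --- constructed stand-ins (NOT real malware bytes) --------------------------
# A "runtime prologue" present in every binary, including clean ones.
CRT = bytes([0x55, 0x8B, 0xEC, 0x81, 0xEC, 0x00, 0x01, 0x00, 0x00, 0x53,
             0x56, 0x57, 0x8B, 0x7D, 0x08, 0xB9, 0x40, 0x00, 0x00, 0x00])
# A made-up "overwrite loop" standing in for the distinctive wiping routine.
WIPER = bytes([0xB8, 0x00, 0xD8, 0xF8, 0xD2, 0x33, 0xC9, 0xC7, 0x04, 0x0F,
               0xDE, 0xAD, 0xBE, 0xEF, 0x83, 0xC1, 0x04, 0x3B, 0xCA, 0x72, 0xF5])
UNIQUE_A = bytes(range(0x20, 0x40))   # filler unique to each sample
UNIQUE_B = bytes(range(0x60, 0x80))
UNIQUE_C = bytes(range(0xA0, 0xC0))
UNIQUE_D = bytes(range(0xE0, 0x100))

SAMPLES = {
    "banswift_like": CRT + UNIQUE_A + WIPER,   # assumption: Banswift-style sample
    "contopee_like": CRT + WIPER + UNIQUE_B,   # assumption: Contopee-style sample
    "unrelated":     CRT + UNIQUE_C,           # shares only the runtime prologue
}
BASELINE = [CRT + UNIQUE_D]                     # a clean build of the same runtime


def analyse() -> dict:
    """Run the comparison over the constructed corpus."""
    return shared_code(SAMPLES, BASELINE)


if __name__ == "__main__":
    for pair, (count, jaccard, _) in analyse().items():
        print(f"{pair[0]:>14} vs {pair[1]:<14} shared distinctive n-grams={count:3d} jaccard={jaccard}")
```

Run as-is, the two samples carrying the constructed wiper routine share 14 distinctive 8-byte windows, while each of them shares none with the unrelated sample, even though all three begin with the identical runtime prologue. That is the shape of Symantec's claim: the overlap survives after library and runtime code is removed, so it says something about the author rather than the toolchain. The caveat a practitioner would add is that the baseline must be generous (statically linked crypto, compression and networking libraries are the usual false positives), and that any open-source or leaked code shared by unrelated actors must be excluded before overlap is read as attribution.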