Odinaff Trojan Targets SWIFT Bank System

Cyber criminals are targeting the SWIFT system, according to recent research published by Symantec. The uncovered malware is called Odinaff and has been circulating since January 2016.

The malware usually attacks any system, including corporate networks, that has a SWIFT application installed on it. It then gives the attacker full control of the remote system, which can be used to install additional applications on the targeted network. Symantec links the Odinaff Trojan to a group of attackers called Carbanak.

Several methods are used to distribute the malware, including phishing emails that have the Trojan attached. If the victim opens the document and enables the macro, the malware is executed on the system. Possible actions by the Trojan include taking screenshots, collecting data and information on the infected system, and opening a shell on the infected system to download more tools controlled by the cyber criminals.

The set of tools that is then installed includes:

  1. Mimikatz, an open source password recovery tool
  2. PsExec, a process execution tool from SysInternals
  3. Netscan, a network scanning tool
  4. Ammyy Admin (Remacc.Ammyy) and Remote Manipulator System variants (Backdoor.Gussdoor)
  5. Runas, a tool for running processes as another user
  6. PowerShell
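
An added example (not from Symantec or the original article) of how a defender might hunt for this chain in process-creation logs: an Office application spawning a shell, and hosts where several of the listed tools run together. The event fields, host names and file names are assumptions; the file names are the tools' common defaults and can be renamed by an attacker.

```python
from collections import defaultdict
from ntpath import basename  # parses Windows-style paths on any OS

# Default file names (assumption: attackers can rename binaries, so treat
# these as a starting point, not a complete signature set).
TOOLS = {
    "mimikatz.exe": "Mimikatz",
    "psexec.exe": "PsExec", "psexesvc.exe": "PsExec",
    "netscan.exe": "Netscan",
    "aa_v3.exe": "Ammyy Admin",
    "rutserv.exe": "Remote Manipulator System",
    "runas.exe": "Runas",
    "powershell.exe": "PowerShell",
}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}

def name(path):
    return basename(path).lower()

def office_spawned_shell(events):
    """Macro-enabled document launching a shell or script host."""
    return [e for e in events
            if name(e["parent"]) in OFFICE and name(e["image"]) in SHELLS]

def tool_clusters(events, threshold=3):
    """Hosts where at least `threshold` distinct listed tools were run.
    Each tool alone is dual-use; the combination is the signal."""
    seen = defaultdict(set)
    for e in events:
        tool = TOOLS.get(name(e["image"]))
        if tool:
            seen[e["host"]].add(tool)
    return {h: sorted(t) for h, t in seen.items() if len(t) >= threshold}

# Constructed sample events (not taken from the Symantec report).
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    {"host": "WS-017", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "image": CMD},
    {"host": "WS-017", "parent": CMD, "image": r"C:\Users\Public\mimikatz.exe"},
    {"host": "WS-017", "parent": CMD, "image": r"C:\Users\Public\PsExec.exe"},
    {"host": "WS-017", "parent": CMD, "image": r"C:\Users\Public\netscan.exe"},
    {"host": "ADMIN-02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

if __name__ == "__main__":
    for e in office_spawned_shell(EVENTS):
        print("office->shell:", e["host"], name(e["image"]))
    print("tool clusters:", tool_clusters(EVENTS))
```
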

Odinaff attacks by region (source: Symantec)

According to Symantec, another group is believed to be involved in the SWIFT attacks: “These Odinaff attacks are an example of another group believed to be involved in this kind of activity, following the Bangladesh central bank heist linked to the Lazarus group. There are no apparent links between Odinaff’s attacks and the attacks on banks’ SWIFT environments attributed to Lazarus and the SWIFT-related malware used by the Odinaff group bears no resemblance to Trojan.Banswift, the malware used in the Lazarus-linked attacks.”