Attack on Financial Institutions with a New Backdoor

London, UK – August 08, 2017 – There were at least five attacks on Russian-speaking companies between June 23 and July 27, as researchers from Trend Micro reported. The primary targets of these attacks were banks and mining companies. Adversaries used spear phishing: they sent several different emails to each target that contained malicious attachments – renamed RTF documents that exploited the CVE-2017-0199 vulnerability. The ultimate goal of the attacks was to install a new backdoor with a wide range of capabilities, including downloading and launching PE files, hiding tracks and removing the backdoor, downloading and running additional scripts, and executing commands. During the attack, various legitimate Windows components were used to run scripts. That’s why it was hard to detect and stop infection. Researchers believe that adversaries continue to attack financial institutions, and it is necessary to take all measures to protect companies from such attacks.

So, there is a need to install all Microsoft Office updates and set up link whitelisting on the firewalls. If your organization uses SIEM tool HPE ArcSight, IBM QRadar or Splunk, you can download from the S.M.A. cloud use case APT Framework that will warn you of any suspicious activity.