One Article Review

Home - The article:
Source: BAE
Identifier: 352310
Publication date: 2017-03-06 12:13:34 (seen: 2017-03-06 12:13:34)
Title: Two bytes to $951m
Text: In February 2016 one of the largest cyber heists was committed and subsequently disclosed. An unknown attacker gained access to the Bangladesh Bank's (BB) SWIFT payment system and reportedly instructed an American bank to transfer money from BB's account to accounts in The Philippines. The attackers attempted to steal $951m, of which $81m is still unaccounted for.

The technical details of the attack have yet to be made public; however, we've recently identified tools uploaded to online malware repositories that we believe are linked to the heist. The custom malware was submitted by a user in Bangladesh, and contains sophisticated functionality for interacting with local SWIFT Alliance Access software running in the victim infrastructure. This malware appears to be just part of a wider attack toolkit, and would have been used to cover the attackers' tracks as they sent forged payment instructions to make the transfers. This would have hampered the detection and response to the attack, giving more time for the subsequent money laundering to take place. The tools are highly configurable and, given the correct access, could feasibly be used for similar attacks in the future.

Malware samples:

SHA1                                      Compile time         Size (bytes)  Filename
525a8e3ae4e3df8c9c61f2a49e38541d196e9228  2016-02-05 11:46:20  65,536        evtdiag.exe
76bab478dcc70f979ce62cd306e9ba50ee84e37e  2016-02-04 13:45:39  16,384
Sent: Yes


The article does not appear to have been republished after its publication.


The article does not appear to be a reprint of an earlier one.