Sophisticated keyloggers target financial services companies
Analysis of malware samples found among finance firms has uncovered an unusually large number of iSpy keylogger samples. iSpy is a variant of the notorious HawkEye logger.
Network-based malware protection specialist Lastline intercepted the logger's communication with the command and control server and detected the active exfiltration of website, email and FTP credentials, as well as license key information for installed products.
The company's analysis also detected sophisticated Emotet and URSNIF keyloggers being delivered via Microsoft Office documents. These two strains of malware share an evasion module for detecting dynamic analysis environments, and use common methods for infiltrating financial transactions, such as man-in-the-middle network sniffing and hijacking of automated transfer payments. They are modular in nature, and criminals have developed and added new features over time, including lateral movement, additional credential theft, and spam capabilities.
One in 10 of the threats detected used advanced behaviors to avoid static analysis, evade dynamic analysis and remain stealthy. In addition, 27 percent of files detected had not previously been submitted to VirusTotal for analysis.
"We definitely detected a higher than usual incident of very sophisticated malware," says Andy Norton, Lastline's director of threat intelligence. "This is not surprising considering that finance has long been a target for cybercriminals and accordingly has elevated their security capabilities. Because of this, criminals are forced to up their game, which was very clearly seen in these recent samples."
The full report is available from the Lastline website.