The three-month-long heist was uncovered last October when it became apparent that the bank’s website was serving malware to each of its visitors. The malware was a Java file tucked inside a .zip archive loaded from the site’s index file.
Detailing the online assault at the Security Analyst Summit, Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev said that the attackers had extended their operations to nine other institutions worldwide.
The unidentified bank claims five million customers in Brazil, the US, Argentina and Grand Cayman and manages $25 billion in assets from a network of 500 branches.
“Every single visitor got a plugin with the JAR file inside,” Bestuzhev says, adding that the attackers had control of the site’s index file. An iframe injected into the index redirected visitors to a website from which the malware was dropped.
The hackers had seized control of the bank’s DNS hosting service, transferring all 36 of the bank’s domains to phony websites that used free HTTPS certs from Let’s Encrypt.
“All domains, including corporate domains, were in control of the bad guy,” Assolini says, adding that the attackers also were inside the corporate email infrastructure and shut it down, preventing the bank from informing customers of the attack or contacting their registrar and DNS provider.
Pulling the malware apart, the researchers found eight modules, including configuration files with bank URLs, update modules, credential-stealing modules for Microsoft Exchange, Thunderbird, and the local address book, and internet banking control and decryption modules. All of the modules, the researchers said, were talking to a command and control server in Canada.
One of the modules, called Avenger, is a legitimate penetration testing tool used to remove rootkits. But in this case, it had been modified to remove security products running on compromised computers. It was through Avenger that the researchers determined that nine other banks around the world were similarly attacked and owned.
“The bad guys wanted to use that opportunity to hijack operations of the original bank but also drop malware with the capacity to steal money from banks of other countries,” Bestuzhev says.
The researchers also reported finding phishing pages hosted on the bank’s domains that tried to induce victims to enter payment card information.
The plot was in motion at least five months in advance, when the Let’s Encrypt certificate was obtained. Spear-phishing emails impersonating the Brazilian registrar were also discovered targeting local companies.
Bestuzhev and Assolini believe this could be the avenue the attackers used to take control of the bank’s DNS settings.
“Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad,” Bestuzhev says. “If DNS was under control of the criminals, you’re screwed.”
The researchers stressed the importance of securing the DNS infrastructure and the need to take advantage of features such as two-factor authentication, which most registrars offer, but few customers use.
“That’s exactly what happened with this bank,” Assolini says.
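The takeover described above left external traces that a defender can watch for: the domains’ delegation and address records moved to infrastructure the bank did not control, and the impostor sites served certificates from a CA the bank had never used. The script below is an added illustration, not code from Kaspersky or the bank, of a scheduled baseline-drift check that would have raised those signals. All domain names, IP addresses and issuer names are constructed placeholders, and the "observations" are hand-built snapshots standing in for what a real external probe (dig, a TLS handshake) would return.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Approved state, kept offline by the security team (constructed example)."""
    nameservers: frozenset          # authoritative NS hostnames the bank delegates to
    a_records: dict                 # hostname -> frozenset of expected IPs
    allowed_issuers: frozenset      # CAs the bank actually obtains certificates from


@dataclass(frozen=True)
class Observation:
    """What an external probe actually saw on one run (constructed example)."""
    nameservers: frozenset
    a_records: dict
    cert_issuer: str                # issuer name of the cert served on the main site


def check_drift(baseline: Baseline, obs: Observation) -> list:
    """Compare an observation against the baseline.

    Returns a list of (finding, detail) tuples; an empty list means no drift.
    """
    findings = []

    # Delegation drift: nameservers added or removed relative to the baseline.
    added = obs.nameservers - baseline.nameservers
    removed = baseline.nameservers - obs.nameservers
    if added:
        findings.append(("NS_ADDED", sorted(added)))
    if removed:
        findings.append(("NS_REMOVED", sorted(removed)))

    # Record drift: hosts pointing somewhere new, or hosts that were never approved.
    for host, ips in sorted(obs.a_records.items()):
        expected = baseline.a_records.get(host)
        if expected is None:
            findings.append(("UNKNOWN_HOST", host))
        elif ips != expected:
            findings.append(("A_CHANGED", (host, sorted(ips))))

    # Issuer drift: a certificate from a CA the organisation does not use.
    if obs.cert_issuer not in baseline.allowed_issuers:
        findings.append(("UNEXPECTED_ISSUER", obs.cert_issuer))

    return findings


# Constructed sample data; none of these are the bank's real records.
BANK_BASELINE = Baseline(
    nameservers=frozenset({"ns1.bank-dns.example", "ns2.bank-dns.example"}),
    a_records={
        "www.bank.example": frozenset({"192.0.2.10"}),
        "mail.bank.example": frozenset({"192.0.2.25"}),
    },
    allowed_issuers=frozenset({"Example Commercial CA"}),
)

# Snapshot resembling a healthy day.
NORMAL_DAY = Observation(
    nameservers=BANK_BASELINE.nameservers,
    a_records=BANK_BASELINE.a_records,
    cert_issuer="Example Commercial CA",
)

# Snapshot resembling the takeover: delegation moved, every host repointed to
# one attacker-controlled address, and a free cert from a CA the bank never uses.
HIJACKED_DAY = Observation(
    nameservers=frozenset({"ns1.attacker-dns.example", "ns2.attacker-dns.example"}),
    a_records={
        "www.bank.example": frozenset({"198.51.100.7"}),
        "mail.bank.example": frozenset({"198.51.100.7"}),
    },
    cert_issuer="Let's Encrypt",
)


def run_example() -> dict:
    """Run the check over both constructed snapshots."""
    return {
        "normal": check_drift(BANK_BASELINE, NORMAL_DAY),
        "hijacked": check_drift(BANK_BASELINE, HIJACKED_DAY),
    }


if __name__ == "__main__":
    for name, findings in run_example().items():
        print(name, "->", findings or "no drift")
```

In practice the observation would be collected from outside the corporate network, since the article notes the attackers also disabled the bank’s email; the alert path for this check therefore needs to reach the team through a channel that does not depend on the monitored domains. A CAA record on the zone, limiting which CAs may issue for the bank’s names, complements the issuer check, though it only helps while the zone itself is still under the bank’s control.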