On February 28, the McAfee Advanced Threat Research team discovered a new campaign by the APT group Hidden Cobra targeting financial organizations in Turkey.
In the new campaign the attackers use the Bankshot implant, last seen in 2017, to target the Turkish financial system.
Researchers said that, based on code similarity, the victims' business sector, and the presence of control server strings, this attack resembles previous attacks by Hidden Cobra against the global financial network SWIFT.
The attackers targeted organizations with spear-phishing emails carrying a malicious Word document as the attachment.
The document contains an embedded Adobe Flash exploit for CVE-2018-4878, a vulnerability that allows an attacker to execute arbitrary code, in this case the Bankshot implant.
The attackers' first target, infected on March 2 and 3, was a major government-controlled financial organization. Next, a Turkish government organization involved in finance and trade and three large financial institutions were infected with the implant.
“Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity. The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system,” McAfee said in its blog post.
The malicious Word document, named Agreement.docx, poses as an agreement template for bitcoin distribution.
“The implants are downloaded via a Flash file embedded in the malicious document. They are executed when the victim views the document. The implants (DLLs) are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants’ code,” the post continues.
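Two of the delivery details above are cheap to check on the wire or on disk: a .docx is a ZIP container, so an embedded Flash object shows up as a member carrying an SWF header (the FWS/CWS/ZWS signature followed by a version byte and a length field), and a "ZIP" download that is really a DLL begins with the PE "MZ" marker rather than "PK". The following triage script is an added example written for this article; it is not McAfee's code and does not reproduce the real samples. The document it inspects and the fake "zip" payload are constructed in memory, and the member names and padding are assumptions for illustration only.

```python
import io
import re
import struct
import zipfile

# Well-known file signatures used for triage.
# SWF header: 3-byte signature (FWS = uncompressed, CWS = zlib, ZWS = LZMA),
# 1-byte version, then a uint32 little-endian total file length.
SWF_HEADER_RE = re.compile(rb"(?:FWS|CWS|ZWS)[\x01-\x40]")
PE_MAGIC = b"MZ"          # Windows PE (EXE/DLL) starts with the DOS stub marker
ZIP_MAGIC = b"PK\x03\x04" # ZIP local file header (also the first bytes of a .docx)


def looks_like_swf_at(data, offset):
    """True if a plausible SWF header starts at data[offset].

    The signature alone is three printable letters and could occur in text,
    so also require the length field to be at least the header size.
    """
    if offset + 8 > len(data):
        return False
    (length,) = struct.unpack_from("<I", data, offset + 4)
    return length >= 8


def find_embedded_swf(docx_bytes):
    """Return the names of docx members that contain an SWF header.

    Embedded objects usually live under word/embeddings/ or word/activeX/,
    but every member is scanned and the header is searched for at any
    offset, because an OLE-wrapped payload is not at offset 0.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if any(looks_like_swf_at(data, m.start())
                   for m in SWF_HEADER_RE.finditer(data)):
                hits.append(name)
    return hits


def classify_by_magic(data):
    """Classify a blob as 'pe', 'zip', 'swf' or 'unknown' from its magic bytes."""
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if SWF_HEADER_RE.match(data) and looks_like_swf_at(data, 0):
        return "swf"
    return "unknown"


def extension_mismatch(filename, data):
    """True when the extension promises one format but the bytes are another.

    A DLL delivered with a .zip name is the case described in the article.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = {"zip": "zip", "docx": "zip", "dll": "pe",
                "exe": "pe", "swf": "swf"}.get(ext)
    return expected is not None and classify_by_magic(data) != expected


def build_docx(extra_members):
    """Build a minimal, constructed .docx in memory (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        for name, data in extra_members.items():
            z.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a zlib-flagged SWF header with a dummy body, wrapped
# behind a fake OLE compound-file signature and padding, and a fake DLL.
FAKE_SWF = b"CWS" + bytes([0x1E]) + struct.pack("<I", 4096) + b"\x00" * 32
MALICIOUS_DOCX = build_docx({
    "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 64 + FAKE_SWF,
})
CLEAN_DOCX = build_docx({})
FAKE_DLL_AS_ZIP = b"MZ\x90\x00" + b"\x00" * 60   # PE header bytes, named *.zip

if __name__ == "__main__":
    print("embedded SWF in malicious doc:", find_embedded_swf(MALICIOUS_DOCX))
    print("embedded SWF in clean doc:", find_embedded_swf(CLEAN_DOCX))
    print("update.zip is really:", classify_by_magic(FAKE_DLL_AS_ZIP))
    print("mismatch:", extension_mismatch("update.zip", FAKE_DLL_AS_ZIP))
```

Running the script on a real document is a first-pass check only: a compressed OLE stream or an RTF-wrapped object can hide the SWF signature, so a clean result from this scan should not be read as proof that no Flash content is present.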
The Bankshot implant is designed to persist on a victim's network for further exploitation, and it is also capable of wiping files and content from the victim's system to erase evidence or perform other destructive activity.
Researchers also discovered two more similar documents, written in Korean, that exploit the same vulnerability. These may have been used in the same campaign or against a different target.
They added that the implant has so far not been seen targeting any other sector or country, and that the attackers may be planning a future heist against these targets, using Bankshot to gather information.