Hackers used custom “SWIFT” malware for attack on the Bangladeshi Central Bank

According to researchers, the used malware hijacks the SWIFT software, changing its confirmation notifications and deleting transaction records.

The aforementioned custom malware actually attacks the SWIFT client software- among the most widely used types of transaction software, preferred by a number of financial institutions. Using it, the hackers have already stolen $81 million from Bangladeshi’s Central Bank. The cyber-criminals made an attempt to send over $950 million to their own accounts at the Federal Reserve Bank in New York. However, a big number of the transfers were stopped. The only transfers that they managed to complete were to several accounts in banks in the Philippines with the total of $81 million- an amount of money still missing.

Some malware components have recently been identified by the BAE Systems’ researchers. They are believed to represent essential parts of the custom attack malware kit. The Society for Worldwide Interbank Financial Telecommunication, with the abbreviation SWIFT, is based in Brussels and operates the world’s biggest secure financial messaging network. SWIFT is owned by a great number of financial institutions around the world.

And how exactly does this custom-developed SWIFT malware toolkit function?

It was revealed by the researches of BAE on Monday that one of the kit’s parts is capable of bypassing the library validation check, which is a component of the SWIFT’s Alliance Software Suite. The same library is used for keeping transaction records in the Oracle Database. After that the malware program is able to keep track of the SWIFT Financial Application messages and to detect certain strings, which are defined in an encrypted configuration file. When the malware finds such a string, it looks for the matching database entry and deletes it. The custom-developed virus kit is also able to check for login and logout events in the application and once such are found, it sends notifications to a command-and-control server. Last but not least, the virus program is able to manipulate the messages SWIFT sends. However, every SWIFT message leaves an automatic imprint, which is impossible to delete, and this is mainly how the fraudulent activity was spotted in the first place. 

A lot of facts are still unknown when it comes to the attack on the Bangladeshi Bank. Yet, it could be claimed that this particular attack on a financial institution should serve as a warning to the customers themselves but also to the other financial institutions. It is best if they all agree to look for any potential sources of problems within their systems. SWIFT promises to seriously review their security policy and fix any possible security weakness that can lead to such criminal activities. Nonetheless, the core defense against such attacks is to maintain our personal systems and networks “healthy”-all customers and institutions are advised to make sure that their local environments are not exposed to underlying threats. The use of reliable switches with good capabilities and proper segmentation between certain bank’s systems is especially commented on right now because the bad quality of the Bangladeshi Central Bank segmentation and switches appears to be one of the major reasons that led to the recent theft.