
Odinaff Trojan behind financial attacks mostly in Turkey

Akbank, one of the largest Turkish banks, seems to be the latest victim of the Odinaff trojan, a threat similar to the Carbanak malware.

Odinaff, a malware similar to Carbanak, has been targeting financial institutions around the world since the beginning of the year.

“Since January 2016, discreet campaigns involving malware called Trojan.Odinaff have targeted a number of financial organizations worldwide. These attacks appear to be extremely focused on organizations operating in the banking, securities, trading, and payroll sectors. Organizations who provide support services to these industries are also of interest.” states a blog post published by Symantec. “These additional tools bear the hallmarks of a sophisticated attacker which has plagued the financial industry since at least 2013–Carbanak. This new wave of attacks has also used some infrastructure that has previously been used in Carbanak campaigns.”

Financial organizations from the U.S.A. to Australia, and from Ukraine to Hong Kong, were targeted by the malware.

The bank issued a short statement mentioning the fraudulent SWIFT activities. While very little information has been disclosed, current data at hand and information gathered from internal sources suggest the following scenario.

The initial attack vector is spear-phishing. An employee is targeted with a Microsoft Office document containing a malicious macro that downloads the Odinaff malware. As seen in the sample below, the malicious document prompts the user to allow the macros.

[Image: the Odinaff malicious document prompting the user to enable macros. Source: Symantec]

Attackers gain persistence and start activities in the bank’s network using Windows components such as PowerShell and WMI. Earlier Odinaff attacks involved lightweight, well-known tools such as PsExec, Netscan and Ammyy, and hacking tools such as Mimikatz.

The use of “legitimate” software allows attackers and malware to remain under the radar of antivirus software, which usually looks for unknown or new files rather than for abuse of tools that are already trusted.
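A defender-side illustration of the chain described above (an Office macro launching PowerShell, WMI-driven execution, and dual-use tools such as PsExec and Mimikatz running under the antivirus radar). This is an added example, not code from the article or from Symantec: it runs simple process-lineage rules over constructed Sysmon-style process-creation events, and the field names, tool-name list and command-line cues are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events (not taken from the article
# or from Symantec's report); only the fields the rules need are included.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -enc SQBFAFgA..."},
    {"parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c whoami"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n report.docx"},
]

# Assumed lists: Office hosts that should not spawn shells, shell/script hosts,
# and name fragments of the dual-use tools the article mentions.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TOOL_NAMES = ("psexec", "psexesvc", "netscan", "ammyy", "mimikatz")
# Command-line cues typical of macro-launched PowerShell downloaders.
PS_CUES = re.compile(r"(-enc\w*|downloadstring|downloadfile|-w\s+hidden|bypass)", re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the list of rule names an event triggers (empty if benign)."""
    parent, image = basename(event["parent"]), basename(event["image"])
    findings = []
    if parent in OFFICE_APPS and image in SHELLS:
        findings.append("office-spawned-shell")      # macro -> PowerShell/cmd
    if parent == "wmiprvse.exe" and image in SHELLS:
        findings.append("wmi-spawned-shell")         # WMI-driven execution
    if any(t in image for t in TOOL_NAMES):
        findings.append("dual-use-tool:" + image)    # PsExec, Ammyy, Mimikatz...
    if image == "powershell.exe" and PS_CUES.search(event["cmdline"]):
        findings.append("suspicious-powershell-args")
    return findings

def flag_suspicious(events):
    """Index and findings for every event that triggers at least one rule."""
    hits = [(i, classify(e)) for i, e in enumerate(events)]
    return [(i, f) for i, f in hits if f]
```

Lineage rules like these catch the abuse of trusted binaries that signature-based antivirus misses; in practice they would be fed from Sysmon Event ID 1 or Windows Security 4688 rather than from an inline list.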

Attackers collected credit card information and executed money transfers via the SWIFT system. As seen in previous Odinaff attacks, the malware is able to hide logs and SWIFT messages related to the fraudulent transactions made by the attackers.

Two other Turkish banks may also have been compromised using the same attack method; however, no official statements had been made at the time of writing.

The largest identified share of Odinaff attacks was against financial targets (34%); experts also observed a small number of attacks against organizations in the securities, legal, healthcare, and government sectors.

“Around 60 percent of attacks were against targets whose business sector was unknown, but in many cases these were against computers running financial software applications, meaning the attack was likely financially motivated,” explained Symantec.

For further details, including the indicators of compromise, take a look at the analysis published by Symantec.

Written by: Alper Başaran

About the Author: Alper Başaran is a Hacker and Penetration Tester (Buccaneer of the Interwebs) and owns the Turkish blog alperbasaran.com.

Alper Başaran provides business-process-focused and goal-oriented penetration testing services to his customers. Based in Turkey, he has expanded his operations to the Middle East.


Edited by Pierluigi Paganini

(Security Affairs – Odinaff malware, banking)
