For years we have witnessed the pace at which technology advances. This progress not only generates business opportunities for multinational companies with soaring revenues; for many entrepreneurs and visionaries, this advance has meant a source of income and a livelihood.
This is the case of the well-known “FinTechs” ("Financial Technologies"), which focus on offering financial services and therefore concentrate their efforts on surviving in competition with traditional banking. However, large banks do not always see FinTechs as a threat. Some seek to make use of their solutions, incorporating them to give customers added value on top of traditional banking services, while others have promoted or financed them.
Companies of this type are managing to open the minds of the users who normally carry out financial activity over the internet, dissociating themselves from a conservative banking mentality and directly handling their business activities through a new digital paradigm that's on the rise.
As we know, not all banks offer online solutions that allow us to operate from our smartphones or personal computers, and often those that do offer these types of alternatives do not cover all our needs.
It is not surprising that cybercriminals are beginning to set their sights on FinTech companies. The first attacks through malware and phishing websites have already been sighted.
Malware affecting FinTechs
In March of this year, the company Palo Alto Networks first found a malware sample designed to affect FinTech-type financial entities. The sample belonged to a malware family already known by the name of 'Cardinal RAT', which in this new version began to take an interest in Israeli FinTech entities dedicated to the development of software solutions for 'forex' and cryptocurrency trading.
Being a RAT (Remote Access Tool), this Trojan employs the usual capabilities of this type of tool:
- Logging of keystrokes (for theft of credentials, in addition to other data typed in by the victim)
- Theft of system information
- Execution of commands
- Browser cookie cleaning
- Download and execution of new modules
- Taking screenshots
- Trojan updating and uninstalling
This malware is installed on the victim's system through malicious Excel document macros. These documents are usually distributed through fake emails that claim to be legitimate. Thus, it follows the usual distribution scheme used by other banking Trojans for Windows.
With regard to the malware's technical operation, it does not incorporate major developments in the field of data and credential theft, as it mainly uses a keylogger to record which keys are pressed.
However, the way it achieves execution of the final payload in charge of data theft does stand out. The malicious binary downloaded through Excel macros is really a dropper, which is responsible for installing the malicious binary in the system.
During this first phase of installation, the dropper decrypts a DLL that it carries in its resources section, camouflaged as if it were an image.
False image in the resources section
This false image is decrypted and the resulting DLL is loaded to start the malware installation process. The installation consists of copying the binary to a path under %APPDATA%. Some of the samples have used:
- %APPDATA%\Local\Microsoft Help\Services\[RANDOM].exe
As we can see, the installation always occurs under %APPDATA%, although the subfolder may vary, depending on the sample analyzed. Even so, it seems that it usually chooses subfolders that contain the word 'Microsoft', probably in an attempt to hide in case the user finds the folder, so they do not suspect that it is anything other than a legitimate system folder.
During this installation stage, an LNK file is also created in the user's home folder, as a persistence mechanism for it to run with each system restart. The content is usually something like:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden "%APPDATA%\[INSTALL_PATH]\[BINARY].exe"
This ensures that the Trojan is executed each time the computer is started, using the '-windowstyle' parameter to avoid creating a window that would make the user suspicious.
Once installed, the next step is to execute the malicious payload in charge of stealing data, and remain ready for orders from the control server. For the execution of the payload, this Trojan implements a technique known as 'Process Hollowing'. This technique is mainly based on the execution of a legitimate system binary in suspended mode, so that the Trojan can replace the legitimate code loaded in memory with the malicious code.
After modifying the legitimate binary code, the malware will make the process in suspended mode start running, which triggers the execution of the malicious code instead of the legitimate code. The malware is able to hide itself this way, since it appears that a legitimate system binary is running.
Code responsible for choosing the legitimate executable and performing 'Process Hollowing'
As we can see in the above image, the binaries in the list of candidate host executables are tried one by one to perform 'Process Hollowing'. There should be no obstacles to using either of the first two: 'RegSvcs.exe' and 'RegAsm.exe'. So we will find one of these two binaries running in an infected system.
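The two host-side traces described above, the hidden PowerShell command stored in the shortcut and a 'RegSvcs.exe' or 'RegAsm.exe' process started by a binary under %APPDATA%, can be looked for in process-creation telemetry. The following Python is an added example, not code from the original article or from the malware analysis. The record layout (image, command line, parent image), the sample records, the 'alice' profile and the 'svc.exe' file name are constructed assumptions, the parent-path rule is a heuristic derived from the description above, and the check goes slightly beyond the text by also matching abbreviated forms of '-windowstyle'.

```python
import ntpath
import re

HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe"}  # hosts named in the article
# %APPDATA% as written in the shortcut, or expanded as it appears in logs.
APPDATA = re.compile(r"%appdata%|\\appdata\\", re.IGNORECASE)
EXE_IN_APPDATA = re.compile(r'(%appdata%|\\appdata\\)[^"]*\.exe', re.IGNORECASE)

# Constructed sample records: (image, command_line, parent_image).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
NET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
INSTALLED = r"C:\Users\alice\AppData\Roaming\Microsoft Help\svc.exe"
SAMPLE_EVENTS = [
    (PS, 'powershell.exe -w hidden "%s"' % INSTALLED, r"C:\Windows\explorer.exe"),
    (NET + "RegAsm.exe", "RegAsm.exe", INSTALLED),
    (PS, r"powershell.exe -File C:\Scripts\backup.ps1", r"C:\Windows\explorer.exe"),
    (NET + "RegSvcs.exe", r"RegSvcs.exe C:\Build\App.dll", r"C:\Build\agent.exe"),
]

def has_hidden_window(command_line):
    """True if the command line sets PowerShell's -WindowStyle to Hidden."""
    tokens = command_line.split()
    for flag, value in zip(tokens, tokens[1:]):
        # PowerShell accepts any prefix of a parameter name: -w, -win, ...
        name = flag[1:].lower()
        if flag.startswith("-") and name and "windowstyle".startswith(name):
            if value.strip("\"'").lower() == "hidden":
                return True
    return False

def classify(image, command_line, parent_image):
    """Return the names of the rules one process-creation record matches."""
    hits = []
    exe = ntpath.basename(image).lower()
    if (exe == "powershell.exe" and has_hidden_window(command_line)
            and EXE_IN_APPDATA.search(command_line)):
        hits.append("hidden-powershell-runs-appdata-exe")
    # Heuristic: a hollowing host whose parent lives under the user profile.
    if exe in HOLLOW_HOSTS and APPDATA.search(parent_image):
        hits.append("hollowing-host-started-from-appdata")
    return hits

def scan(events):
    """Map each record index to its rule hits, omitting clean records."""
    return {i: h for i, e in enumerate(events) if (h := classify(*e))}

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index][0], hits)
```

Both rules only narrow down candidates: legitimate software also runs executables from the user profile, so a hit is a lead for triage rather than a verdict.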
In the above images of the Trojan code we can also observe that, in addition to the complexity of how it executes the malicious code and avoids detection, it is heavily obfuscated, including the names of functions and classes. This makes analysis of the sample very difficult.
Finally, after replacing the legitimate code with the malicious code, it initiates the keylogger module and starts communication with the control server to send information about the victim's system, after which it awaits commands to execute.
Several Trojan parameters are included in the resource 'GreyCardinalConfig'. In it, we can find different parameters that the Trojan will use during its execution, such as the address or domain of the control server, the encryption key used to encrypt the communication, or whether certain functionalities (such as the keylogger module or the sandbox detection) should run.
After the discovery and analysis of the 'Cardinal RAT' remote access Trojan, we can see that attackers do not only target banking entities; any other financial entity can also be in their sights.
The attackers seek to obtain maximum benefit from their creations, so it is normal for them to try to find new targets for their attacks. In this case, FinTech entities have been chosen and, to judge by their increasing popularity, it is very likely that new versions of classic and future families of banking Trojans will not only focus on banking entities, but that they will also show their interest in these types of financial institutions.
Although we have focused on malware-related threats, we cannot forget about phishing attacks. Some of these have also been detected affecting different FinTech companies, and are a form of attack more directed at their users.
Looking ahead, we must be attentive and prepared to protect ourselves from threats and attacks that try to steal login credentials and, ultimately, any kind of sensitive information that is available in our FinTech services. The attackers seek economic profit and the FinTechs expand the range of financial institutions that cybercriminals can aspire to assault.