Polish banks hit by malware seemingly spread by government website

Customers’ bank accounts appear unaffected.

David Bisson
@DMBisson

Several Polish financial institutions came down with a case of undocumented malware after their employees visited the website of the government’s regulatory authority.

It all started near the beginning of February, when an unnamed Polish bank detected malware on one of its workstations. That financial institution analyzed the malware, established indicators of compromise (IoCs), and shared those details with other organizations in the industry. At least 20 other Polish banks found that their systems tested positive for those IoCs.

An investigation into what caused these infections remains ongoing. Even so, preliminary analysis suggests the malware activated when bank employees visited the website of the nation’s financial regulatory body, the Polish Financial Supervision Authority (www.knf.gov.pl). It appears that attackers modified a JavaScript (.js) file hosted on the authority’s web server. This unauthorized code caused visitors to www.knf.gov.pl to download a file which, in turn, loaded a remote access trojan (RAT).
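The tampered-script vector described above is one a site operator can watch for by baselining the hashes of every JavaScript file it serves and alerting on any drift. The following is an added example written for this article, not code from the story or from any of the organizations it names; the web root layout and file contents are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large bundles do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(webroot: Path) -> dict:
    """Record the known-good hash of every .js file under the web root."""
    return {p.relative_to(webroot).as_posix(): sha256_of(p)
            for p in sorted(webroot.rglob("*.js"))}


def compare(webroot: Path, known: dict) -> dict:
    """Report scripts whose content changed, appeared, or vanished since the baseline."""
    current = baseline(webroot)
    return {
        "modified": sorted(k for k in known if k in current and current[k] != known[k]),
        "added": sorted(k for k in current if k not in known),
        "removed": sorted(k for k in known if k not in current),
    }


def demo() -> dict:
    # Constructed sample web root: two legitimate scripts, baselined, then tampered with.
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "js").mkdir()
        (root / "js" / "app.js").write_text("console.log('site');\n")
        (root / "js" / "vendor.js").write_text("var x = 1;\n")
        known = baseline(root)
        # Simulate an unauthorized edit to a hosted script and a new script being dropped.
        (root / "js" / "app.js").write_text("console.log('site');\n/* constructed tampered content */\n")
        (root / "js" / "extra.js").write_text("// constructed new file\n")
        return compare(root, known)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be stored off the web server (so an intruder who can edit scripts cannot also rewrite the reference hashes) and the comparison scheduled or hooked into deployment.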

[Image: Polish Financial Supervision Authority website.]

The security researchers at BadCyber explain in greater detail:

“After successful exploitation malware was downloaded to the workstation, where, once executed, connected to some foreign servers and could be used to perform network reconnaissance, lateral movement and data exfiltration. At least in some cases the attackers managed to gain control over key servers within bank infrastructure.”

Little is known about the malware other than the fact that the final payload behaves like a regular RAT. Upon initial infection, anti-virus solutions failed to detect the malware. Its use of obfuscation, encryption, and multiple stages further suggests its authors don’t want anyone peering inside their crimeware.

While the KNF and the rest of the nation’s financial industry continue to look into this matter, Polish Bank Association spokesman Przemyslaw Barbrich wants to reassure customers that the malware hasn’t affected their savings. As quoted by Cashless and rendered in English by Google Translate:

“The main thing that customers do not have to fear for their savings. Banking systems operate normally, clients’ money is safe. We co-operate with the police and law enforcement authorities to identify the perpetrators. [sic]”

But that doesn’t mean the attackers didn’t steal information from the banks. Some victim organizations reported encrypted transfers of their data to unfamiliar servers. This could mean further losses are on the horizon.

To prevent similar incidents from happening, banks everywhere – especially in Poland – should use the malware’s indicators of compromise to protect themselves and their customers.



David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
