Several Polish financial institutions came down with a case of undocumented malware after their employees visited the website of the government’s regulatory authority.
It all started near the beginning of February, when an unnamed Polish bank detected malware on one of its workstations. That financial institution analyzed the malware, established indicators of compromise (IoCs), and shared those details with other organizations in the industry. At least 20 other Polish banks found that their systems tested positive for those IoCs.
An investigation into what caused these infections remains ongoing. Even so, preliminary analysis suggests the malware was delivered when bank employees visited the website of the nation’s financial regulatory body, the Polish Financial Supervision Authority (www.knf.gov.pl). It appears that attackers modified a JavaScript (.js) file hosted on the authority’s web server. This unauthorized code forced visitors of www.knf.gov.pl to download a file which, in turn, loaded a remote access trojan (RAT).
The security researchers at BadCyber explain in greater detail:
“After successful exploitation malware was downloaded to the workstation, where, once executed, connected to some foreign servers and could be used to perform network reconnaissance, lateral movement and data exfiltration. At least in some cases the attackers managed to gain control over key servers within bank infrastructure.”
Little is known about the malware other than the fact that the final payload behaves like a regular RAT. Upon initial infection, anti-virus solutions failed to detect the malware. Its use of obfuscation, encryption, and multiple stages further suggests its authors don’t want anyone peering inside their crimeware.
While the KNF and the rest of the nation’s financial industry continue to look into this matter, Polish Bank Association spokesman Przemyslaw Barbrich wants to reassure customers that the malware hasn’t affected their savings. As quoted by Cashless and rendered in English by Google Translate:
“The main thing that customers do not have to fear for their savings. Banking systems operate normally, clients’ money is safe. We co-operate with the police and law enforcement authorities to identify the perpetrators. [sic]”
But that doesn’t mean the attackers didn’t steal information from the banks. Some victim organizations reported encrypted transfers of their data to unfamiliar servers. This could mean further losses are on the horizon.
To prevent similar incidents from happening, banks everywhere – especially in Poland – should use the malware’s indicators of compromise to protect themselves and their customers.