Interbank payment network Swift is warning banks to beware of a new breed of malware that hides fraudulent transactions on banks' local client interface systems, and which may have been used by the unknown hackers who recently stole $81 million from Bangladesh Bank.
Late last week, police investigating the attack in Bangladesh said the central bank was vulnerable to hackers because it did not have a firewall and used second-hand, $10 routers to network computers connected to the Swift payment network.
Researchers at BAE Systems now say that after gaining administrative rights at Bangladesh Bank, the hackers installed a piece of malware named evtdiag.exe, which covered their tracks by altering information on transfer requests made via Swift in the client interface the bank uses to track those requests.
The malware not only hid the fraudulent transactions but also intercepted Swift confirmation messages sent to the printer, replacing the fraudulent transaction details with innocuous doctored copies of the messages.
In a blog post explaining its findings, BAE Systems' Sergei Shevchenko says: "The technical details of the attack have yet to be made public, however we've recently identified tools uploaded to online malware repositories that we believe are linked to the heist. The custom malware was submitted by a user in Bangladesh, and contains sophisticated functionality for interacting with local Swift Alliance Access software running in the victim infrastructure."
Swift has moved to distance itself from the furore, insisting that the malware has no impact on its core network or messaging services.
In a statement, the Society says: "We understand that the malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security."
The bank-owned co-operative says it has "developed a facility" to assist customers in enhancing their security and to spot inconsistencies in their local database records.
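Swift's statement above says the malware hides fraudulent payments in customers' local database applications, and that its new facility helps customers spot inconsistencies in those local records. The following is an added example of that kind of check, written for this page; it is not code from Swift, BAE Systems or the Alliance Access product. It reconciles a local message store against an independent record obtained outside the compromised interface (for instance the correspondent bank's statement), and computes a digest that, stored off the interface host, would expose later edits or deletions of the kind described for evtdiag.exe. The Transfer record, its field names and the sample transfers are constructed for illustration and do not represent the Alliance Access schema.

```python
"""Reconcile a local Swift-message store against an independent record.

Added example, not code from the article, Swift or BAE Systems. The Transfer
record and the sample data are constructed simplifications for illustration;
they do not represent the Alliance Access database schema.
"""
import hashlib
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Transfer:
    ref: str            # transaction reference (assumed unique per message)
    beneficiary: str    # beneficiary account or name
    currency: str
    amount: Decimal


# Constructed: what the (possibly tampered) local database reports was sent.
LOCAL_DB = [
    Transfer("REF001", "ACME LTD", "USD", Decimal("250000.00")),
    # REF002 is absent here: a transaction hidden from the local view.
    Transfer("REF003", "GLOBEX CORP", "USD", Decimal("1000.00")),   # amount altered
    Transfer("REF004", "INITECH", "EUR", Decimal("40000.00")),      # never confirmed
]

# Constructed: an independent record, e.g. the correspondent bank's statement
# or confirmations obtained out of band rather than via the local interface.
INDEPENDENT = [
    Transfer("REF001", "ACME LTD", "USD", Decimal("250000.00")),
    Transfer("REF002", "UNKNOWN BENEFICIARY", "USD", Decimal("20000000.00")),
    Transfer("REF003", "GLOBEX CORP", "USD", Decimal("1000000.00")),
]


def reconcile(local, independent):
    """Compare the local store with the independent record.

    Returns sorted (ref, finding) pairs:
      "missing locally" - the counterparty saw a transfer the local DB lacks
      "mismatch"        - same reference, but beneficiary/currency/amount differ
      "not confirmed"   - the local DB claims a transfer nobody else saw
    """
    local_by_ref = {t.ref: t for t in local}
    indep_by_ref = {t.ref: t for t in independent}
    findings = []
    for ref, theirs in indep_by_ref.items():
        ours = local_by_ref.get(ref)
        if ours is None:
            findings.append((ref, "missing locally"))
        elif (ours.beneficiary, ours.currency, ours.amount) != (
                theirs.beneficiary, theirs.currency, theirs.amount):
            findings.append((ref, "mismatch"))
    for ref in local_by_ref:
        if ref not in indep_by_ref:
            findings.append((ref, "not confirmed"))
    return sorted(findings)


def record_digest(records):
    """SHA-256 over a canonical, order-independent rendering of the records.

    Write this digest to a system the interface host cannot modify (e.g. a
    separate log server) at each cut-off; a later recomputation that differs
    means records were edited or deleted on the host in the meantime.
    """
    lines = sorted(f"{t.ref}|{t.beneficiary}|{t.currency}|{t.amount}" for t in records)
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


def outgoing_total(records, currency):
    """Sum of amounts in one currency; a quick sanity check against the statement."""
    return sum((t.amount for t in records if t.currency == currency), Decimal("0"))


if __name__ == "__main__":
    for ref, finding in reconcile(LOCAL_DB, INDEPENDENT):
        print(f"{ref}: {finding}")
    print("local USD total      :", outgoing_total(LOCAL_DB, "USD"))
    print("independent USD total:", outgoing_total(INDEPENDENT, "USD"))
    print("local digest matches independent:",
          record_digest(LOCAL_DB) == record_digest(INDEPENDENT))
```

The point of the design is that neither the independent record nor the stored digest passes through the host the malware controls: a tampered local database can agree with doctored printouts from the same host, but it cannot agree with a statement the correspondent produced or a hash kept elsewhere. On the constructed data the run flags REF002 as missing locally, REF003 as a mismatch and REF004 as unconfirmed, and the USD totals differ by the hidden and altered amounts.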
While the malware appears to have tampered with the Swift-supplied client interface software, Swift maintains that banks must take all necessary precautions to lock down their own systems.
Says Swift: "The key defence against such attack scenarios remains for users to implement appropriate security measures in their local environments to safeguard their systems - in particular those used to access Swift - against such potential security threats."
BAE Systems' Shevchenko reiterates the warning: "The tools are highly configurable and given the correct access could feasibly be used for similar attacks in the future. All financial institutions who run Swift Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed."