Attackers who pulled off the massive bank fraud at the Bangladesh Bank in February did so by using custom malware and attack tools that were able to monitor the internal messages that conduct financial transactions, delete certain messages, and then insert others to send money to accounts they control, researchers say.
The tools targeted the SWIFT system, a platform that thousands of banks around the world use to exchange information on transactions, and researchers at BAE Systems in the U.K. said the toolkit is highly customizable and could be used in other attacks. The operation that targeted the Bank of Bangladesh in February involved attempted fraudulent transfers of more than $950 million, and $81 million of that is still gone. SWIFT (Society for World Interbank Financial Telecommunications) is a bank-owned consortium, and it provides client software for banks to use, though not all banks use the Alliance Access software.
Alliance Access is the system the attackers targeted in the Bank of Bangladesh operation, and the BAE researchers said they have identified some of the tools the attackers used.
“The custom malware was submitted by a user in Bangladesh, and contains sophisticated functionality for interacting with local SWIFT Alliance Access software running in the victim infrastructure,” an analysis of the tools by Sergei Shevchenko of BAE Systems says.
“This malware appears to be just part of a wider attack toolkit, and would have been used to cover the attackers’ tracks as they sent forged payment instructions to make the transfers. This would have hampered the detection and response to the attack, giving more time for the subsequent money laundering to take place.”
SWIFT released a statement on Monday, saying that the malware used in this attack doesn’t have an effect on SWIFT’s core network.
“We understand that the malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security,” the statement says.
Once on the bank’s network, the malware registers as a service runs in the Alliance Access environment. The tool has some specific jobs, and Shevchenko said he believes it was written specifically for the attack on the Bank of Bangladesh.
“The main purpose is to inspect SWIFT messages for strings defined in the configuration file. From these messages, the malware can extract fields such as transfer references and SWIFT addresses to interact with the system database. These details are then used to delete specific transactions, or update transaction amounts appearing in balance reporting messages based on the amount of Convertible Currency available in specific accounts,” Shevchenko said.
The malware looks for processes with with a specific DLL loaded in it and then will replace two specific bytes with other instructions, which essentially trick the process into thinking an important check has been done. The targeted DLL is part of the SWIFT Alliance Access software and is responsible for performing a number of tasks related to the Oracle database associated with the SWIFT client. The change gives the attacker the authority to execute database transactions.
With that authority, the malware has the ability to monitor and manipulate balances for various accounts and also can intercept and replace confirmation messages that are generated for transactions. The attackers also went to a lot of trouble to cover their tracks and Shevchenko said the tools they used could be used in other attacks on banks that use the SWIFT Alliance Access client.
“This malware was written bespoke for attacking a specific victim infrastructure, but the general tools, techniques and procedures used in the attack may allow the gang to strike again. All financial institutions who run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed,” he said.