October 11, 2016
Symantec has discovered evidence that a new trojan that’s predominantly targeting the banking sector has ties with Carbanak, a cybercrime gang responsible for stealing more than $1 billion from 100 banks across 30 countries in 2013 and 2014.
Identified for the first time in January 2016, this new trojan, named Odinaff, has been discovered on compromised networks of various companies activating mainly in the banking sector, but also the securities, trading, and payroll verticals.
While Symantec says it found the trojan on computers in companies activating in various industries, almost all computers ran financial software applications, showing the group’s penchant for financially-motivated attacks.
Odinaff spread via malicious docs
Symantec says the crooks use spear-phishing emails, targeting selected individuals with carefully crafted emails that contain malicious Word documents.
These booby-trapped documents help the crooks install the Odinaff malware, which according to researchers, is a relatively simple tool.
Researchers say the trojan’s main purpose is to get a foothold on infected computers, gain boot persistence, and then download other malicious software, to facilitate more complex attacks.
Some of the tools Symantec says it observed Odinaff download include the Mimikatz password-dumping application, the PsExec process execution toolkit, the Netscan network scanner, the Ammyy Admin remote desktop utility, and Runas, a tool for running processes as another user.
Odinaff infrastructure connected with previous Carbanak attacks
In some cases, Symantec says Odinaff downloaded the Batel backdoor trojan, a tool deployed in past Carbanak attacks, used mainly by the group.
Besides Batel, Symantec says Odinaff used three C&C server IP addresses connected to previous Carbanak attacks. Furthermore, one IP address was tied to the recent Oracle MICROS security breach, an attack attributed to the Carbanak gang by security researcher Brian Krebs.