The discovery of malware on computers and servers of several Polish banks has put the country’s financial sector on alert over potential compromises.
Polish media reported last week that the IT security teams at many Polish banks have been busy recently searching their systems for a particular strain of malware after several unnamed banks found it on their computers.
It’s not clear what the malware’s end goal is, but in at least one case it was used to exfiltrate data from a bank’s computer to an external server. The nature of the stolen information could not be immediately determined because it was encrypted, Polish IT news blog Zaufana Trzecia Strona reported Friday.
To make things worse, it’s believed that the likely point of infection was the website of the Polish Financial Supervision Authority, a government watchdog for the banking sector. Independent cybersecurity outfit BadCyber found evidence that the agency’s website has had malicious JavaScript code injected into it since October until a few days ago, when the entire website was taken offline.
After the malware program is downloaded and executed on a computer, it connects to remote servers and can be used to perform network reconnaissance, lateral movement and data exfiltration, the BadCyber researchers said in a blog post.
The malware is similar to other crimeware tools, but has not been documented before. According to BadCyber, it has multiple stages and obfuscation layers and is not detected by most antivirus solutions. The final payload exhibits remote access Trojan (RAT) functionality.
The cybersecurity outfit has shared file hashes and command-and-control IP addresses associated with the threat in their blog post.
The Polish Financial Supervision Authority did not immediately respond to a request for comment and neither did the Polish Computer Emergency Response Team (CERT Polska).
The www.knf.gov.pl website, which is suspected to be the source of the malware infection, currently displays a temporary page informing visitors that access to the website is blocked.
If this scenario is true, it would be a classic watering hole attack, where hackers compromise and host malicious code on websites that are of interest to their intended victims.
There is no indication at this time that funds have been stolen or that customers’ accounts have been put at risk. However, the number of attacks against banks and other financial institutions has increased over the past two years.
There are now cybercriminal groups that specialize in hacking into banks’ computer networks. Some of them wait for months inside the compromised networks before they start stealing money. During this time they carefully observe and gather information about the target’s internal procedures, money moving processes, and key employees.
“We should expect that cybercriminals will find more creative and reliable ways to compromise their victims,” said Ilia Kolochenko, CEO of cybersecurity firm High-Tech Bridge. “Trustworthy websites, such as governmental ones, represent great value for cybercriminals, even if they don’t host any sensitive or confidential data.”