There is a new malware in the town. Unearthed by Symantec, Trojan.Odinaff starting January 2016 has been targeting a number of financial organizations across the globe. A peculiar thing about this malware is that it is selectively targeting organizations that deal in banking, trading, securities and payroll sectors. The malware is also targeting the organizations that provide support and service to these financial firms.
Symantec revealed that Odinaff is deployed in the first stage of an attack so as to gain a ground in the network thereafter providing a persistent presence and the ability to to install and execute additional tools to the target network. The sophistication of the attack and the tools used in Odinaff highly resemble those of a previously known threat actor who has menacingly targeted financial sector at least since 2013 Carbanak. Similarly the Odinaff attacks have also been found to use the same infrastructure that was used in Carbanak APT campaign. The sophisticated and large scale coordinated attacks point to a group of hackers behind it and rule out the possibility of a lone threat actor. Also the tools used in the attacks signify that there has been a lot of investment in their development.
Source : Symantec
The Odinaff attackers intrude into the networks using many methods. The most commonly used method involves using social engineering through emails that contain malicious macro documents. Once the recipient enables macros as directed in the email, the macros starts installing Odinaff Trojan on their system. In another attack method, password protected RAR archives are used to lure the victims into installing the malware. As per Symantec, most probably spear-phishing emails are used in this email. There is another method that has been observed in which trojan is distributed using botnets. In these cases Trojan is installed in the computers that are already infected with malware such as Andromeda and Snifula.
Odinaff upon installation connects to the remote server and checks out for the command every five minutes. It thereupon downloads RC4 encrypted files, executes them and also issues shell commands. Evidence of Odinaff being used against SWIFT users has also been found. Apparently the malware was being used to hide customer’s own records of SWIFT messages relating to fraudulent transactions.