Hackers are leveraging increasingly sophisticated keyloggers to target finance industry

As the financial industry becomes more adept at detecting and blocking security threats, attackers are now leveraging increasingly sophisticated malware to infiltrate targeted systems, researchers have discovered. Lastline researchers have spotted three different strains of keylogger malware that are currently targeting finance firms.

Researchers have detected an unusually large number of iSPY keylogger samples, which is a variant of the well-known HawkEye keylogger.

HawkEye captures and sends users’ key logs and acquired credentials to a server under the keylogger operator’s control. Intercepting the communication with the C2 server, researchers detected the active exfiltration of website, email and FTP credentials, as well as license key information.

Analyzing 30 days worth of threat data targeting the financial sector, researchers also spotted two two other samples - namely Emotet and URSNIF - being delivered via Microsoft Office documents and rich text format files. Over the years, these samples have evolved with additional features such as lateral movement support, additional credential theft and spamming.

These two strains of malware included an evasion module to detect dynamic analysis environments and common methods to infiltrate financial transactions like man-in-the-middle sniffing capabilities and hijacking automated transfer payments. One in ten of the analysed malware were found exhibiting advanced behaviour and 20% of them were found targeting financial sectors.

“We definitely detected a higher than usual incident of very sophisticated malware,” Andy Norton, Lastline Director of Threat Intelligence, said. “This is not surprising considering that finance has long been a target for cybercriminals and accordingly has elevated their security capabilities. Because of this, criminals are forced to up their game, which was very clearly seen in these recent samples.”

The Lastline report comes just days after the Accenture study, done in collaboration with the Ponemon Institute, found that the average number of breaches at financial services companies has more than tripled, from 40 in 2012 to 125 breaches in 2017.

“With companies in the financial sector getting better at blocking ordinary threats, attackers have begun going after them with more sophisticated malware,” researchers noted.

To stay ahead of emergent threats, financial organizations and finance groups at enterprise need to incorporate highly advanced controls to inspect the behavior of objects entering the internal environment rather than relying simply on existing controls and user awareness, Norton noted.

"The finance industry is facing a more sophisticated threat than is encountered by a wider audience," Norton said. "They need to understand that more stringent security doesn’t make the threat go away; it only changes the nature of the threat."