A new type of phishing email attack, targeting enterprises with emails disguised as SWIFT financial messaging notifications, was discovered this month by Comodo Threat Research Lab.
SWIFT (Society for Worldwide Interbank Financial Telecommunication) messaging services are used by around 11,000 banks, securities organizations and corporate customers. Cybercriminals are now exploiting the SWIFT name to target enterprises, sending phishing emails that drop malware into their inboxes.
The attackers send an email with an attachment and ask the recipient to open it for details of an amount that has supposedly been transferred to their account. The attachment actually carries malware (Trojan.JAVA.AdwindRAT), which infects the user's system when the file is opened.
Once on the system, the malware can modify the registry, spawn several processes and attempt to terminate antivirus and anti-adware processes. It also drops further malicious files in order to connect to a domain over a hidden, encrypted network.
Comodo has warned that the malware can disable the Windows System Restore option and User Account Control. It works as a cyberspy, allowing the attackers to spy on the system and gather information about the enterprise network and its endpoints.
Once the attackers have that network information, they can push additional malware into the system to steal some of the organization's most confidential data.
Comodo reasoned that the hackers use SWIFT as camouflage because of typical human psychology: money, and bank account affairs in particular, provoke emotional arousal.
“By contrast, any emotional arousal causes critical thinking reduction—and the chances that the target will click on the malicious bait rises significantly. When it comes to an enterprise’s financial accounts, the emotions rise even more. If an employee receives an email, they will be afraid to not open it. What if they pass up something very important for the enterprise? Could they be punished for not looking into that email? Consequently, the chances that a potential victim will click on the infected file grow,” explained researchers from Comodo Threat Research.
The attacks were launched from IPs based in the Netherlands, Cyprus and Turkey on 9th February 2018, using the email address JoeH@snovalleyprocess.com. However, the domain name used in the email does not actually exist.
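The two observable traits of this campaign, a payment-notification lure carrying an executable attachment (here a Java RAT dropper) and a sender domain that does not exist, can both be checked at the mail gateway before anyone opens the file. The following is an added defender-side example written for this article; it is not Comodo's code and not a description of the real campaign email. The sample message, the attachment names, the keyword list and the fake resolver are all constructed for the demo, and the extension list is an assumed starting point rather than a complete policy.

```python
"""Triage of a SWIFT-themed phishing email: flags executable attachments (including
those nested one level inside a zip), money-transfer lure wording, and a sender
domain that does not resolve in DNS. Constructed example, not the campaign itself."""
import io
import os
import re
import socket
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from typing import List

# Extensions an Adwind-style Java dropper or similar payload typically uses.
# Assumption: this is a starting list for the demo, not an exhaustive policy.
RISKY_EXTENSIONS = {".jar", ".exe", ".js", ".vbs", ".scr", ".hta"}

# Wording characteristic of the "money has been transferred to your account" lure.
LURE_PATTERNS = [r"\bswift\b", r"\btransfer(?:red)?\b", r"\bamount\b", r"\baccount\b"]


def build_sample_eml() -> bytes:
    """Constructed sample message (not the real campaign mail): a payment-notice
    body with a zip attachment wrapping a stub .jar. The .invalid TLD is a
    placeholder that never resolves."""
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("swift_copy.jar", b"stub bytes, not a real Java archive")
    msg = EmailMessage()
    msg["From"] = "payments@example-sender.invalid"
    msg["To"] = "finance@example-target.invalid"
    msg["Subject"] = "SWIFT transfer confirmation"
    msg.set_content("Please open the attached SWIFT copy for the amount transferred to your account.")
    msg.add_attachment(zip_buf.getvalue(), maintype="application", subtype="zip",
                       filename="swift_copy.zip")
    return msg.as_bytes()


def attachment_names(msg: EmailMessage) -> List[str]:
    """Return attachment file names, descending one level into zip archives."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        names.append(name)
        if name.lower().endswith(".zip"):
            data = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    names.extend(f"{name}/{inner}" for inner in zf.namelist())
            except zipfile.BadZipFile:
                names.append(f"{name}/<unreadable zip>")
    return names


def risky_attachments(names: List[str]) -> List[str]:
    """Keep only names whose extension is on the risky list."""
    return [n for n in names if os.path.splitext(n)[1].lower() in RISKY_EXTENSIONS]


def lure_hits(text: str) -> List[str]:
    """Return the lure patterns that occur in the subject plus body text."""
    lowered = text.lower()
    return [p for p in LURE_PATTERNS if re.search(p, lowered)]


def sender_domain(msg: EmailMessage) -> str:
    """Domain part of the From header (empty string if none)."""
    addr = msg.get("From", "")
    return addr.rsplit("@", 1)[-1].strip("> ").lower() if "@" in addr else ""


def domain_resolves(domain: str, resolver=socket.gethostbyname) -> bool:
    """True if the domain has an address record. The resolver is injectable so
    the check can run offline; the demo passes a fake NXDOMAIN resolver."""
    try:
        resolver(domain)
        return True
    except (socket.gaierror, OSError):
        return False


def triage(raw: bytes, resolver=socket.gethostbyname) -> dict:
    """Score one raw RFC 822 message and return the evidence plus a verdict."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    names = attachment_names(msg)
    risky = risky_attachments(names)
    hits = lure_hits(text)
    resolves = domain_resolves(sender_domain(msg), resolver)
    # Executable payload plus money-themed wording is enough to quarantine;
    # a sender domain that does not resolve raises the score further.
    score = len(risky) * 2 + len(hits) + (0 if resolves else 2)
    verdict = "quarantine" if risky and hits else ("review" if score >= 3 else "deliver")
    return {"attachments": names, "risky": risky, "lure_hits": hits,
            "sender_resolves": resolves, "score": score, "verdict": verdict}


def fake_resolver_nxdomain(domain: str) -> str:
    """Stand-in for DNS in the offline demo: behaves like a nonexistent domain."""
    raise socket.gaierror(f"constructed NXDOMAIN for {domain}")


if __name__ == "__main__":
    print(triage(build_sample_eml(), resolver=fake_resolver_nxdomain))
```

The verdict deliberately does not depend on the DNS check alone: a lookup can fail for transient reasons, so a nonexistent sender domain only adds to the score, while an executable inside a zip combined with transfer wording is treated as sufficient on its own.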