Taiwan Bank Heist and the Role of Pseudo Ransomware

Widespread reports claim the Far Eastern International Bank in Taiwan has become a victim of hacking. The attacks demonstrate the global nature of cybercrime, with the cybercriminals attempting to wire US$60 million to destinations such as Sri Lanka, Cambodia, and the United States. Recent reports from Sri Lanka say that two individuals have been arrested for suspected money laundering after a tip-off from the Bank of Ceylon, which reported a suspicious transfer of $1.2 million from the Far Eastern International Bank.

On Saturday October 7, Far Eastern International Bank reported that it had recovered most of the money and that overall losses could reach $500,000.

How did the attack happen?

Based on the initial intelligence we have received, the first direct interaction with the victim began with spear phishing attacks that contained “backdoor” attachments.

Figures 1 and 2 provide some examples of the attachments.

Figure 1: Spear phishing attachment.

Figure 2: Spear phishing attachment.

When the victim clicks on the link, they are redirected to a malicious site that downloads additional files to the victim’s computer. One example of these malicious sites is hxxps://jobsbankbd.com/maliciousfilename.exe.

This site hosts another backdoor that gives the criminals access to the victim’s system in the bank.

Once the criminals gain access to the systems, our initial analysis reveals that the attackers harvested credentials. This was confirmed by evidence we found in a sample that contained the following credentials from the bank:

  • FEIB\SPUSER14
  • FEIB\scomadmin

These credentials are used to create a scheduled task on the system and monitor the running of endpoint security services. (This does not indicate a problem with the security software, only that the attackers did their research and took measures to take out the security software being run within the bank.) We have notified the security provider, and have provided all of our research to date.

Besides the scheduled task and credentials, we discovered another interesting piece of code. Inside the sample was the resource “IMAGE,” which seemed to be a zip file. Once extracted, we found the file aa.txt. Although this appeared to be a text file, it was really an executable.

The file contains code that scans for the installed languages, especially:

  • 419 (Russian)
  • 422 (Ukrainian)
  • 423 (Belarusian)

If these languages are detected, the file will not run. We have seen this behavior before in ransomware families.

When analyzing the strings of this particular file, we discovered some interesting ones:

  • HERMES 2.1 TEST BUILD, press ok
  • HERMES

When executed, the file proved to be ransomware. However, no note or wallpaper indicated that this was ransomware. After the file finished running, only one thing appeared on the desktop:

Figure 3: The final screen of this pseudo ransomware.

And in every directory a file:

The original Hermes ransomware note points toward this file; but in our case, we saw no note, nor demand for ransom. The Hermes ransomware family surfaced in February:

We suspect that this is another example of pseudo ransomware. Was the ransomware used to distract the real purpose of this attack? We strongly believe so.

Based on our sources, the ransomware attack started in the network when the unauthorized payments were being sent.

Where next?

Clearly this was a very carefully crafted attack, and specifically targeted at one bank. The attackers identified specific individuals to email, and understood the security measures being deployed. Although the samples we identified are now covered by our security products, we urge caution in anyone assuming that “I am protected.” The criminals took their time to understand how the bank works and developed the necessary code to enable them to steal millions. An effective security posture must anticipate such highly skilled attackers.

Because this is related an active law enforcement investigation, we are limiting what information we publicly share and will publish further updates only if that does not conflict with a current investigation.

Leave a Comment

20 − 15 =