In February, hackers managed to steal around $81 million from a Bangladeshi bank in one of the largest digital heists in history. On Monday, researchers from BAE Systems published details of what they claim to be a piece of sophisticated, custom-made malware used to cover the hackers' tracks by manipulating logs and forcing printers to produce phony transaction confirmation messages.
"This malware was written bespoke for attacking a specific victim infrastructure, but the general tools, techniques and procedures used in the attack may allow the gang to strike again," security researcher Sergei Shevchenko writes in a blog post. His findings were first reported by Reuters.
The main piece of malware, named evtdiag.exe, targeted Alliance Access, a piece of software which allows banks to connect to the network of the Society for Worldwide Interbank Financial Telecommunication (SWIFT). SWIFT is used for making international financial transactions. According to SWIFT's website, Alliance Access has over 2,000 installations all over the world.
"The tool was custom made for this job, and shows a significant level of knowledge of SWIFT Alliance Access software as well as good malware coding skills," Shevchenko adds.
Once installed, evtdiag.exe inspected SWIFT messages and extracted the information needed to interact with the system's database, Shevchenko explains. These details were then used to update transaction amounts and to delete records of other transactions, such as the outgoing transfers of funds stolen by the hackers. This loop of monitoring messages ran until 6 AM on February 6, 2016, a detail Shevchenko calls noteworthy because the fraudulent transfers are believed to have occurred just two days earlier.
The malware evtdiag.exe also spoofed physical records sent to printers to prevent officials noticing the hackers' activity.
"SWIFT network also generates confirmation messages, and these messages are sent by the software for printing," Shevchenko writes. "If the fraudulent transaction confirmations are printed out, the banking officials can spot an anomaly and then respond appropriately to stop such transactions from happening."
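The tactic described above, deleting and altering local transaction records and suppressing the printed confirmations, is what an independent record is meant to defeat. The following is an added example, not BAE's code or anything from the report: it assumes a hash-chained copy of confirmation messages kept on a separate host the Alliance Access server cannot write to, and reconciles it against the local database to surface deleted or amount-altered records. All sample records are constructed.

```python
import hashlib
import json

# Constructed sample data. CONFIRMATIONS is the independent, append-only copy of
# confirmation messages; LOCAL_DB is the transaction table on the Alliance Access
# host, here with one record deleted (TX1002) and one amount changed (TX1003).
CONFIRMATIONS = [
    {"ref": "TX1001", "beneficiary": "ACME LTD", "amount": "250000.00", "ccy": "USD"},
    {"ref": "TX1002", "beneficiary": "SHELL CO", "amount": "20000000.00", "ccy": "USD"},
    {"ref": "TX1003", "beneficiary": "BLUE INC", "amount": "75000.00", "ccy": "USD"},
]
LOCAL_DB = [
    {"ref": "TX1001", "beneficiary": "ACME LTD", "amount": "250000.00", "ccy": "USD"},
    {"ref": "TX1003", "beneficiary": "BLUE INC", "amount": "75.00", "ccy": "USD"},
]

GENESIS = "0" * 64


def _link(prev_hash, record):
    # Canonical JSON so the same record always hashes the same way.
    payload = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def chain(records, prev_hash=GENESIS):
    """Build a hash chain: each entry commits to the previous entry's hash."""
    out = []
    for record in records:
        prev_hash = _link(prev_hash, record)
        out.append((record, prev_hash))
    return out


def verify_chain(chained, prev_hash=GENESIS):
    """Return False if any entry was edited or removed after it was written."""
    for record, stored_hash in chained:
        if _link(prev_hash, record) != stored_hash:
            return False
        prev_hash = stored_hash
    return True


def reconcile(confirmations, local_db):
    """Flag confirmations whose record is missing or altered in the local database."""
    by_ref = {row["ref"]: row for row in local_db}
    findings = []
    for conf in confirmations:
        local = by_ref.get(conf["ref"])
        if local is None:
            findings.append((conf["ref"], "deleted"))
        elif (local["amount"], local["beneficiary"]) != (conf["amount"], conf["beneficiary"]):
            findings.append((conf["ref"], "altered"))
    return findings
```

Running `reconcile(CONFIRMATIONS, LOCAL_DB)` on the sample data reports TX1002 as deleted and TX1003 as altered, which is exactly the kind of discrepancy the printed confirmations were supposed to expose.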
On Monday, SWIFT will release a patch and publish a warning for financial institutions about the issues, Reuters reports.
Questions still remain about how the malware infection happened in the first place, how exactly the hackers siphoned off the funds, and who was behind this massive heist. Looking up the IP address given by BAE of the malware's command and control server leads to Egypt, but that means little in the way of attribution; criminals often use servers in countries that have no bearing on their actual physical location. The funds were transferred to accounts in the Philippines and then diverted to casinos there, Reuters adds.
"This attacker put significant effort into deleting evidence of their activities, subverting normal business processes to remain undetected and hampering the response from the victim," Shevchenko concludes.