Hackers targeted Banks and 100 organisations

Malware attacks that recently put the Polish banking sector on alert were part of a larger campaign that targeted financial organisations from more than 30 countries.

Researchers from Symantec and BAE Systems linked the malware used in the recently discovered Polish attack to similar attacks that have taken place since October in other countries. There are also similarities to tools previously used by a group of attackers known in the security industry as Lazarus.

The hackers compromised websites that were of interest to their ultimate targets, a technique known as watering-hole attacks. They then injected code into the websites that redirected visitors to a custom exploit kit.

The exploit kit contained exploits for known vulnerabilities in Silverlight and Flash Player; the exploits only activated for visitors who had Internet Protocol addresses from specific ranges.

"These IP addresses belong to 104 different organizations located in 31 different countries," researchers from Symantec said in a blog post recently. "The vast majority of these organisations are banks, with a small number of telecoms and Internet firms also on the list."

In the case of the targeted Polish banks, it's suspected that the malicious code was hosted on the website of the Polish Financial Supervision Authority, the government watchdog for the banking sector.

The BAE Systems researchers found evidence that similar code pointing to the custom exploit kit was present on the website of the National Banking and Stock Commission of Mexico in November. This is the Mexican equivalent to the Polish Financial Supervision Authority.

The same code was also found on the website of the Banco de la República Oriental del Uruguay, the largest state-owned bank in that South American country, according to BAE Systems.

Included in the list of targeted IP addresses were those of 19 organisations from Poland, 15 from the US, nine from Mexico, seven from the UK, and six from Chile.

The payload of the exploits was a previously unknown malware downloader that Symantec now calls Downloader.Ratankba. Its purpose is to download another malicious program that can gather information from the compromised system. This second tool has code similarities to malware used in the past by the Lazarus group.

Lazarus has been operating since 2009, and has largely focused on targets from the U.S. and South Korea in the past, the Symantec researchers said. The group is also suspected of being involved in the theft of $81 million from the central bank of Bangladesh last year. In that attack, hackers used malware to manipulate the computers used by the bank to operate money transfers over the SWIFT network.

"The technical/forensic evidence to link the Lazarus group actors ... to the watering-hole activity is unclear," the BAE Systems researchers said in a blog post.

"However, the choice of bank supervisor and state-bank websites would be apt, given their previous targeting of central banks for heists, even when it serves little operational benefit for infiltrating the wider banking sector."

Computerworld

 

« Make The Most Of Data Analytics
The Cusp Of Merging Human With Machine »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Infosecurity Europe, 3-5 June 2025, ExCel London

Infosecurity Europe, 3-5 June 2025, ExCel London

This year, Infosecurity Europe marks 30 years of bringing the global cybersecurity community together to further our joint mission of Building a Safer Cyber World.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Synovum

Synovum

Synovum was formed with the intention to provide high quality advice, consultancy, training and project management services to clients in all sectors of industry.

FIRST Conference

FIRST Conference

Annual conference organised by the Forum of Incident Response and Security Teams (FIRST), a recognized global leader in computer incident response.

Praetorian

Praetorian

Praetorian is an offensive cybersecurity company whose mission is to prevent breaches before they occur.

Unitrends

Unitrends

Unitrends helps IT pros do more with less by providing an all-in-one enterprise backup and continuity solution.

KOS-CERT

KOS-CERT

KOS-CERT is the national Computer Incident Response Team for Kosovo.

TOAE Security

TOAE Security

TOAE Security is a trusted cyber security consulting partner helping today's leading organizations protect their most important assets from evolving cyber threats.

Invensity

Invensity

INVENSITY is an interdisciplinary technology and innovation consulting company. Centres of excellence include Cyber Security and Data Privacy.

Lifespan Technology

Lifespan Technology

Lifespan Technology provides the full range of IT Asset Disposition services. This includes hardware recycling and disposal, data destruction, and hardware resale.

Phosphorus Cybersecurity

Phosphorus Cybersecurity

Phosphorus has fully automated remediation of the two biggest IoT vulnerabilities, out of date firmware and default credentials.

Converge Technology Solutions

Converge Technology Solutions

Converge Technology Solutions Corp. is a North American IT solution provider delivering advanced analytics, cloud, cybersecurity, and managed services solutions.

Microland

Microland

Microland’s delivery of digital is all about making technology do more and intrude less for global enterprises. Our services include Cloud & Data Center, Networks, Cybersecurity and more.

VikingCloud

VikingCloud

VikingCloud (formerly Sysnet Global Solutions) offers organizations an integrated cybersecurity and compliance solution to make informed, predictive, and cost-effective risk mitigation and prevention

Strac

Strac

Eliminate Personal Data Risks from your business. Our Dataless SaaS removes the need to manage sensitive data across web, mobile apps, servers and communication channels.

Orpheus Cyber

Orpheus Cyber

Orpheus Cyber provides predictive and actionable intelligence to our clients - enabling them to anticipate, prepare for and respond to the cyber threats they face.

Tsaaro Academy

Tsaaro Academy

Tsaaro Academy is a unique privacy certification training platform and here you earn a privacy certification CEH, CISM and DPO from India’s No.1 Privacy training platform.

Cyborg Security

Cyborg Security

Cyborg Security is a team of threat hunters, threat intelligence analysts, and security researchers from across North America.