UPDATED 06:16 EDT / OCTOBER 12 2016

NEWS

New Odinaff trojan targets financial institutions including the SWIFT network

A new group is believed to be attacking international financial institutions with a weaponized trojan that may be targeting transfers over the Society for Worldwide Interbank Financial Telecommunication network.

According to new research published by Symantec Corp., the group behind the trojan, called Odinaff, is not believed to be linked to the Lazarus Group, the organization behind successful raids on banks discovered earlier this year.

The research notes that Odinaff is typically deployed in the first stage of an attack to gain a foothold in a targeted network, after which it allows those behind it to install additional tools. Attacks using the trojan are said to require a large amount of hands-on involvement, including the deployment of a range of back doors and purpose-built tools onto computers of specific interest.

Odinaff was found to have a number of similarities to Carbanak, an advanced persistent threat (APT) campaign targeting financial institutions in 2015, including several identical command and control (C&C) addresses, the use of Backdoor.Batel, and similar methods.

“While it is possible that Odinaff is part of the wider [Carbanak] organization, the infrastructure crossover is atypical, meaning it could also be a similar or cooperating group,” Symantec noted.

Symantec noted that it had no evidence that SWIFT networks had been compromised, but that banks using the system had been targeted.

Symantec has found evidence that the Odinaff group has mounted attacks on SWIFT users, using malware to hide customers’ own records of SWIFT messages relating to fraudulent transactions. The tools used are designed to monitor customers’ local message logs for keywords relating to certain transactions. They will then move these logs out of customers’ local SWIFT software environment. We have no indication that the SWIFT network was itself compromised.

“The discovery of Odinaff indicates that banks are at a growing risk of attack,” Symantec said. “Over the past number of years, cybercriminals have begun to display a deep understanding of the internal financial systems used by banks. They have learned that banks employ a diverse range of systems and have invested time in finding out how they work and how employees operate them. When coupled with the high level of technical expertise available to some groups, these groups now pose a significant threat to any organization they target.”

Networks are advised to keep their anti-virus and network tools up to date.
