News
New banking trojan using fake UK gov address - Fujitsu
November 2016 by Bryan Campbell, Senior Security Researcher, Enterprise and Cyber Security in UK & Ireland at Fujitsu
Following the launch of the UK government cyber security strategy this week which addressed domain spoofing, Bryan Campbell, Senior Security Researcher at Fujitsu who has identified a new banking Trojan which used a fake UK Government address to deliver a malicious document, previously unidentified by Antivirus vendors comment.
The payload was an emerging threat known as Trick Bot delivered by a phishing email pretending to be a fax document with the subject line ‘GDS - New Fax Message’.
What is Trickbot?
Trickbot is believed to be the successor to the infamous Banking Trojan Dyre/Dyreza. Capable of stealing sensitive credentials associated with banking sites and in particular the sample examined by Fujitsu had a list of Australian and New Zealand targets, including banking establishments from both countries. The Trojan is downloaded as a result of a spam email and malicious attachment, if executed it will download the Trojan. In 2015 Fujitsu Cyber Threat Intelligence observed and tracked the Dyre Trojan as it attempted to steal credentials from victims. This research was featured by Brian Krebs on the widespread abuse of insecure devices which in light of the recent large scale DDoS attacks using similarly insecure devices, formed a significant part of the Fujitsu Predictions for 2016.
The dangers associated with phishing
The UK Government earlier this week released its Cyber Strategy for 2016 to 2021 via an 84 page manifesto highlighting an important number of security principles and guidelines whilst promoting countermeasures available to protect the UK. Highlighting domain spoofing such as attackers used in this campaign and why spam campaigns and phishing emails continue to be a method of choice by attackers. The BlackEnergy3 incident, which had been sent to the Ukraine Power grid in December 2015 which consequently caused a major power outage, is an example of the damage email can cause as one of the primary attack phases.
Director General for Government and Industry Cyber Security at GCHQ: ‘’There is no conceivable information security system that can stop one person out of a hundred opening a phishing email, and that can be all it takes.’’
Mitigation against this threat
Email continues to be a primary method of attack for cyber criminals. Fujitsu Cyber Threat Intelligence observe a large number of advances in techniques to bypass traditional security countermeasures and we are able to extract intelligence associated with the daily campaigns that deliver ransomware, Trojans and other payloads. Vigilance is fundamental when dealing with email , ensuring that emails containing attachments or links are always treated with suspicion, particularly those from unknown or unexpected senders. Following the security principle of ‘ trust but verify’, when applied to email will reduce risks significantly.
