Malware used by cybercriminals to carry out one of the biggest cyberheists in history is thought to have been “part of a wider attack toolkit”, according to a BAE Systems security researcher.
In a company blog, Sergei Shevchenko said that the tools used in February’s attack on Bangladesh Bank, which saw criminals walk away with $81 million, “could feasibly be used for similar attacks in the future”.
The malware, detected by ESET as variants of Win32/Agent.XZH and Win32/Agent.XZI, among others, is believed to be highly complex.
Mr. Shevchenko said that it contained “sophisticated functionality”, which allowed it to engage with “local SWIFT Alliance Access software running in the victim infrastructure”.
This is concerning, as SWIFT, which describes itself as the global provider of secure financial messaging services, is used by banks to transfer billions of dollars a day.
“All financial institutions who run SWIFT Alliance Access and similar systems should be seriously reviewing their security now to make sure they too are not exposed,” the security researcher advised.
“This attacker put significant effort into deleting evidence of their activities, subverting normal business processes to remain undetected and hampering the response from the victim.”
SWIFT responded to news of this by stating that the malware in question does not affect its core messaging services or its network.
It continued: “We understand that the malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security.”
Had it not been for a spelling mistake, it is thought that the team behind February’s attack could have stolen up to $1 billion from Bangladesh’s central bank.
In his blog, Mr. Shevchenko explained that while more details about the cyberheist have emerged, many questions remain unanswered.
For example, the culprits have yet to be identified, nor is it understood how they were able to plant the malware.