Skip links

Banks face their ‘darkest hour’ as malware steps up, maker of antivirus says

Interview Crimeware targeting banks and other financial-services organizations today features sophisticated capabilities and evasion tools, according to Kaspersky’s lead security researcher Sergey Lozhkin.

“The darkest hour is now for the financial industry, especially for big and medium-sized corporations,” Lozhkin said, during a panel discussion on threats to financial services organizations. 

BlackLotus, a Unified Extensible Firmware Interface (UEFI) firmware rootkit used to backdoor Windows machines, is one such newly discovered tool. Kaspersky hasn’t yet published full research about the malicious implant, but Lozhkin said it appeared for sale with a $5,000 price tag on the cybercrime scene earlier this month.

This malicious code allows miscreants to bypass computers’ secure boot feature, which is supposed to prevent the machine from running unauthorized software. Instead, by targeting the UEFI, the BlackLotus malware loads before anything else in the booting process including the operating system and any security tools that could stop it.

“So basically, if a bad guy gets access to a network or a computer, he can install this tool, and it will be fully undetected, fully persistent, on the UEFI level,” Lozhkin said. 

If a bad guy gets access to a network or a computer, he can install this tool, and it will be fully undetected, fully persistent, on the UEFI level

BlackLotus and other sophisticated malware are usually, but not exclusively, wielded by government-level teams, who have deep pockets and highly skilled developers on the payroll. Criminals can also get their hands on the tools.

“These threats and technologies before were only accessible by guys who were developing advanced persistent threats, mostly governments,” Lozhkin claimed. “Now these kinds of tools are in the hands of criminals all over the forums.”

As soon as he saw BlackLotus on one such forum, “I wanted it immediately because I need to reverse engineer it and warn our customers immediately,” Lozhkin added.

How to catch a crook

Lozhkin spends his days monitoring criminal underground forums and reverse engineering malware shared via these nefarious channels, and he previously was VP of cybersecurity operations for JP Morgan Chase. 

While he won’t name the cybercrime gangs he sees lurking around in the shadows because of ongoing investigative purposes, these financially-motivated cybercriminals have become really good at repurposing government-created cyberespionage tools to pull off massive bank heists — like the EUR$1 billion robbery that infiltrated more than 100 financial institutions in 40 countries. 

Lozhkin was one of the private security researchers who participated in the takedown, led by the Spanish National Police with the support of Europol, the US FBI, and the Romanian, Moldovan, Belarussian and Taiwanese authorities.

“Modern crimeware is really sophisticated, and the guys coding these tools are really, really smart,” Lozhkin said. “And sometimes they don’t even need to code anything. Why write your own code when you can just as easily buy it online?”

Red-team tools gone bad

As a case in point: ransomware gangs and Cobalt Strike. This is a legitimate penetration testing tool that has since become a favorite method for cybercriminals to move laterally through victims’ networks, establish persistence, and download and execute malicious payloads. 

“And then we have Brute Ratel,” Lozhkin said. 

This, of course, is the post-exploitation toolkit developed by a former Mandiant red teamer. The nearly undetectable malware, which can evade antivirus and endpoint detection and response software, was selling for $3,000 before a cracked version was leaked for free on underground forums.

“I’ve seen a huge increase in the last year using legal tools to attack financial institutions,” Lozhkin said. “Cobalt Strike is everywhere. Brute Ratel is everywhere.”

This illustrates the “biggest problem” with these types of software tools that emulate adversaries in an IT environment and are designed to remain undetected, he added. 

“When you are creating a weapon — and I consider this a cyberweapon, a really dangerous tool that could be used to infiltrate every organization, every company — cybercriminals immediately get this tool and use it against organizations,” Lozhkin said.

Meanwhile, ransomware economy booms

Plus, all of these malicious tools for sale also contribute to the booming initial access broker economy. These are the criminals who sell or provide a route into an organization for a fee or cut of the profits. This access is then used by extortionists to siphon sensitive data, encrypt files using ransomware, and demand payment to keep quiet about the intrusion and clean up the mess.

“These guys are everywhere: they hack into an organization and sell access,” Lozhkin said, adding that the price tag for initial access to high-revenue corporations that criminals believe will pay ransom demands can run upwards of $50,000.

“The final customers of this data are ransomware groups,” he noted. Ransomware gangs have their own forums, and they, too, are becoming better at the trade, using modern programming languages to write code, nonstandard cryptography to lockup organizations’ files, and even professional business operations models. 

Ransomware developers are becoming more professional, too, and recent market downturns and big tech layoffs aren’t helping, according to Lozhkin. “Lots of people are coming to the darkside because the darkside is hiring.”

Somehow, though he remains optimistic. “The darkest hour is just before the dawn. There is a light. There is always a light,” Lozhkin said. 

Following weeks of ransomware attacks against schools and hospitals, and publicity stunts aimed at US airports, it’s hard to share in that optimism. But here’s hoping he’s right. ®