A recent report from BlackBerry Cybersecurity highlighted the finance sector's challenges, including the growing availability of commodity malware, ransomware attacks, and the rise of mobile banking malware targeting digital and mobile banking services.
The financial industry is a frequent target of cyber criminals seeking large payouts, destructive impact (including possible government fines, legal fees, threat mitigation costs, and damage to the target’s reputation), and sensitive financial data that can be sold on dark web forums. This data is often purchased by secondary threat actors who weaponize it to achieve other malicious goals.
During this reporting period (March 1 – May 31, 2023), BlackBerry Cybersecurity solutions stopped over 17,000 attacks targeting financial institutions, with close to 15,000 of those attacks against US organizations. The remaining attacks on the financial sector were detected and stopped in countries in South America and Asia.
During this reporting period, BlackBerry telemetry observed a continuing trend in the use of commodity malware such as RedLine, an information stealer that can harvest saved credentials, credit card information, and (in a more recent version) cryptocurrency wallet data. BlackBerry also observed attacks using the SmokeLoader backdoor and the open-source credential-dumping tool Mimikatz.
Amadey, a botnet sold on Russian-speaking hacking forums, was observed targeting the financial industry. Amadey sends the victim's system information back to its command and control (C2) server and then polls for commands from the attacker. Its main function is loading additional malicious payloads onto compromised machines.
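A loader such as Amadey checks in with its C2 on a schedule while it waits for tasking, and that regularity is one of the few signals a defender gets before the next-stage payload lands. The following is an added detection example, not code from the BlackBerry report or from the malware: it runs a simple beacon check over constructed proxy log lines. The log format, host names, IP addresses and thresholds are all assumptions made for the example.

```python
"""Beacon (C2 polling) detection over constructed egress proxy logs.

Added example, not from the BlackBerry report. A loader that polls its C2
for commands produces near-constant inter-request gaps from one source host
to one destination. We flag (src, dst) pairs whose request timing is both
frequent and low-jitter. Log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_host> <bytes>".
# One host polls update.example-cdn.test roughly every 60 s with tiny
# responses (assumed C2 check-ins); the other destinations are irregular.
SAMPLE_LOG = """\
2023-04-02T10:00:00 10.0.0.5 update.example-cdn.test 412
2023-04-02T10:00:07 10.0.0.5 www.example-news.test 8812
2023-04-02T10:01:00 10.0.0.5 update.example-cdn.test 410
2023-04-02T10:01:31 10.0.0.5 www.example-news.test 12050
2023-04-02T10:02:01 10.0.0.5 update.example-cdn.test 415
2023-04-02T10:03:00 10.0.0.5 update.example-cdn.test 409
2023-04-02T10:03:44 10.0.0.5 mail.example-corp.test 3301
2023-04-02T10:04:00 10.0.0.5 update.example-cdn.test 411
2023-04-02T10:05:01 10.0.0.5 update.example-cdn.test 413
2023-04-02T10:09:12 10.0.0.5 www.example-news.test 7740
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (src_ip, dst_host)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        events[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return events


def find_beacons(text, min_requests=5, max_cv=0.15):
    """Return [(src, dst, n_requests, mean_gap_s, cv)] for pairs that
    look like periodic polling.

    cv is the coefficient of variation of the inter-request gaps
    (population stdev / mean); a real timer with small jitter gives a cv
    close to 0, interactive browsing gives a cv well above max_cv.
    """
    found = []
    for (src, dst), evs in parse_log(text).items():
        if len(evs) < min_requests:
            continue
        evs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found.append((src, dst, len(evs), round(avg, 1), round(cv, 3)))
    return found


if __name__ == "__main__":
    for src, dst, n, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} ({n} requests, ~{gap}s apart, cv={cv})")
```

Timing alone is not a verdict: legitimate update agents and telemetry clients also poll on a fixed interval, so in practice the flagged pairs are checked against an allowlist of known updaters and enriched with destination reputation and response size before anyone is paged.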
Wider threat landscape
The financial industry, particularly banks, experienced numerous attacks this reporting period. Another common threat to financial institutions was the Clop ransomware, a variant of the CryptoMix ransomware family. The group behind this malware also exploited a then-new pre-authentication command injection vulnerability in the GoAnywhere MFT file-transfer software, tracked as CVE-2023-0669, and used it to breach the fintech banking platform Hatch Bank.
SpyNote continues to evolve. The latest iteration, dubbed SpyNote.C, is the first variant to be delivered by fake apps that masquerade as legitimate apps from prominent financial organizations, as well as other commonly used mobile applications. Following a source code leak in October 2022, samples of SpyNote have increased significantly on the mobile threat landscape.
Recent research indicates that the value of the global mobile banking market is estimated to reach $1.82 billion in 2026, and trends like the rise of neobanks indicate that digital and mobile banking service usage is likely to continue to rise over the next decade. Unfortunately, this growth will likely be accompanied by an increase in mobile banking malware. Several alarming events occurred in the past few months, including a new Android botnet that targeted approximately 450 financial applications. Smartphone-centric malware will likely increase as threat actors attempt to exploit consumers who are heavy users of online banking.