Symantec researchers warn that the Odinaff Trojan, which first appeared in January this year, is targeting banks and financial institutions worldwide. Once inside, it is used by the criminals to monitor the networks of compromised organizations and steal their data.
Since its appearance, the Trojan has been attacking organizations not only in the banking sector but also in the securities, trading, and payroll sectors.
Symantec's security team says that Odinaff is accompanied by custom-built malware tools, specially created for spying on networks, stealing credentials, and monitoring and recording employees. With these features, Odinaff closely resembles the Carbanak financial Trojan.
The criminal gang behind the Trojan uses various tactics to break into the targeted networks, but the most common method is fooling employees into opening macro-laced documents. By default, macros are disabled in Microsoft Word, but if the user enables them as the document's lure text urges, the macro installs the Odinaff Trojan on the PC.
Another common tactic is the use of password-protected .RAR archive files, which, once extracted, likewise trick the victim into installing the Trojan; the password keeps mail gateways and antivirus scanners from inspecting the archive's contents. At this point, researchers are not sure exactly how the crooks are distributing these malicious documents and links, but they suspect that spear-phishing is the main method of delivery.
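Because the lure is a macro-enabled Office document, a cheap first-line check is to inspect incoming documents for an embedded VBA project rather than trusting the file extension. The script below is an added example written for this article, not Symantec's tooling or anything from the Odinaff campaign; it relies on the fact that modern Office files are ZIP containers whose VBA code lives in a part named vbaProject.bin and is declared in the [Content_Types].xml manifest. The sample documents it scans are constructed in memory and contain no real macro code.

```python
"""Flag Office documents that carry a VBA project (added example, not from the article).

OOXML files (.docx, .docm, .xlsm, ...) are ZIP archives. Any VBA code is stored in a
part named vbaProject.bin, and the [Content_Types].xml manifest declares the
vbaProject content type for it. Checking for either catches macro-laced documents
regardless of the extension they were mailed with. Legacy OLE2 .doc/.xls files are
not ZIPs and need a different parser (e.g. olefile), so they are only reported as such.
"""
import io
import zipfile

MACRO_PART = "vbaproject.bin"                           # compared case-insensitively
MACRO_CT = "application/vnd.ms-office.vbaProject"       # content type of the VBA part
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"                        # legacy binary Office container


def scan_office_document(data: bytes) -> dict:
    """Return findings for one document given its raw bytes."""
    findings = {"is_ooxml": False, "is_ole2": data.startswith(OLE2_MAGIC),
                "vba_parts": [], "macro_content_type": False}
    if not data.startswith(b"PK\x03\x04"):
        return findings                                  # not a ZIP container
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    findings["is_ooxml"] = True
    for name in zf.namelist():
        # Look at the basename only: the part can sit under word/, xl/, ppt/ ...
        if name.lower().rsplit("/", 1)[-1] == MACRO_PART:
            findings["vba_parts"].append(name)
    try:
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["macro_content_type"] = MACRO_CT in manifest
    except KeyError:
        pass                                             # no manifest: malformed package
    return findings


def has_vba(data: bytes) -> bool:
    """True if the document declares or contains a VBA project."""
    f = scan_office_document(data)
    return bool(f["vba_parts"]) or f["macro_content_type"]


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped document in memory (sample data, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = ['<?xml version="1.0"?>',
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
                    '<Default Extension="xml" ContentType="application/xml"/>']
        if with_macro:
            manifest.append('<Override PartName="/word/vbaProject.bin" ContentType="%s"/>' % MACRO_CT)
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"placeholder-vba-project")
        manifest.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(manifest))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", build_sample(False)), ("macro", build_sample(True))):
        print(label, scan_office_document(doc))
```

In a mail pipeline the same function runs over each attachment's bytes; a document that trips either indicator can be quarantined or rewritten before it reaches the employee who would otherwise be asked to click "Enable Content".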
The Odinaff Trojan is advanced and sophisticated: it can take screenshots of the infected system every 5 to 30 seconds and send them to its remote command-and-control (C&C) server. Odinaff is also able to download and execute RC4 cipher keys and to issue shell commands.
Once Odinaff is installed on the compromised PC, a second piece of malware is installed as well. Dubbed Batel, this additional malware runs its payloads solely in memory, leaving little on disk and allowing it to operate stealthily in the background.
Based on the nature of these attacks, the researchers believe that the crew behind the Trojan is both well-resourced and professional. The experts further suspect that Odinaff is related to the Carbanak hacking group, which, since it first appeared in 2013, has managed to steal more than one billion dollars from banks. Researchers noted that one of the IP addresses used by Odinaff has been mentioned in connection with the Oracle MICROS breach, an attack which saw the compromise of hundreds of point-of-sale systems.
Furthermore, three of Odinaff's C&C IP addresses have been connected to previous Carbanak campaigns, which saw financial institutions in 30 countries attacked by cybercriminals suspected to originate from Europe, Russia, China, and Ukraine.
Considering that most attacks against banks are limited to one region, like the Zeus Trojan variant Panda targeting Brazil only, the fact that Odinaff, just like Carbanak, is globally oriented suggests that the two operations are connected.
Odinaff is, indeed, targeting banks all over the globe, but financial institutions in the US are the ones to have experienced most Odinaff hits, followed by the UK, Hong Kong, and Australia.
The criminal gang behind Odinaff is the latest to have realized that even though breaking into the network of a financial institution is hard work, it can also be quite the moneymaker. Others have seen the same opportunity, such as the operators of the GozNym banking Trojan and the data-stealing Qadars Trojan.