Strains of Mutant Malware Increasingly Evading Anti-Virus to Rob Bank Accounts, Says Akouto

August 29, 2017         By: Payment Week

TORONTO, Aug. 29, 2017 /PRNewswire/ — An analysis of recent attacks finds a sharp increase in the use of new strains of malware capable of bypassing traditional anti-virus according to cybersecurity experts from Akouto. The majority of the analyzed attacks aimed to harvest confidential information and steal money through online banking fraud.

The first sign of trouble for a small business owner in Ontario was a phone call from the bank warning of suspicious money transfers that could be an indication of hackers accessing their account. All computers were checked and anti-virus scans assured staff that they were virus-free. To be safe, the company decided to beef-up security using a managed cybersecurity service.

Once new measures were in place, it became clear that things were worse than they appeared. “We received a large number of alerts showing multiple computers communicating with a hacker botnet,” said Bruno Macchiusi, founder of IT Service Provider Alpha Logics. “Virus scans continued to find no infections, but information provided by network monitoring systems allowed us to quickly identify the threat as the Heodo banking Trojan and take infected systems off the client’s network.”

Heodo made its debut on the malware scene in March 2017. It was created primarily to steal sensitive information like passwords and e-banking information that is then used to rob victims’ bank accounts. The infection is triggered when a user clicks on a link or opens a PDF file for a fake invoice that arrives in an email from a known contact. Once a computer is infected, the Trojan searches for more email addresses it can target by sending fake messages that appear to come from the victim. It also scans the network for other computers and infects them by exploiting a weakness in the way computers running the Windows operating system share information with each other.

“The creators of Heodo spliced the code of a Trojan with that of a Worm to create a hybrid capable of stealing information, self-replicating and mutating,” said Dominic Chorafakis, founder of cybersecurity consulting firm Akouto. “Using its Trojan DNA it constantly collects sensitive information that is transmitted back to the hackers. Using its Worm DNA it burrows through networks spreading to other computers, stealing more information and spreading even further.”

Heodo uses technology called a crypter that allows it to hide from anti-virus products. It embeds itself within applications on the infected computer, establishes links back to command-and-control servers to download additional instructions, and makes mutated copies of itself on the infected system.

These types of attacks highlight the need for a comprehensive approach to cybersecurity that goes beyond anti-virus. “Identifying the breach was only half the battle,” said Macchiusi. “Once infected computers were isolated, the challenge was to find all of the mutations on each system before it could be returned to the client’s network. It took products from eight different anti-virus vendors and specialized monitoring to finally identify the specific combination of tools and steps needed to completely eradicate the Trojan.”