A new banking Trojan has been spotted targeting financial institutions around the world. Dubbed Ordinaff, the banker is deployed in campaigns on the networks of compromised organizations. Security researchers report that the Trojan has been active since January 2016 and has been used in attacks on organizations in the banking, securities, trading, and payroll sectors. Attacks have also been detected against service providers that support those industries.
A Look into Ordinaff Banking Trojan
Symantec reports that the group behind Ordinaff has custom-built malware tools used for exploring the compromised network, stealing credentials, and observing and recording employee activity. Researchers suspect that Ordinaff has a lot in common with another well-known banker, Carbanak.
The connection to Carbanak is supported by the discovery that three Ordinaff C&C IP addresses link directly to previous Carbanak attacks, which targeted banks in more than 30 countries.
How is an Ordinaff Attack Initiated?
Not surprisingly, the attack typically starts with the victim opening a document containing malicious macros. To learn more about macros and the risks of enabling them, see the tips at the end of the article.
What is Ordinaff capable of?
This is indeed a sophisticated Trojan that can:
- Take screenshots of infected systems every 5 to 30 seconds;
- Send the screenshots to a remote C&C server;
- Download and execute additional RC4-encrypted components and issue shell commands.
On top of that, Ordinaff doesn't come alone: after the initial compromise of the targeted system another piece of malware, Batel, is dropped as well. Researchers say that Batel runs its payloads exclusively in memory, which lets it persist quietly in the background and leaves little on disk for file-based scanners to find.
Another indication of the sophistication of an Ordinaff attack is that the Trojan is operated by hand rather than running a fixed script. The criminals behind it download and install new tools whenever they choose, which means the group is highly capable and resourceful.
What makes Ordinaff especially dangerous is that it targets organizations all over the globe. So far the operators appear to have focused mostly on banks in the US, Hong Kong, Australia, and the UK.
How to Stay Away from Macro Malware
For obvious security reasons, Office disables macros by default. Cyber criminals know that, and their documents are designed to trick potential victims into enabling macros (a fake "document is protected, click Enable Content to view" banner is the usual lure), at which point the malware runs.
In short, to stay safe against macro malware and its various payloads, follow these steps:
- Disable macros in Microsoft Office applications. The very first thing to do is check that macros are disabled in Microsoft Office; for details, visit Microsoft Office's official page. Keep in mind that if you are an enterprise user, the system administrator controls the macro settings through policy, and recent Office versions also offer a policy to block macros in files that came from the Internet.
- Don't open suspicious emails. Simple as that. If you receive an unexpected email from an unknown sender, such as an unsolicited invoice, don't open the attachment before making sure it is legitimate. Spam is the primary way of distributing macro malware.
- Employ anti-spam measures. Use a spam filter that examines incoming email and isolates spam from regular messages so it never reaches your inbox. Gmail users can refer to Google's support page.
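The mail-filtering advice above, and the macro-laden lure documents described at the start of the article, can be backed by a simple content check at the mail gateway: decide by file contents, not by file extension, whether an Office attachment carries a VBA project. The following Python script is an added example written for this article; it is not code from the original page nor from Symantec or any product named here. It assumes two real container formats (OLE2/CFB for legacy .doc/.xls and ZIP-based OOXML for .docx/.docm) and uses constructed stand-in attachments built in memory rather than real documents. The OLE2 check is a byte-string heuristic over the UTF-16LE directory names, not a full CFB parse.

```python
"""Flag Office attachments that embed a VBA project (added example, constructed data)."""
import io
import zipfile

# Magic numbers of the two Office container formats.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 / Compound File Binary (.doc, .xls, .ppt)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML package (.docx, .docm, .xlsm, ...)

# OLE2 directory entries store storage/stream names as UTF-16LE. The VBA project
# appears as a "_VBA_PROJECT" stream; Word also keeps it under a "Macros" storage.
OLE_VBA_MARKERS = tuple(n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros"))

# In OOXML the VBA project is a binary part whose content type is declared
# in [Content_Types].xml.
OOXML_VBA_PART = "vbaproject.bin"
OOXML_VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

# Extensions that should never contain macros; VBA inside one of these
# usually means a .docm/.xlsm was renamed to look harmless.
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx", "dotx", "xltx", "potx"}


def ooxml_vba_reasons(data):
    """Return the reasons a ZIP-based Office package looks macro-enabled."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as pkg:
            names = pkg.namelist()
            reasons += ["part " + n for n in names if n.lower().endswith(OOXML_VBA_PART)]
            if "[Content_Types].xml" in names and OOXML_VBA_CONTENT_TYPE in pkg.read("[Content_Types].xml"):
                reasons.append("vbaProject content type declared")
    except zipfile.BadZipFile:
        # Unreadable containers are quarantined rather than waved through.
        reasons.append("corrupt zip container")
    return reasons


def ole_vba_reasons(data):
    """Heuristic: look for VBA storage/stream names in the OLE2 directory."""
    return ["OLE entry " + m.decode("utf-16-le") for m in OLE_VBA_MARKERS if m in data]


def inspect_attachment(filename, data):
    """Classify one attachment by its bytes; the extension is only a cross-check."""
    if data.startswith(ZIP_MAGIC):
        container, reasons = "ooxml", ooxml_vba_reasons(data)
    elif data.startswith(OLE_MAGIC):
        container, reasons = "ole2", ole_vba_reasons(data)
    else:
        container, reasons = "other", []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if reasons and ext in MACRO_FREE_EXTENSIONS:
        reasons.append("extension hides macro content")
    return {"filename": filename, "container": container,
            "has_vba": bool(reasons), "reasons": reasons}


def scan_message(attachments):
    """attachments: iterable of (filename, bytes). Returns only the flagged ones."""
    return [r for r in (inspect_attachment(n, d) for n, d in attachments) if r["has_vba"]]


# ---- constructed sample attachments (not real documents) ----
def _build_ooxml(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


CLEAN_DOCX = _build_ooxml({
    "[Content_Types].xml": b'<Types><Default Extension="xml" ContentType="application/xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})
MACRO_DOCM = _build_ooxml({
    "[Content_Types].xml": b'<Types><Override PartName="/word/vbaProject.bin" '
                           b'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00" * 16,   # stand-in for a real VBA project blob
})
# Stand-in for a legacy .doc: header magic plus a "Macros" directory entry name.
MACRO_DOC = OLE_MAGIC + b"\x00" * 504 + "Macros".encode("utf-16-le") + b"\x00" * 64

SAMPLE_ATTACHMENTS = [
    ("invoice.docx", CLEAN_DOCX),            # clean, passes
    ("invoice.docm", MACRO_DOCM),            # macro-enabled, flagged
    ("invoice_renamed.docx", MACRO_DOCM),    # .docm content behind a .docx name, flagged
    ("statement.doc", MACRO_DOC),            # legacy format with VBA storage, flagged
]

if __name__ == "__main__":
    for hit in scan_message(SAMPLE_ATTACHMENTS):
        print(hit["filename"], hit["container"], "; ".join(hit["reasons"]))
```

Run as-is, the script reports the three macro-bearing samples and stays silent on the clean one. In production this belongs at the mail gateway, ahead of the anti-malware scanner, and a flagged attachment should be quarantined for review rather than delivered; for anything beyond a pre-filter, replace the OLE2 byte heuristic with a proper CFB parser.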
And don’t forget to keep your anti-malware program updated and running at all times!