Watering Hole Attacks 2017: Banks Compromised with Downloader.Ratankba

Quite a few banks have been targeted in the so-called watering hole attacks. The attacks from January against Polish institutions where a booby-trapped site of the Polish Financial Supervision Authority was used were just the beginning of a series of unfortunate events. The final stage of the malicious operations was the delivery of Downloader.Ratankba.


What Is A Watering Hole Attack?

Basically, a watering hole attack is a security exploit that seeks to compromise a precise group of consumers by striking websites that the group is visiting regularly. The end goal is quite obvious – infecting the targets’ computers and obtaining remote access to the networks at the victims’ place of employment

The computer attack strategy has been identified in 2012 by RSA Security. The strategy can be quite efficient – we all visit our favorite pages on a regular, daily basis. Even though we can be quite smart and laugh at people that fall for phishing schemes, we could still become malware preys by simply jumping to a beloved page.


Now, let’s get back to the recent watering hole attacks that have been compromising various financial organizations. Several banks have now shared details of the incidents, and information about more incidents is coming to light. Researchers from Symantec and BAE Systems concluded that most affected institutions are in Poland, the US, the UK, Mexico and Chile.

Researchers at BAE Systems were able to identify more watering holes, like the websites of the National Banking and Stock Commission of Mexico and of a state-owned bank in Uruguay. The websites of the institutions were booby-trapped and contained code that triggered the download of malicious JavaScript files from compromised domains. The domains hosted an exploit kit which used Silverlight and Flash exploits. The final stage of the operation was, not surprisingly, malware distribution.

When examining the code on the exploit kit website a list of 255 IP address strings was found. The IPs only contained the first 3 octets, and would have been used to filter traffic such that only IPs on that subnet would be delivered the exploit and payload. The IP addresses corresponded to a mix of public and private financial institutions spread across the globe,” BAE Systems explained.

The Malware Distributed Previously Undetected: Downloader.Ratankba

Researchers reported that the malware used in these attacks was Downloader.Ratankba. Interestingly, the downloader has not been previously identified, and Symantec used generic detection signatures.

Ratankba was observed contacting eye-watch[.]in for command and control (C&C) communications. Ratankba was then observed downloading a Hacktool. This Hacktool shows distinctive characteristics shared with malware previously associated with Lazarus.

Lazarus is a hacking group that has been operating since 2009. It has been targeting institutions primarily located in the US and South Korea.


To stay protected against malware attacks of all types, users are highly advised to keep their systems protected at all times.

Download

Malware Removal Tool


Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.