Protecting the Financial Sector: Early Detection of Trojan.Odinaff

The financial sector continues to be a prime target for highly sophisticated, customized attacks for an obvious reason - that’s where the money is. Earlier this year, the SWIFT money transfer system came under attack, resulting in an $81 million heist of the Bangladesh Bank. This number pales in comparison to estimates close to $1 billion stolen by the Carbanak group from over 100 banks worldwide.  

Earlier this month, Symantec detailed a new threat to the financial sector, which they said resembles the highly sophisticated Carbanak group. In their excellent post, they describe Odinaff, a precision toolkit used by criminal actors who focus narrowly on the financial industry and whose tradecraft resembles that of nation-state hackers. It appears that the malware is being used in part to remove SWIFT transaction records, which could indicate an attempt to cover up other financial fraud.

Given the sophistication and stakes involved in the Odinaff campaign, we wanted to see how well Endgame’s early-stage detection capabilities would do against this emergent and damaging campaign. The verdict: extremely well.  Let’s walk through this campaign and show how it can be detected early and at multiple stages, before any damage.

 

Background

According to Symantec, the Odinaff trojan is deployed at the initial compromise. The group then deploys additional tools to complete its operations on specific machines of interest. The group is conscious of its operational footprint and uses stealth techniques designed to circumvent defenses, such as in-memory-only execution. The toolkit includes a variety of techniques that give the group the flexibility to do just about anything, including credential theft, keylogging, lateral movement, and much more.

The integration of multiple, advanced attack techniques with careful operational security is a trademark of most modern, sophisticated attacks.  We’ve put a lot of effort into developing detection and prevention techniques which allow our customers to detect and prevent initial compromise and entrenchment by adversaries (for example, see our How to Hunt posts on file paths and COM hijacking for more information on how we’re automating and enabling hunt operations across systems).  Our exploit prevention, signature-less malware detection, in-memory only detections, malicious persistence detection, and kernel-level early-stage adversary technique detections combine to make it extraordinarily difficult for adversaries to operate.  This prevents the adversary from establishing a beachhead in the network and protects the critical assets they’re after. Let’s take a look and see how this layering and integration of early stage detection and prevention fare against the Odinaff trojan. We tested the following dropper referenced in the Symantec post: F7e4135a3d22c2c25e41f83bb9e4ccd12e9f8a0f11b7db21400152cd81e89bf5.
 

Initial Malware Infection

According to Symantec, the initial trojan is delivered via a variety of methods, including malicious macros and upload through an existing botnet. The instant this malware hits disk, Endgame catches it. Our proprietary signature-less detection capability, MalwareScore™, immediately alerts that the new file is extraordinarily malicious, scoring it a 99.86 out of 100. This would lead to immediate detection through Endgame.

 


Persistence Detection

One of the first things the malware does is persist itself as a run key in the registry. Endgame’s comprehensive persistence enumeration and analytics cause the malicious Odinaff persistence item to clearly stand out, warning the network defender and enabling quick remediation.  The persistence inspection is crucial because even if the Odinaff actors had cleverly written their malware to evade our MalwareScore™, other characteristics of the dropped persistence item are caught by Endgame’s automated analytics. These include an anomaly between the filename on disk and the original compilation filename from Microsoft’s Version Info, the fact that it’s unsigned, outlier analysis highlighting the anomalous artifact in the environment, and more. All these analytics are presented to the user in a rich and intuitive user interface and point to the persistence item as very suspicious.
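The three persistence analytics named above (filename versus version-info name, missing signature, rarity across the environment) can be combined as in the following added example, which is not Endgame's code. The inventory records, field names, hosts and file names are constructed for illustration, and the `signed` field is assumed to come from a prior Authenticode check.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed Run-key inventory, one record per entry per host. Field names
# and all values are assumptions for this example, not a product schema.
def _item(host, value, path, original, signed):
    return {"host": host, "value": value, "path": path,
            "original_filename": original, "signed": signed}

RUN_ITEMS = (
    [_item(h, "OneDrive", r"C:\Program Files\OneDrive\OneDrive.exe",
           "OneDrive.exe", True) for h in ("ws01", "ws02", "ws03", "ws04")]
    + [_item(h, "Inventory", r"C:\Tools\inventory.exe", None, False)
       for h in ("ws01", "ws02", "ws03", "ws04")]
    + [_item("ws03", "Updater", r"C:\Users\c\AppData\Roaming\winsvc.exe",
             "setup.exe", False)]
)

def basename(item):
    return PureWindowsPath(item["path"]).name.lower()

def name_mismatch(item):
    """True when version info names a different file than the one on disk."""
    original = (item["original_filename"] or "").lower()
    return bool(original) and original != basename(item)

def score_items(items, max_hosts=1):
    """Return (host, value, reasons) for flagged items, most reasons first."""
    hosts_by_name = defaultdict(set)
    for it in items:
        hosts_by_name[basename(it)].add(it["host"])
    fleet = {it["host"] for it in items}
    findings = []
    for it in items:
        reasons = []
        if name_mismatch(it):
            reasons.append("filename differs from OriginalFilename")
        if not it["signed"]:
            reasons.append("unsigned")
        # Outlier: binary name present on very few hosts in a larger fleet.
        seen_on = len(hosts_by_name[basename(it)])
        if len(fleet) > max_hosts and seen_on <= max_hosts:
            reasons.append("rare in environment")
        if reasons:
            findings.append((it["host"], it["value"], reasons))
    return sorted(findings, key=lambda f: -len(f[2]))

if __name__ == "__main__":
    for host, value, reasons in score_items(RUN_ITEMS):
        print(host, value, "; ".join(reasons))
```

The unsigned in-house tool present on every host trips only one indicator, while the single-host entry trips all three and sorts to the top.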

 


In-Memory Detection

Endgame’s patent-pending detections of memory anomalies allow users to find all known techniques adversaries use to hide in memory.  On install, Odinaff sleeps for about one minute and then modifies its own memory footprint in a way which Endgame detects as malicious. The evasion technique used is uncommon and will be very difficult to detect with other endpoint security products, requiring at a minimum a tremendous amount of manual analysis.  On the other hand, Endgame highlights Odinaff’s in-memory footprint as malicious with high confidence in seconds.  Endgame discovers other known in-memory stealth techniques just as easily.

 


Layered and Early Detection at Scale

This malware was not widely discussed in the security community before the Symantec report, yet these sophisticated attackers have been deploying Odinaff in the wild since at least January 2016, according to Symantec.  Signature-based techniques do not provide adequate protection as new threats emerge because it takes time for threats to become known and for signatures to be created and propagate.  

As we’ve described above, Endgame’s layered detection technology detects Odinaff with ease with no prior knowledge of signatures. By focusing on detection of techniques including in-memory stealth, which are seen time and time again as initial access is gained, detection and prevention can reliably take place early.  Early detection stops advanced adversaries from achieving their objectives and in turn prevents damage.  Take a look at the video below to walk through these layered defenses and see how Endgame detected Odinaff early and at various stages of the attack.