A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #28398  by Xylitol
 Mon Apr 25, 2016 10:45 am
$10 router blamed in Bangladesh bank hack ~ http://www.bbc.co.uk/news/technology-36110421
Two bytes to $951m ~ http://baesystemsai.blogspot.fr/2016/04 ... -951m.html
Bangladesh Bank hackers compromised SWIFT software ~ http://www.reuters.com/article/us-usa-n ... SKCN0XM0DR
Is the Bank of Bangladesh ready for the global economy? ~ http://garwarner.blogspot.fr/2016/04/is ... lobal.html
SWIFT comments on malware reports ~ https://www.swift.com/insights/press-re ... re-reports

evtdiag.exe > https://www.virustotal.com/en/file/4659 ... 461580951/
evtsys.exe > https://www.virustotal.com/en/file/ae08 ... 461580949/
nroff_b.exe > https://www.virustotal.com/en/file/5b7c ... 461580948/
gpca.dat > https://www.virustotal.com/en/file/b07b ... 461580947/

Had a quick look at it: evtdiag.exe checks for the presence of gpca.dat at C:\Users\Administrator\AppData\Local\Allians\gpca.dat (path hard-coded inside the executable).
Then it looks for D:\Alliance\Access\common\\bin\Win32
The app can also be launched with parameters.

Legitimate files from the S.W.I.F.T Alliance Access suite:
nroff.exe - FA6E3EC0CA0AFFE7C0C9258156B2ADC0201F700D (Printer communication.)
sbr.exe - 7B2EF5A24E74614B5CEC734171791749B773D7EC (Executable with liboradb.dll import.)

As for other malware interested in SWIFT, we have this Zeus here: http://www.kernelmode.info/forum/viewto ... 180#p28283 which has a *swift* entry in its config (file search by a given mask).
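A small host-triage script built from the indicators quoted in the post (added here as an example; it is not code from the post or from any of the linked reports). It checks whether the hard-coded gpca.dat path exists and compares the two legitimate Alliance Access binaries against the SHA-1 values listed above. The directory layout used by `demo()` is constructed sample data, not real SWIFT files, so the known-good hash for the constructed nroff.exe is derived from the sample itself to exercise the comparison path; everything else is an assumption for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Known-good SHA-1 values of the legitimate Alliance Access binaries, as listed in the post.
KNOWN_GOOD_SHA1 = {
    "nroff.exe": "fa6e3ec0ca0affe7c0c9258156b2adc0201f700d",
    "sbr.exe": "7b2ef5a24e74614b5cec734171791749b773d7ec",
}

# Artifact paths quoted in the post: the gpca.dat path hard-coded in evtdiag.exe
# and the Alliance bin directory the tool looks for next.
GPCA_PATH = r"C:\Users\Administrator\AppData\Local\Allians\gpca.dat"
ALLIANCE_BIN = r"D:\Alliance\Access\common\bin\Win32"


def sha1_of(path):
    """Stream a file through SHA-1 and return the lowercase hex digest."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_binaries(bin_dir, expected=KNOWN_GOOD_SHA1):
    """Compare each expected binary in bin_dir against its known-good SHA-1.

    Returns a dict name -> "ok" | "MODIFIED" | "missing".
    """
    results = {}
    for name, good in expected.items():
        p = Path(bin_dir) / name
        if not p.is_file():
            results[name] = "missing"
        elif sha1_of(p) == good.lower():
            results[name] = "ok"
        else:
            results[name] = "MODIFIED"
    return results


def check_artifacts(gpca_path=GPCA_PATH):
    """Report whether the dropped gpca.dat artifact is present at the hard-coded path."""
    return {"gpca.dat present": Path(gpca_path).is_file()}


def build_sample_tree(root):
    """Construct a fake bin directory (constructed test data, not real SWIFT binaries).

    Only nroff.exe is written; sbr.exe is deliberately left absent.
    """
    bin_dir = Path(root) / "bin"
    bin_dir.mkdir(parents=True, exist_ok=True)
    (bin_dir / "nroff.exe").write_bytes(b"constructed sample, not the real nroff.exe")
    return bin_dir


def demo():
    """Run the checks against a constructed tree in a temp folder and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        bin_dir = build_sample_tree(tmp)
        # Against the real known-good list the constructed file cannot match.
        against_real = check_binaries(bin_dir)
        # Substitute the sample's own hash so the "ok" path is exercised too.
        expected = dict(KNOWN_GOOD_SHA1)
        expected["nroff.exe"] = sha1_of(bin_dir / "nroff.exe")
        against_sample = check_binaries(bin_dir, expected)
        gpca = Path(tmp) / "gpca.dat"
        gpca.write_bytes(b"constructed placeholder")
        artifacts = check_artifacts(gpca)
        absent = check_artifacts(Path(tmp) / "does_not_exist.dat")
        return against_real, against_sample, artifacts, absent


if __name__ == "__main__":
    for label, result in zip(("real list", "sample list", "artifact", "absent"), demo()):
        print(label, result)
```

On a real host you would call `check_binaries(ALLIANCE_BIN)` and `check_artifacts()` with their defaults; a "MODIFIED" result on either binary, or a present gpca.dat, is the point at which to pull the file for analysis rather than trust the hash list alone.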