Multiple Threats to the Financial Industry

This is a security alert for all TruShield clients, the financial services industry, and the community at large. We have learned of a wave of recent threats targeting the financial services industry. This variety of threats, poised to strike banks and financial institutions, currently includes: additions and alterations to existing malware families, a new banking Trojan, and a group of cyber criminals.

An Expected Trend

As anticipated by experts at TruShield, a rapid increase in threats to the financial services sector is under way with increasing ferocity. Recent developments in the second half of April have unveiled some of the latest salvos aimed particularly at North American, European, and Australian organizations in this sector, as well as organizations used globally for financial operations. First, this has included variants and alterations of known malware families. One such example is Multigrain, a variant of NewPos Things, discovered by researchers at FireEye. An additional example is the GozNym Trojan identified by researchers at IBM, which quickly shifted tactics and added a targeted region. Second, Proofpoint and Fox IT InTELL have produced findings on a new banking Trojan known as “Panda Banker”. Third, the cyber-criminal group FIN6 was discovered by FireEye. Each of these discoveries, along with a recent announcement by SWIFT, has yielded important information that entities in the financial services industry can use to adjust their security posture.

Threat Details

Each of the threats mentioned above has some noteworthy details.

Multigrain operates similarly to many previous POS malware families and targets payment card data, but it aims only at systems running the multi.exe process. It also uses DNS queries for beaconing and data exfiltration, together with Base32 encoding as an evasion technique, so that security and data loss prevention (DLP) products are less likely to detect information leaving the environment. GozNym’s change in tactics involves the addition of a redirection attack using more than one C&C server and the targeting of banks in Europe rather than merely North America. Redirection attacks have been seen in both the Dyre and Dridex families, and the version used by GozNym involves two stages. Stage one is triggered when access to a bank URL known to GozNym is attempted: the user is instead given a fake page along with a blank overlay from one of the C&C servers. Stage two contacts a different C&C server, removes the overlay, and uses JavaScript to phish for a username, password, and other details.
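The DNS beaconing and Base32 encoding described for Multigrain can be hunted for in resolver logs. The following is an added example written for this alert, not TruShield's or FireEye's code: it scans a constructed DNS log, re-pads and decodes any long label that fits the Base32 alphabet, and keeps only labels whose character entropy is too high to be an ordinary hostname. The log lines, domain names, client addresses, the 16-character minimum label length and the 3.0-bit entropy threshold are all assumptions made for the example.

```python
"""Heuristic detection of Base32-encoded DNS labels, the beaconing and
exfiltration pattern described for Multigrain. Added example; not TruShield's
or FireEye's code, and the thresholds below are assumptions."""
import base64
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log in the form "<timestamp> <client ip> <queried name>".
# The names and addresses are placeholders, not indicators from the alert.
SAMPLE_DNS_LOG = """\
2016-04-20T10:00:01 10.0.5.21 www.example-bank.test
2016-04-20T10:00:02 10.0.5.21 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ.updates.example-cdn.test
2016-04-20T10:00:03 10.0.5.21 time.windows.test
2016-04-20T10:00:04 10.0.5.22 MFRGGZDFMZTWQ2LKNNWG23TPOBYXE43U.beacon.attacker-placeholder.test
2016-04-20T10:00:05 10.0.5.22 mail.example-corp.test
"""

BASE32_LABEL = re.compile(r"^[A-Z2-7]+$")
MIN_LABEL_LEN = 16   # assumption: shorter labels are too ambiguous to flag
MIN_ENTROPY = 3.0    # assumption: bits per character below which a label reads like a word


def shannon_entropy(text):
    """Bits of entropy per character of text (0 for a single repeated symbol)."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_base32_label(label):
    """Return the decoded bytes if label is a long, valid Base32 string, else None.

    DNS is case-insensitive and '=' padding cannot appear in a label, so the
    label is upper-cased and re-padded to a multiple of 8 before decoding.
    """
    up = label.upper()
    if len(up) < MIN_LABEL_LEN or not BASE32_LABEL.match(up):
        return None
    padded = up + "=" * (-len(up) % 8)
    try:
        return base64.b32decode(padded)
    except ValueError:            # binascii.Error is a ValueError subclass
        return None


def suspicious_queries(log_text):
    """Flag queries carrying a high-entropy Base32 label below the registrable domain."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        labels = qname.rstrip(".").split(".")
        for label in labels[:-2]:         # skip the registrable domain and TLD
            payload = decode_base32_label(label)
            if payload is None or shannon_entropy(label.upper()) < MIN_ENTROPY:
                continue
            findings.append({"time": ts, "client": client, "qname": qname,
                             "parent": ".".join(labels[-2:]), "decoded": payload})
            break
    return findings


def channels(findings):
    """Count flagged queries per (client, parent domain): a sustained stream from
    one host to one domain is the exfiltration signature, not a single hit."""
    counts = defaultdict(int)
    for f in findings:
        counts[(f["client"], f["parent"])] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = suspicious_queries(SAMPLE_DNS_LOG)
    for h in hits:
        print(h["time"], h["client"], h["qname"], "->", h["decoded"])
    print(channels(hits))
```

Run against a real resolver or Passive DNS export, the `channels()` counts matter more than individual hits: content delivery networks and some anti-spam services legitimately use long encoded labels, so tune the thresholds on a baseline of known-good traffic and alert on a host that sends many such queries to one parent domain over time.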

Panda Banker is being widely distributed by both targeted email and three major exploit kits. It emulates many previously discovered banking Trojans, with one infection path involving a macro document and an intermediate loader, but it also collects a broader range of system information than some previous threats and can perform automated online banking actions, such as wire transfers. A large portion of Panda Banker is based on Zeus. Finally, FIN6 is a prime example of multiple malware families, tools, credentials, and tactics used in conjunction by a malicious actor. The first stage of this APT’s operation is likely the use of the Grabnew malware or of stolen credentials produced by this malware family. These credentials are used for the second stage, movement within a victim’s network in order to access more sought-after systems. This movement mainly involves the use of commonly available tools and exploits to establish remote sessions disguised by SSH and thereby plant Trinity or FrameworkPOS malware on POS systems. Lastly, the criminals exfiltrate the payment data by means such as ZIP files sent via FTP or public file sharing services, and the data is later sold on the dark web.

Each of these threats provides another snapshot of current malicious tactics employed against the financial services industry. The best visibility is provided by the research on FIN6, which moves beyond a single piece of malware and presents a start-to-finish view of cyber-criminal activity. This exploration of the multiple stages involved in an attack also identifies the critical points at which to apply security controls, and the clear consequences when the proper steps are not taken. Information released regarding the compromise of the SWIFT global network is also a cautionary tale about how too much reliance on a single system can create a single point of failure; any financial institution using this network should update the access software as soon as possible.

Indicators of Compromise

MD5 Hash (Multigrain)
SHA 256 (Panda Banker)
C&C Sites and IPs (Panda Banker)

Mitigation and Prevention

  • Do not open unsolicited email or attachments.
  • Monitor for Active Directory, registry, or file changes.
  • Use updated antimalware and antivirus, especially with real-time protection.
  • Continuously monitor network traffic for C&C activity, including DNS queries.
  • Keep systems and applications patched with current updates.
  • Isolate infected systems and consider a full system wipe.
  • Monitor processes for alteration or injection attempts.
  • Use application control software with a base deny policy.
  • Compare files with known IOCs.
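The last item, comparing files with known IOCs, is the one most often done by hand. Below is an added example of how to automate it, written for this alert rather than taken from TruShield's tooling: it hashes every file under a directory once, producing both MD5 and SHA-256 digests in a single pass so that the Multigrain (MD5) and Panda Banker (SHA-256) indicator lists can be checked together, and normalises case so a feed that publishes uppercase hex does not silently miss. The hash values in the code are constructed placeholders, not the indicators from this alert; `demo()` builds a throwaway directory and inserts the hash of a harmless constructed file so the match logic can be exercised.

```python
"""Scan a directory tree for files whose MD5 or SHA-256 matches a known-IoC list.
Added example; not TruShield's code. Hash values here are constructed placeholders."""
import hashlib
import os
import tempfile


def normalise(iocs):
    """Lower-case and strip every hash so feed formatting never causes a miss."""
    return {h.strip().lower() for h in iocs}


def hash_file(path, chunk_size=1 << 16):
    """Return (md5, sha256) hex digests computed in a single pass over the file."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def scan_tree(root, iocs):
    """Walk root and return [(path, algorithm, digest)] for every IoC match."""
    bad = normalise(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha256 = hash_file(path)
            except OSError:
                continue  # unreadable or vanished file: skip rather than abort the scan
            if md5 in bad:
                hits.append((path, "md5", md5))
            if sha256 in bad:
                hits.append((path, "sha256", sha256))
    return hits


def demo():
    """Create a temporary directory with one benign and one 'known-bad' file, scan it,
    and return the matches as (file name, algorithm) pairs."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "readme.txt")
        with open(benign, "wb") as fh:
            fh.write(b"nothing to see here\n")
        # Constructed sample: harmless text whose SHA-256 is added to the IoC set below.
        sample = os.path.join(root, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"CONSTRUCTED SAMPLE, NOT MALWARE\n")
        _, sample_sha256 = hash_file(sample)
        iocs = {
            "00000000000000000000000000000000",   # placeholder MD5, stands in for a real IoC
            sample_sha256.upper(),                 # deliberately uppercase to exercise normalise()
        }
        hits = scan_tree(root, iocs)
        return [(os.path.basename(p), algo) for p, algo, _ in hits]


if __name__ == "__main__":
    print(demo())
```

For production use, feed `scan_tree()` the hash lists from the Indicators of Compromise section and point it at the paths where POS and banking software run; because it streams each file in 64 KiB chunks, large binaries and archives are handled without loading them into memory.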

Copyright © 2018