A new form of phishing attack is targeting users of SWIFT financial messaging services, according to Comodo Threat Research Lab.
Victims receive an email disguised as a message from SWIFT, about a “wire bank transfer to your designated bank account,” and are directed to click the attachment for further details.
Comodo analysts discovered that the message is “nothing but malware — Trojan.JAVA.AdwindRAT,” the firm states in a blog post published on Wednesday. “Once it has penetrated a user’s system, it modifies the registry, spawns many processes, checks for an antivirus installation and tries to kill its process.”
The malware also checks for the presence of “forensic, monitoring or anti-adware tools, then drops these malicious executable files and makes a connection with a domain in the hidden Tor network,” the blog post continues.
Finally, if it can, it disables the Windows restore option and the User Account Control, which prevents programs from being installed without the user being aware of it, Comodo warns.
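Turning off User Account Control and System Restore, as described above, leaves registry writes that defenders can alert on. The detection logic below is an added example, not code from Comodo's post. It assumes Sysmon-style registry-set events (fields `Image`, `TargetObject`, `Details`) and the standard Windows policy values `EnableLUA` and `DisableSR`, because the article does not say which values the malware writes; the sample events are constructed.

```python
import re
from collections import defaultdict

# Standard Windows policy values for the two features the article names (assumption:
# the article does not list them). Key suffix -> (finding, DWORD that weakens it).
WATCHED = {
    r"\software\microsoft\windows\currentversion\policies\system\enablelua":
        ("UAC disabled", 0),
    r"\software\policies\microsoft\windows nt\systemrestore\disablesr":
        ("System Restore disabled", 1),
}
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")

def classify(event):
    """Return a finding label if the registry write weakens a watched control."""
    target = event["TargetObject"].lower()
    match = DWORD_RE.fullmatch(event["Details"].strip())
    if not match or not target.startswith("hklm"):
        return None
    value = int(match.group(1), 16)
    for suffix, (label, weak_value) in WATCHED.items():
        if target.endswith(suffix) and value == weak_value:
            return label
    return None

def correlate(events):
    """Group findings per process; one process weakening both controls is rated high."""
    by_image = defaultdict(set)
    for event in events:
        label = classify(event)
        if label:
            by_image[event["Image"]].add(label)
    return {image: {"findings": sorted(labels),
                    "severity": "high" if len(labels) == 2 else "medium"}
            for image, labels in by_image.items()}

# Constructed sample events (not taken from the article or from a real host).
JAVAW = r"C:\Program Files\Java\jre\bin\javaw.exe"
LUA = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"
SR = r"HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore\DisableSR"
SAMPLE_EVENTS = [
    {"Image": JAVAW, "TargetObject": LUA, "Details": "DWORD (0x00000000)"},
    {"Image": JAVAW, "TargetObject": SR, "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "TargetObject": LUA,
     "Details": "DWORD (0x00000001)"},  # re-enables UAC, so it is not flagged
]
if __name__ == "__main__":
    for image, result in correlate(SAMPLE_EVENTS).items():
        print(result["severity"], image, result["findings"])
```

Correlating by process keeps a single legitimate policy change at medium severity while a process that weakens both controls stands out.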
The purpose is likely spying or reconnaissance, Comodo analysts say.
“The attackers send their 'cyberspy' to collect information about the attacked enterprise network and endpoints, thus preparing for the second phase of the cyberattack with additional types of malware,” the post continues.
The end game: “Having the precise information about the enterprise, these cyberattackers can even create malware specifically adjusted to the target environment to bypass all defensive mechanisms of the enterprise and hit the heart of the target,” Comodo adds in its post.
According to Comodo, SWIFT connects over 11,000 banking and security organizations, market infrastructures and corporate customers in more than 200 countries.