Seqrite, an enterprise arm of security firm Quick Heal Technologies, detected a new wave of an Adwind Java Remote Access Trojan (RAT) campaign targeting Indian co-operative banks by taking advantage of the COVID-19 pandemic.
Seqrite warned that attackers were trying to take control of employees’ devices to steal sensitive data like SWIFT logins. “These banks are usually small in size & may not have a large team of trained cybersecurity personnel, which, potentially, has made them a target for cybercriminals,” Seqrite said in a statement.
According to Seqrite, the Java RAT campaign begins with a spear-phishing email which claims to have originated from the Reserve Bank of India or a nationalized bank. The email refers to COVID-19 guidelines or a financial transaction detailed in an attachment, which is a zip file containing JAR-based malware. Seqrite observed that the JAR-based malware can run on any machine with a Java runtime installed and can therefore impact a variety of endpoints, irrespective of their underlying operating system.
Once the Trojan is installed, the attacker can take over the victim’s device, send commands from a remote machine, and spread across the network. The malware can also capture screenshots, download additional payloads, log keystrokes, and extract sensitive user information. “These attack campaigns can effectively jeopardize the privacy and security of sensitive data at the co-operative banks and result in large-scale attacks and financial frauds,” the statement added.
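As an added illustration, not part of Seqrite's report, the following Python check shows how a mail gateway or sandbox could flag the delivery format described above: a zip attachment carrying a .jar (itself a zip) or raw Java class files, recursing into nested archives so a renamed jar is still caught by its class-file magic bytes. The sample attachment, entry names and the `should_quarantine` policy are constructed for this example.

```python
import io
import zipfile

# Every compiled Java class file starts with these four bytes.
JAVA_CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# Local file header that opens any zip/jar stream.
ZIP_MAGIC = b"PK\x03\x04"


def find_java_payloads(zip_bytes, depth=0, max_depth=3):
    """Return entry paths inside a zip attachment that look like Java code.

    Flags .jar entries by name, .class files by magic bytes, and recurses into
    any nested archive (by content, not extension) up to max_depth levels.
    """
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return findings  # not a zip at all; leave to other scanners
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename
        data = zf.read(name)
        if data.startswith(JAVA_CLASS_MAGIC):
            findings.append(name)
            continue
        if name.lower().endswith(".jar"):
            findings.append(name)
        # Nested zip/jar: inspect its contents regardless of the outer name.
        if depth < max_depth and data.startswith(ZIP_MAGIC):
            nested = find_java_payloads(data, depth + 1, max_depth)
            findings.extend(f"{name}!/{p}" for p in nested)
    return findings


def should_quarantine(zip_bytes):
    """Constructed policy: hold any zip attachment that carries Java code."""
    return len(find_java_payloads(zip_bytes)) > 0


def build_sample_attachment():
    """Constructed sample: a zip wrapping a minimal jar with one class entry."""
    jar_buf = io.BytesIO()
    with zipfile.ZipFile(jar_buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Loader\n")
        jar.writestr("Loader.class", JAVA_CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 8)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("COVID19_Guidelines.jar", jar_buf.getvalue())
        z.writestr("readme.txt", "Please review the attached guidelines.\n")
    return outer.getvalue()
```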
Quick Heal urged users to exercise proper security measures and avoid opening email attachments and clicking links in unsolicited emails.
Cyberattacks on Indian Banks
A number of cyberattacks have been reported on banks in India, causing a huge financial impact on the banks and their users. Recently, cybersecurity firm Group-IB detected a database containing over 460,000 payment card records of Indian banks for sale on the darknet. The database, named “INDIA-BIG-MIX” (full name: “[CC] INDIA-BIG-MIX (FRESH SNIFFED CVV) INDIA/EU/WORLD MIX, HIGH VALID 80-85%, uploaded 2020-02-05 NON-REFUNDABLE BASE”), was kept on “Joker’s Stash”, a dark web marketplace for trading stolen card data.
While the source of the database remains unknown, Group-IB notified the Indian Computer Emergency Response Team (CERT-In) about the leak. According to Group-IB, the database contains 461,976 payment records, including card numbers, expiration dates, CVV/CVC codes, cardholders’ full names, email IDs, contact details, phone numbers, and addresses. It is estimated that the underground market value of these cards’ data would be more than $4.2 million.