Odinaff Trojan Taking Aim at Financial Services

Symantec warns of the growing risk from a malware variant that is targeting the SWIFT messaging system that banks use for financial transfers.

Symantec issued a warning on Oct. 11 about an emerging malware dubbed Odinaff that is going after the SWIFT messaging system used by banks for financial transfers. The precise financial impact of Odinaff is currently unclear.

"We estimate around 100 organizations were infected, but we don't have full visibility into all the infected organizations in the world," Eric Chien, technical director of Symantec Security Response, told eWEEK.

The Odinaff attack appears to have begun in January, impacting multiple countries, including the United States, Hong Kong, Australia, the United Kingdom and Ukraine. Symantec's analysis has determined that 34 percent of Odinaff attacks were directly against the financial service sector. Approximately 60 percent of attack targets were classified as being unknown, though Symantec has determined that in most of the unknown target cases, financial software applications were the target.

In addition, Symantec discovered that Odinaff targets have included users of the SWIFT financial messaging system. The SWIFT system has been under pressure in 2016, with attackers stealing approximately $81 million from multiple victims.

Symantec classifies Odinaff as a Trojan, which is a class of malware that is designed to help infiltrate a network and enable backdoor access. According to Symantec's analysis, Odinaff is used in the first part of an attack against a financial institution, with additional tools deployed once Odinaff is installed.

Of particular note is how the Odinaff Trojan actually gets into an organization. One of the methods used is a malicious Microsoft Office macro. The other method involves the use of a password-protected RAR archive file. In both cases, the attack attempts to trick an unsuspecting user into clicking on an item, which ends up deploying the Odinaff Trojan.

"No vulnerabilities are used in these attacks," Chien said. "The attackers simply use social engineering to trick users into running the malicious macros."

Once Odinaff is on an infected device, it downloads additional tools to find and then exfiltrate data. Symantec's analysis found that following a successful Odinaff deployment, attackers make use of multiple legitimate network analysis tools, including NetScan and PowerShell. The Odinaff attacks also make use of Mimikatz, which is a popular open-source password recovery tool.

While the source of Odinaff has yet to be identified, Symantec suspects there is a connection to the Carbanak hacking group that has been active since at least February 2015 attacking financial services firms.

Chien said there are two main links between Odinaff and Carbanak. "Breaches that were attributed to Carbanak used the same IP addresses as Odinaff, and machines that were infected with Carbanak were also infected with Odinaff," he said. "However, this is not enough evidence to say they are the same group."

While Odinaff does represent a threat, protecting against the risk isn't complex. Symantec's recommendation is for organizations to use a multilayered approach to provide protection against all stages of the attack, according to Chien. The approach includes the use of antivirus, intrusion prevention and email security technologies.

"Additionally, it's important to educate users on the dangers of launching email attachments without verifying the source," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.