A series of phishing emails impersonating Reserve Bank of India (RBI) or other large banks like Axis Bank were sent to small co-operative banks in April, Quick Heal Security Labs’ enterprise security arm Seqrite reported.
The phishing emails carried text files referring to a circular or guideline for “operational or business continuity measures during covid-19” and urged recipients to open the attachments for more detailed information.
Researchers at Seqrite found that the attachment in the phishing emails used document file extensions such as xlsx or pdf to appear harmless. It actually carried a malicious JAR file, a remote admin trojan that can run on any Windows, Linux, or Mac system with a Java runtime enabled.
The JAR file uses multi-layered obfuscation techniques to avoid detection by anti-virus solutions on the system, which is what makes it so dangerous. Once installed, the JAR file becomes JRAT (Java Remote Access Trojan) and takes admin control over the targeted device. It lets the attacker send commands from a remote machine and spread further in the corporate network. The malware can also steal passwords and other credentials using keyloggers and can download additional payloads to steal more information.
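The disguise described above, a JAR file carrying a document extension such as xlsx or pdf, is something a mail gateway or a bank's own attachment filter can check for without relying on anti-virus signatures, which the report says the obfuscation is designed to defeat. The following is an added example, not code from Seqrite or from the report: it inspects attachment bytes rather than trusting the filename, and flags any ZIP container whose entries mark it as a Java archive (a `META-INF/MANIFEST.MF` or `.class` entries) when the name claims to be a document. All function names and sample attachments are constructed for illustration; note that a genuine .xlsx is itself a ZIP, so the check must look at the archive's contents, not merely at the magic bytes.

```python
import io
import zipfile

# Signatures and the document extensions the phishing campaign abused
ZIP_MAGIC = b"PK\x03\x04"
PDF_MAGIC = b"%PDF-"
DOCUMENT_EXTENSIONS = {".pdf", ".xlsx", ".xls", ".docx", ".doc"}


def build_zip(entries):
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def looks_like_jar(data):
    """True if the bytes are a ZIP whose entries identify it as a Java archive."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    has_manifest = "META-INF/MANIFEST.MF" in names
    has_classes = any(n.endswith(".class") for n in names)
    return has_manifest or has_classes


def classify_attachment(filename, data):
    """Return (verdict, reason) for one mail attachment, judging by content."""
    lower = filename.lower()
    parts = lower.rsplit(".", 1)
    ext = "." + parts[1] if len(parts) == 2 else ""
    if ext == ".jar":
        # Plain or double-extension JAR (e.g. circular.pdf.jar): never deliver
        return ("block", "executable Java archive")
    if looks_like_jar(data):
        if ext in DOCUMENT_EXTENSIONS:
            return ("block", f"JAR disguised with document extension {ext}")
        return ("block", "JAR with non-jar extension")
    if ext == ".pdf" and not data.startswith(PDF_MAGIC):
        return ("quarantine", "pdf extension but content is not PDF")
    return ("allow", "content matches extension")


# Constructed sample attachments (hypothetical names, not from the report)
GENUINE_XLSX = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "xl/workbook.xml": b"<workbook/>",
})
DISGUISED_JAR = build_zip({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: Loader\n",
    "Loader.class": b"\xca\xfe\xba\xbe",  # class-file magic, body omitted
})
PLAIN_PDF = b"%PDF-1.4\n% constructed sample\n"

SAMPLE_MAILBOX = {
    "rbi_circular.xlsx": GENUINE_XLSX,
    "covid_guideline.xlsx": DISGUISED_JAR,
    "business_continuity.pdf": DISGUISED_JAR,
    "notice.pdf": PLAIN_PDF,
    "circular.pdf.jar": DISGUISED_JAR,
}


def scan_mailbox(attachments):
    """Classify every attachment; returns {filename: (verdict, reason)}."""
    return {name: classify_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in scan_mailbox(SAMPLE_MAILBOX).items():
        print(f"{verdict:10} {name:28} {reason}")
```

The genuine spreadsheet passes because its ZIP entries are Office parts, while the same JAR bytes are blocked whether they arrive as `.xlsx`, `.pdf` or `.pdf.jar`; a real gateway would combine this with recipient-side policy, such as refusing executable content from unsolicited senders as the report advises.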
Phishing emails exploiting interest in covid-19 and sent in the name of the World Health Organisation (WHO), the United Nations (UN) and the CDC (Centers for Disease Control and Prevention) have been in circulation since the outbreak started. Their frequency has increased significantly in the last few weeks. Cybersecurity firm Check Point recently reported a 30% increase in covid-19 related cyberattacks over the past three weeks.
Phishing emails are common attack vectors, and up to 32% of corporate data breaches are triggered by them, as per a 2019 Verizon report.
Researchers at Seqrite believe the attackers used social engineering methods to obtain the email addresses of employees of small co-operative banks which did not have a trained cybersecurity team on board.
Seqrite further warns that these attacks can seriously undermine the privacy and security of critical data stored by the co-operative banks and can lead to large-scale financial fraud. Attackers can steal customer data and sell it online, or even create backdoors in bank databases to steal credentials such as SWIFT logins.
Seqrite has urged users and bank employees to not entertain unsolicited emails and avoid opening attachments or clicking on web links. Banks should also use comprehensive security solutions and keep operating systems up to date.