McAfee Labs, the threat-research arm of the cybersecurity company McAfee, released a report on March 8, 2018 indicating that financial organizations in Turkey had been targeted with malware that gives attackers remote access to compromised systems and to the data handled on them.
“Based on our analysis, financial organizations in Turkey were targeted via spear phishing emails containing a malicious Microsoft Word document. The document contains an embedded Adobe Flash exploit, which was recently announced by the Korean Internet Security agency. The exploit, which takes advantage of CVE-2018-4878, allows an attacker to execute arbitrary code such as an implant.”
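The delivery vector the report describes, a Word document with an embedded Flash object, leaves traces a defender can check for before the document is ever opened: a .docx is a zip container, and Flash shows up either as an SWF byte stream (signatures FWS, CWS or ZWS) inside an embedded object part, as a Shockwave Flash ActiveX control declared in word/activeX/, or as an x-shockwave-flash content type. The following scanner is an added example written for this page, not code from McAfee or from the report; the sample documents it builds are constructed in memory for the demonstration and are not the Bankshot lure.

```python
import io
import re
import zipfile

# SWF byte-stream signatures: uncompressed, zlib-compressed, LZMA-compressed.
# The byte after the signature is the SWF version (1..42 as of Flash's end of life).
SWF_SIGNATURE = re.compile(rb"[FCZ]WS[\x01-\x2a]")

# CLSID of the Shockwave Flash ActiveX control (ShockwaveFlash.ShockwaveFlash).
FLASH_CLSID = "d27cdb6e-ae6d-11cf-96b8-444553540000"
FLASH_CONTENT_TYPE = "application/x-shockwave-flash"


def is_binary_part(name: str) -> bool:
    """Parts where an SWF may sit inside a larger OLE/compound stream, so a
    signature search anywhere in the part is justified (not just offset 0)."""
    return name.endswith(".bin") or name.startswith(("word/embeddings/", "word/media/"))


def scan_ooxml_for_flash(data: bytes) -> list[str]:
    """Triage an OOXML (docx/xlsx/pptx) file given as bytes.
    Returns a list of human-readable findings; an empty list means no Flash found."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML (zip) container"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            content = zf.read(name)

            # 1. SWF signature: anywhere in binary object parts, at offset 0 elsewhere
            #    (attackers rename .swf parts freely, so extensions are ignored).
            match = SWF_SIGNATURE.search(content) if is_binary_part(name) else SWF_SIGNATURE.match(content)
            if match:
                findings.append(f"SWF signature {match.group(0)[:3].decode()} at offset {match.start()} in {name}")

            if name.endswith(".xml"):
                text = content.decode("utf-8", "replace").lower()
                # 2. Flash ActiveX control declared in an activeX part.
                if name.startswith("word/activeX/") and FLASH_CLSID in text:
                    findings.append(f"Shockwave Flash ActiveX CLSID in {name}")
                # 3. Flash content type registered for the package.
                if name == "[Content_Types].xml" and FLASH_CONTENT_TYPE in text:
                    findings.append(f"{FLASH_CONTENT_TYPE} registered in {name}")
    return findings


def build_sample_docx(with_flash: bool) -> bytes:
    """Constructed test data: a minimal OOXML container, optionally carrying the
    three kinds of parts an embedded-Flash document leaves behind."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        content_types = '<?xml version="1.0"?><Types>'
        if with_flash:
            content_types += f'<Default Extension="swf" ContentType="{FLASH_CONTENT_TYPE}"/>'
        content_types += "</Types>"
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_flash:
            # Fake OLE stream: 64 bytes of header, then a zlib-compressed SWF header
            # (signature CWS, version 10, 4-byte little-endian length) and filler.
            zf.writestr("word/embeddings/oleObject1.bin",
                        b"\x00" * 64 + b"CWS\x0a" + b"\x20\x00\x00\x00" + b"\x00" * 32)
            zf.writestr("word/activeX/activeX1.xml",
                        '<ax:ocx ax:classid="{D27CDB6E-AE6D-11CF-96B8-444553540000}"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_sample_docx(False)), ("flash", build_sample_docx(True))):
        print(label, scan_ooxml_for_flash(doc) or "clean")
```

The signature search is deliberately confined to binary object parts; a three-byte pattern like CWS followed by a small byte would otherwise produce false positives in ordinary XML text. A hit from this scanner is a reason to detonate or block the document, not proof of CVE-2018-4878: legitimate documents can embed Flash too, which is exactly why the exploit was a useful lure.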
The malware closely resembles, in structure, malware identified and neutralized in 2016 during a series of attacks on the SWIFT interbank system, in which attackers attempted to steal US$951 million and, in one case, replaced the Foxit Reader PDF viewer with a malicious “clone” to hide fraudulent transfers.
This malware, identified as “Bankshot,” resurfaced a few days ago, and on the strength of shared code, FBI experts, analysts at the Department of Homeland Security and independent researchers have attributed it to the “Hidden Cobra” group. That group has been officially linked to North Korea in US government reports, which publish indicators and technical analysis but not the underlying intelligence behind the attribution.
The infection chain starts with a spear-phishing lure: an invitation to download a template for a Bitcoin distribution agreement (via Coinbase) between an unnamed individual in Paris and a crypto exchange. The exchange’s address is a typosquat of the cryptocurrency-lending platform FalconCoin, differing by a single letter: instead of www.falconcoin.co (currently unavailable), it points to www.falcancoin.io.
When the downloaded agreement is opened, the embedded exploit runs and installs the implant, “(giving) an attacker full capability on a victim’s system.”