Lastline Reveals Sophisticated Keylogger Exposure in Finance 

Criminals are stepping up their game, launching more sophisticated attacks against a segment known for its security capabilities

Lastline has uncovered an unusually large number of iSpy keylogger samples, a variant of the notorious HawkEye logger, targeting the financial services industry and finance departments across segments. This fully functioning keylogger sends victims’ credentials to a server under the keylogger operator’s control. By intercepting the communication with the command and control server, Lastline observed the active exfiltration of website, email and FTP credentials, as well as license key information for installed products.

The company’s new Finance-focused Malscape® Snapshot details the latest attacks and trends derived from the millions of malware samples that Lastline analyzes every week. The report found three separate strains of keylogger malware that are currently targeting finance.

The analysis also detected sophisticated Emotet and URSNIF keyloggers being delivered via Microsoft Office documents. These two strains of malware share an evasion module for detecting dynamic analysis environments, and common methods for interfering with financial transactions, such as a man-in-the-middle network sniffing capability and hijacking of automated transfer payments. Because both are modular in nature, their operators have developed and added new features over time, including lateral movement, additional credential theft, and spam capabilities.

“We definitely detected a higher than usual incident of very sophisticated malware,” commented Andy Norton, Lastline Director of Threat Intelligence and the report’s author. “This is not surprising considering that finance has long been a target for cybercriminals and accordingly has elevated their security capabilities. Because of this, criminals are forced to up their game, which was very clearly seen in these recent samples.”

The overall trend data shared in the report covers all threats targeting finance departments across industries, plus financial services companies, over a 30-day period. Findings that highlight the use of more sophisticated malware against finance include:

  1. The percentage of files analyzed by Lastline that were found to be malicious was 47 percent higher than the global figure Lastline reported in its recent Malscape Monitor Report.
  2. The share of malware samples that display all four of the key advanced malware behaviors was 20 percent higher than the global average. Those four behaviors are: the malware is packed to avoid static analysis, it evades dynamic analysis, it remains stealthy on the infected host, and it steals credentials.

The full Malscape Snapshot: Finance report can be downloaded here.