A recent statement from SRI (the Romanian Intelligence Service) reports that a cyber attack targeting customers of Internet Banking platforms is currently in progress.
In short, customers of banks in Romania who access the Internet Banking service on a PC through Chrome, Microsoft Edge or Firefox have a very high chance of exposing their access credentials (personal access data for the financial-banking platform) to those who launched the attack. Malicious actors would thereby gain access to bank accounts, authentication data for e-mail services and financial data. Note that the Internet Banking applications themselves are not affected.
SRI makes several recommendations for all bank customers who use Internet Banking:
“– Use of anti-virus solutions and the constant updating of their signatures;
– Avoid opening attachments in the form of an archive if their origin is uncertain and if they were not previously checked with anti-virus detection solutions;
– Avoid opening attachments or links from suspicious e-mail messages;
– Updating the operating system and avoiding the use of operating systems that no longer receive support from the manufacturer;
– Notifying the bank when you notice banking transactions that do not belong to you;
– Disabling automatic execution of some routines in MS Office (macros);
– Avoid manual execution of macros.”
*The full release is available on sri.ro.
The group that launched this cyber attack uses one of the most successful malware applications of the last decade: QBot.
QBot is part of a family of malware (viruses) whose source code has undergone many changes over the years, being refined by cyber crime groups and made “invisible” to the majority of antivirus software.
In its early days, QBot was used as a simple Trojan, capable of hiding in various kinds of files on a Windows system so that it could then extract confidential data, including user names and authentication passwords for Internet Banking platforms.
In recent years, QBot has acquired, besides its Trojan capabilities, those of a worm: it can propagate on its own across a network once it has managed to penetrate one computer on it. Moreover, the current threat causes difficulties for the companies that produce antivirus software. QBot can be controlled remotely from a command and control (C&C) server, from which it receives regular updates that help it hide and easily get past antivirus checks, including digital signatures that antivirus software detects as “safe”. A digital signature on a piece of software does not mean that the software is definitely safe, just as a website served over HTTPS (SSL) can still host malware or a malicious download. The worse part is that the digital signatures of applications and the HTTPS security of websites lead the browser, the operating system or the antivirus not to send alerts to users.
In its early days, QBot was delivered through PowerShell code. Its launch depended on Visual Basic (VBS) code that the victim had to execute. At that time, companies that made frequent use of e-mail services were targeted. As PowerShell became a common way of delivering malware, PowerShell code came to be closely monitored by antivirus software, and QBot was modified so that it could be delivered by other methods that are harder to anticipate and detect.
Currently, the QBot malware can be executed automatically or manually by the victim through an MS Word file with macros (sets of instructions / routines). This file arrives by e-mail in the form of an “official” and “trustworthy” message, which most of the time is not suspicious to antivirus software. If you do not open these files, you will be safe. By following SRI's advice, you can protect your confidential / sensitive data.
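As an added illustration of the macro and archive advice above (this is not code from SRI or from the original article), the Python sketch below triages an e-mail attachment before anyone opens it, flagging Word files that carry a macro part. The function names and the sample document are constructed for this example; the VBA part in the sample is placeholder bytes, not real macro code.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = ("application/vnd.openxmlformats-officedocument."
            "wordprocessingml.document.main+xml")


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'no-macro', 'legacy-ole', 'archive' or 'other'."""
    if data.startswith(OLE_MAGIC):
        # Binary Office formats may hold macros; this sketch does not parse them.
        return "legacy-ole"
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return "other"
    with zipfile.ZipFile(buf) as zf:
        names = {n.lower(): n for n in zf.namelist()}
        if "[content_types].xml" not in names:
            return "archive"  # plain archive: scan its contents before opening
        content_types = zf.read(names["[content_types].xml"]).lower()
    # Modern Office files keep VBA in a part named vbaProject.bin and declare
    # a macroEnabled content type; either signal is enough to flag the file.
    has_vba_part = any(n.endswith("vbaproject.bin") for n in names)
    if has_vba_part or b"macroenabled" in content_types:
        return "macro"
    return "no-macro"


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample document, built in memory for the demonstration."""
    main_type = MACRO_CT if with_macro else PLAIN_CT
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{main_type}"/></Types>')
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    return out.getvalue()


if __name__ == "__main__":
    for label, blob in [("invoice.docm", build_sample(True)),
                        ("notes.docx", build_sample(False)),
                        ("old.doc", OLE_MAGIC + b"\x00" * 64)]:
        print(f"{label}: {classify_attachment(blob)}")
```

A result of `macro`, `legacy-ole` or `archive` means the file should not be opened until it has been scanned and its sender confirmed.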
Remember that the best antivirus software is caution, attention and awareness.