Info security body finds no evidence of infection at Swiss banks as a result of “Sharpshooter” campaign

Maria Nikolova

Switzerland’s Reporting and Analysis Centre for Information Assurance is in touch with a number of banks but no evidence of infection has been found.

Switzerland’s Reporting and Analysis Centre for Information Assurance (MELANI) earlier today published its 29th semi-annual report, which covers the most important cyber incidents of the first half of 2019, both in Switzerland and abroad.

MELANI noted the Lazarus attacks targeting Swiss banks. In March 2019, security software company McAfee published a follow-up to its December 2018 report on the Sharpshooter campaign. Last year, the campaign targeted 87 companies from all over the world, but mainly in the US. The companies concerned were from the defence, energy, nuclear and financial sectors.

In its second report, McAfee confirmed its initial suspicion that the Lazarus group was behind the attacks. The group is well known for having attacked systems at various banks and is considered by many experts to be connected to the North Korean regime.

In its first report on the matter, McAfee described attempted attacks against Swiss financial institutions.

Today, MELANI said it is in contact with a number of banks, as mentioned in the preceding semi-annual report.

“Then as now, no evidence of infection has been found at the potential target companies in Switzerland”, says MELANI.

Let’s recall that, in December 2018, security firm McAfee released a report on a newly discovered APT campaign against defence, energy, nuclear and financial companies. The campaign, called “Sharpshooter”, began on October 25, 2018 with the sending of infected documents to individuals at 87 organisations around the world, mainly in the USA. According to the report, Swiss companies in the financial sector were also hit by the campaign.

Social engineering was used to get the recipients to open the infected documents. The message was disguised as a letter of application and contained a link to a document on Dropbox which allegedly contained the application dossier. This method is particularly insidious because HR departments often receive unsolicited applications and usually open such documents.

The infection occurred via a macro contained in the Word document. Such macros are now blocked in many companies, or are activated only after the user confirms a corresponding warning message. If the macro is executed despite all warnings, it loads Sharpshooter into the working memory of the Word process. The malware then installs a modular backdoor called “Rising Sun”. The functions of this component include collecting and sending information about documents, user names, network configuration and system settings. The malware can also load additional functionality.
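The lure and delivery chain described above (an unsolicited application pointing at a Dropbox-hosted Word document that carries a VBA macro) lends itself to a simple mailbox triage check. The following is an added example, not code from MELANI or McAfee; the sharing-host list, the sample email and the minimal OOXML container are constructed for illustration.

```python
import io, re, zipfile
from email import policy
from email.parser import BytesParser

SHARING_HOSTS = ("dropbox.com", "dropboxusercontent.com")  # assumed watch list
LINK_RE = re.compile(r"https?://[^\s\"'<>]+")
MACRO_PART = "word/vbaProject.bin"  # where OOXML Word stores a VBA project

def ooxml_has_macro(data: bytes) -> bool:
    # OOXML files are zip containers; non-zip data (e.g. legacy .doc) -> False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return MACRO_PART in z.namelist()
    except zipfile.BadZipFile:
        return False

def sharing_links(text: str) -> list:
    # links whose host is (a subdomain of) a file-sharing service
    hits = []
    for url in LINK_RE.findall(text):
        host = url.split("/")[2].lower()
        if any(host == h or host.endswith("." + h) for h in SHARING_HOSTS):
            hits.append(url)
    return hits

def triage_message(raw: bytes) -> dict:
    # flag an inbound mail that links to a sharing host or carries a macro doc
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    found = {"sharing_links": sharing_links(text), "macro_attachments": []}
    for part in msg.iter_attachments():
        if ooxml_has_macro(part.get_payload(decode=True)):
            found["macro_attachments"].append(part.get_filename())
    found["flag"] = bool(found["sharing_links"] or found["macro_attachments"])
    return found

def build_sample_docx(with_macro: bool) -> bytes:
    # constructed minimal OOXML container used to exercise ooxml_has_macro
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr(MACRO_PART, b"constructed VBA project stub")
    return buf.getvalue()

# constructed lure in the shape the report describes: an unsolicited
# application whose "dossier" sits behind a Dropbox link
SAMPLE_EMAIL = (b"From: applicant@example.invalid\nTo: hr@bank.example.invalid\n"
                b"Subject: Application\nContent-Type: text/plain; charset=utf-8\n\n"
                b"My application dossier: https://www.dropbox.com/s/abc123/dossier.docm\n")
```

A hit from either check is a reason to route the message to security review rather than to the HR inbox; legacy binary .doc files are not inspected by this check and need an OLE-aware parser.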

The malware communicates via a command and control server controlled by the attackers.

In analysing the campaign, McAfee found evidence of connections to the “Lazarus” group: “Rising Sun” contains code and configuration data from the “Duuzer” malware family. Duuzer was also used in the hacker attack on Sony, which is attributed to the Lazarus group.
