Info security body finds no evidence of infection at Swiss banks as a result of “Sharpshooter” campaign

Maria Nikolova

Switzerland’s Reporting and Analysis Centre for Information Assurance is in touch with a number of banks but no evidence of infection has been found.

Switzerland’s Reporting and Analysis Centre for Information Assurance (MELANI) earlier today published its 29th semi-annual report, which covers the most important cyber incidents of the first half of 2019, both in Switzerland and abroad.

MELANI noted the Lazarus attacks targeting Swiss banks. In March 2019, security software company McAfee published a follow-up to its December 2018 report on the Sharpshooter campaign. Last year, the campaign targeted 87 companies from all over the world, but mainly in the US. The companies concerned were from the defence, energy, nuclear and financial sectors.

In its second report, McAfee confirmed its initial suspicion that the Lazarus group was behind the attacks. The group is well known for having attacked systems at various banks and is considered by many experts to be connected to the North Korean regime.

In its first report on the matter, McAfee described attempted attacks against Swiss financial institutions.

Today, MELANI said it is in contact with a number of banks, as mentioned in the preceding semi-annual report.

“Then as now, no evidence of infection has been found at the potential target companies in Switzerland”, says MELANI.

Let’s recall that, in December 2018, security firm McAfee released a report on a newly discovered APT campaign against defence, energy, nuclear, and financial companies. The campaign, called “Sharpshooter”, began on October 25, 2018 with the sending of infected documents to individuals from 87 organisations around the world, mainly in the USA. According to the report, Swiss companies in the financial sector were also hit by the campaign.

Social engineering was used to get the recipients to open the infected documents. The message was disguised as a job application and contained a link to a document on Dropbox which allegedly contained the application dossier. This method is particularly insidious because HR departments often receive unsolicited applications and routinely open such documents.

The infection occurred via a macro contained in the Word document. Such macros are now blocked in many companies, or are activated only after the user confirms a corresponding warning message. If the macro is executed despite all warnings, it loads the Sharpshooter implant into the memory of the Word process. The implant then installs a modular backdoor called “Rising Sun”. The functions of this component include collecting and sending information about documents, user names, network configuration, and system settings. The malware can also load additional modules on demand.

The malware communicates via a command and control server controlled by the attackers.
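The infection chain above starts with a macro-bearing Word document, and the article notes that many companies now block such macros. One place to enforce that is at the mail gateway or the file-sharing proxy, before the document reaches an HR mailbox. The script below is an added example, not code from MELANI, McAfee or the original article. It inspects an Office Open XML package (the zip container behind `.docx`/`.docm`) for the two signals that indicate an embedded VBA project: a `word/vbaProject.bin` part, and the macro-enabled main-document content type in `[Content_Types].xml`. The two sample documents are constructed in memory so the script runs offline; the function names and the quarantine policy are this example's own choices.

```python
"""Flag Office Open XML documents that carry VBA macros before a user opens them.

Added example, not code from MELANI or McAfee. The two sample documents are
built in memory as minimal OOXML zip packages so the script runs offline;
real .docx/.docm files use the same part layout.
"""
import io
import zipfile

# Content type Word assigns to the main part of a macro-enabled document (.docm).
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
# Part names (compared case-insensitively) under which VBA projects live.
MACRO_PART_NAMES = ("word/vbaproject.bin", "word/vbadata.xml")


def inspect_office_document(data: bytes) -> dict:
    """Return {'is_ooxml', 'has_macros', 'reasons'} for a document blob."""
    result = {"is_ooxml": False, "has_macros": False, "reasons": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip at all: legacy .doc, PDF, or garbage
    with zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return result  # a zip, but not an Office Open XML package
        result["is_ooxml"] = True
        lowered = {n.lower() for n in names}
        for part in MACRO_PART_NAMES:
            if part in lowered:
                result["reasons"].append(f"VBA part present: {part}")
        content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if MACRO_CONTENT_TYPE in content_types:
            result["reasons"].append("macro-enabled main document content type")
    result["has_macros"] = bool(result["reasons"])
    return result


def _build_package(parts: dict) -> bytes:
    """Build a minimal OOXML zip from {part_name: bytes} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


CONTENT_TYPES_PLAIN = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Override PartName="/word/document.xml"
   ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""

CONTENT_TYPES_MACRO = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
  <Override PartName="/word/document.xml"
   ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
  <Override PartName="/word/vbaProject.bin"
   ContentType="application/vnd.ms-office.vbaProject"/>
</Types>"""

DOCUMENT_XML = (
    b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'
)

# Constructed samples: a plain "application dossier" and a macro-enabled one.
PLAIN_DOCX = _build_package({
    "[Content_Types].xml": CONTENT_TYPES_PLAIN,
    "word/document.xml": DOCUMENT_XML,
})
MACRO_DOCM = _build_package({
    "[Content_Types].xml": CONTENT_TYPES_MACRO,
    "word/document.xml": DOCUMENT_XML,
    # Placeholder bytes standing in for a real OLE-packed VBA project.
    "word/vbaProject.bin": b"\xd0\xcf\x11\xe0" + b"\x00" * 32,
})

if __name__ == "__main__":
    for label, blob in (("plain.docx", PLAIN_DOCX), ("dossier.docm", MACRO_DOCM)):
        verdict = inspect_office_document(blob)
        action = "QUARANTINE" if verdict["has_macros"] else "allow"
        print(f"{label}: {action} {verdict['reasons']}")
```

Both checks are kept because each catches a case the other misses: a `.docm` renamed to `.docx` still carries the `vbaProject.bin` part, while a package whose VBA part was stored under an unusual name still declares the macro-enabled content type. Legitimate macro-enabled documents do exist, so the result is a triage signal for quarantine and review rather than proof of infection; it does not replace an Office policy that disables macros from the internet.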

In analysing the campaign, McAfee found evidence of connections to the “Lazarus” group: “Rising Sun” contains code and configuration data from the “Duuzer” family. Duuzer was also used in the hacker attack on Sony, which is associated with the Lazarus group.
