Fourth bank linked to SWIFT payments attacks - this time in the Philippines
Bank in the Philippines the latest identified victim following analysis of malware used in attempted cyber heist
A bank in the Philippines is the latest to be identified in a string of attacks over the past year that have targeted banks' SWIFT payment systems.
The link was made by security software and services company Symantec. It claims that the same gang that successfully got away with $81m from Bangladesh Bank, the central bank of Bangladesh, was also behind attacks on banks in Vietnam and now the Philippines.
According to Symantec, the tools known to have been used in all of the attacks except Ecuador's Banco del Austro share code similarities. It claims that an analysis of the code links it to a "threat group" known as Lazarus. The tools used in the attacks against Banco del Austro aren't currently known, and that case is exceptional in the sense that the bank has launched legal action against the beneficiary's banks.
"Symantec has identified three pieces of malware which were being used in limited targeted attacks against the financial industry in South-East Asia: Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee," claimed Symantec's Security Response team in a blog post this weekend.
It continued: "At first, it was unclear what the motivation behind these attacks were, however code sharing between Trojan.Banswift (used in the Bangladesh attack used to manipulate SWIFT transactions) and early variants of Backdoor.Contopee provided a connection."
According to Symantec, security software and services companies are cooperating closely in an initiative called Operation Blockbuster in a bid to better protect themselves and their clients against Lazarus. As part of the initiative, vendors are circulating malware signatures and other useful intelligence related to these attackers, claims the company.
"The discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region. While awareness of the threat posed by the group has now been raised, its initial success may prompt other attack groups to launch similar attacks. Banks and other financial institutions should remain vigilant," warned Symantec.