360 Security Guard · 2016/06/02 11:52

Author: 360 Chasing the Sun team

Recently, banks in Bangladesh, Ecuador, Vietnam, the Philippines and other countries have been reported as hacked, with the attackers attempting to steal money. These incidents target the SWIFT interbank transfer system of the affected banks. The 360 Chasing the Sun team made an in-depth analysis of the intercepted malicious code samples used in the attack on Vietnam Pioneer Bank, and on that basis made a preliminary exploration of the techniques involved in this incident.

0x00 Overview

As the $81 million hack of Bangladesh’s central bank heats up, other cyber attacks on banks’ SWIFT systems have been revealed one by one, as shown in the table below:

Table 1 Summary of attacks on banks

Based on its analysis of the malicious code and techniques, together with research from other security vendors, the 360 Chasing the Sun team speculates that the same group may be behind the attacks on Bangladesh Central Bank and Vietnam Pioneer Bank, possibly Lazarus, the group revealed by Operation Blockbuster. Chinese institutions are also among the group’s main targets.

This report mainly conducts an in-depth analysis of the attack events and samples related to Vietnam Pioneer Bank, and does not, for the time being, correlate the Bangladesh Central Bank attack with the Lazarus group in depth. A detailed attribution analysis of the related events and organizations will be given in a subsequent association analysis report.

About the Lazarus hacking group

On February 25, 2016, the Lazarus hacking group and related attacks were analyzed and uncovered by security companies including Kaspersky Lab, AlienVault LABS, and Novetta. Lazarus was the group behind the DarkSeoul attack on South Korean financial institutions and media companies in 2013 and the Sony Pictures Entertainment (SPE) attack in 2014.

Table 2 Major events in the historical activity of the Lazarus group

0x01 About SWIFT

The full name of SWIFT is Society for Worldwide Interbank Financial Telecommunication; its Chinese name translates as “Worldwide Interbank Financial Telecommunication Association”. SWIFT was formally established in May 1973 by major banks in the United States, Canada and Europe, and its headquarters is located in Brussels, Belgium. It is a non-profit organization set up because the financial communication systems of individual countries could not keep pace with the rapid growth of international payments and clearing; it is responsible for the design, establishment and management of the SWIFT international network, which facilitates the transmission and routing of international financial messages among the organization’s members.

SWIFT is now used by most banks in most countries around the world. It enables banks to provide safe, reliable, fast, standardized and automated communication services for settlement, which greatly improves settlement speed. Because the SWIFT format is standardized, SWIFT messages are at present mainly used for letters of credit.

1. Services provided by SWIFT

  • Access Services (Connectivity)

    SWIFTAlliance Access and Entry, SWIFTAlliance Gateway, SWIFTAlliance Webstation, and File Transfer Interface.

  • Financial Messaging

    Transmission modes include SWIFTNet FIN, SWIFTNet InterAct, SWIFTNet FileAct and SWIFTNet Browse.

  • Transaction Processing Services

    Provide transaction processing matching services, real-time reporting of bilateral netting clearing services, B2B support for end-to-end electronic payments in commerce, etc.

  • Analytical Services and Tools

    Provide supporting services to financial institutions, namely analytical services and analytical tools.

2. SWIFT CODE

SWIFT Code is a bank identifier code proposed by the Association and approved by ISO. Its original name is BIC (Bank Identifier Code).

Each bank applying to join SWIFT must draw up its own SWIFT address code in advance according to SWIFT’s uniform rules; the code takes effect after approval by SWIFT. A SWIFT code consists of 8 or 11 letters or digits.

Code format:

  • 8 characters long: XXXXXXXX

  • 11 characters long: XXXXXXXXXXX

The meanings of each part are as follows:

A. Bank code: four easily recognizable letters derived from the bank’s name, such as ABOC, ICBK, CITI, etc.;

B. Country code: two letters as defined by the International Organization for Standardization, such as CN, HK, GB, US, DE, etc.;

C. Location code: two digits or letters indicating the city, such as BJ, HH or SX;

D. Branch code: three digits or letters identifying the branch, such as 100, 010, CJ1, 400, etc. XXX denotes the head office.
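The four-part layout above, as an added example (not code from the 360 report): a parser that validates an 8- or 11-character SWIFT code and splits it into bank, country, location and branch. The rule that the bank and country parts must be letters only follows the ISO 9362 layout and is an assumption beyond the page’s own wording.

```python
import re
from dataclasses import dataclass

# 4 bank + 2 country + 2 location [+ 3 branch]. Letters-only bank/country is an
# assumption taken from ISO 9362; the page only says "letters or digits".
BIC_RE = re.compile(r"^([A-Z]{4})([A-Z]{2})([A-Z0-9]{2})([A-Z0-9]{3})?$")

@dataclass(frozen=True)
class SwiftCode:
    bank: str
    country: str
    location: str
    branch: str          # "XXX" denotes the head office

    @property
    def is_head_office(self) -> bool:
        return self.branch == "XXX"

    @property
    def bic8(self) -> str:
        """The institution part shared by the 8- and 11-character forms."""
        return self.bank + self.country + self.location

def parse_swift_code(code: str) -> SwiftCode:
    """Validate an 8- or 11-character SWIFT code and split it into its four parts."""
    code = code.strip().upper()
    if len(code) not in (8, 11):
        raise ValueError(f"SWIFT code must be 8 or 11 characters, got {len(code)}: {code!r}")
    m = BIC_RE.match(code)
    if not m:
        raise ValueError(f"malformed SWIFT code: {code!r}")
    bank, country, location, branch = m.groups()
    return SwiftCode(bank, country, location, branch or "XXX")   # 8-char form = head office

def same_institution(a: str, b: str) -> bool:
    """True when two codes name the same bank/country/location, whatever the branch."""
    return parse_swift_code(a).bic8 == parse_swift_code(b).bic8
```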

3. The SWIFT message

According to the needs of international settlement business, SWIFT has formulated relevant standard formats of messages, which can be divided into two types:

  • Standard FIN-based MTs

  • A new XML-based standard called MXs

MTs (MTnXX): n (0-9) indicates the message category, and XX indicates the type within category n. There are currently 10 categories, of which categories 1, 2, 3, 5, 7 and 9 are the most commonly used.

MXs: In 1999, SWIFT chose XML encoding as its next-generation standard and decided to eventually adopt the new XML-based standard (MXs). At present the two standards coexist; the MX standard consists of 12 types of messages.

SWIFT MT message

According to banks’ actual operations, SWIFT MT messages are divided into ten categories:

Table 3 Ten categories of SWIFT MT messages

Categories 1 to 8 of SWIFT messages are authenticated messages, which require a SWIFT authenticator key. The SWIFT key is independent of the telex test key, is exchanged between correspondent banks, and is used only by the two parties when sending and receiving SWIFT messages. The other two categories are unauthenticated messages.

4. MT950 statement

MT950 scope

This is the format of the message sent by the account-servicing bank to the account-holding bank, giving details of all entries booked to the account.

MT950 guidelines

  • How charges, interest and other adjustments are handled:

    1. Give the number of the MTn90 charges notification message that has already been sent;

    2. If the charges are notified to the account-holding bank for the first time by means of this statement, the following conditions must be met:

      1. They must be identified by the relevant transaction reference, such as the account-holding bank’s original transaction reference;

      2. The principal must be shown separately in the statement.

  • The amount in the statement must be the same as the amount in the original transaction. Where a charge is clearly stated in a transaction message, or is an essential part of a message (e.g. a collection), it need not be stated separately in the statement;

  • The account-servicing bank shall not combine separate transactions. If the original receipt or payment message contained multiple transactions, the statement should still account for them separately, and each debit must refer to field 20 of the original message.

  • It is recommended that at the end of each business day, as long as there has been activity on the account, the account-servicing bank send an MT950;

  • To facilitate manual checking, it is suggested that the entries in the statement be arranged first by debit and credit, within each of those two categories by value date, and within the same value date by amount from small to large;

  • The contents of a statement may consist of several messages.

MT950 fields in detail

  • Field 20: the sending bank’s reference number

  • Field 25: Account

    The account number for which the statement is issued.

  • Field 28C: Statement number/page number

    The contents of this field indicate the sequential statement number and the page number of each statement message respectively.

  • Field 60A: Opening balance

    States the book balance of the account at the beginning of the period covered by the statement, or, when a statement is paginated, the intermediate opening balance of each page. Its content consists of four subfields.

    The content of this field must be the same as field 62A of the previous statement message. The field code is 60F only when the message is the first page of a statement for a given period or the statement is not paginated.

  • Field 61: Statement line

    Gives details of each transaction. This field may be repeated within the capacity of the message. Its content has nine subfields in the following order:

    1. For amounts and charges received or paid through SWIFT messages, the type is shown as “Snnn”, where the three digits after the letter S are the SWIFT message type.

    2. For amounts and charges received or paid through non-SWIFT messages, the type is shown as “Nxxx”, where the three letters after the letter N are one of the following codes indicating the reason for the receipt or payment:

    3. For an amount first notified to the account holder by this statement (booked at the account-servicing bank and not notified to the account holder before this statement was sent), the type is “Fxxx”; the three letters after the letter F must be the appropriate code indicating the reason for the debit or credit (same codes as in 2).

  • Field 62A: Closing balance (book balance)

    If the statement is not paginated, or this message is the last page of a statement that consists of several messages, the field code is “62F” and its content is the final balance of the account at the end of the statement; that balance must appear in field “60F” of the next statement. If this message is not the last page of the statement, the field code is “62M” and its content is the intermediate balance, which must appear in “60M” on the next page. Its content has four subfields, with the same structure as field “60A”.

  • Field 64: Available balance

    If the field shows a credit balance, it is the available balance. If it shows a debit balance, the account holder is liable to pay interest on it. Its content has four subfields, with the same structure as field “60A”.
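The field rules above (60F must repeat the previous statement’s 62F, and opening balance plus the field 61 entries must equal the closing balance), as an added example that is not code from the 360 report: a small tag:value MT950 parser with a reconciliation check. The constructed sample statements are not real bank data, and the subfield regexes assume the common layouts rather than the full SWIFT grammar.

```python
import re
from decimal import Decimal
FIELD_RE = re.compile(r"^:(\d{2}[A-Z]?):(.*)$")            # :tag:content
BAL_RE = re.compile(r"^([DC])(\d{6})([A-Z]{3})([\d,]+)$")   # 60F/60M/62F/62M/64 layout
ENTRY_RE = re.compile(r"^(\d{6})(\d{4})?(R?[DC])([A-Z])?(\d+,\d{0,2})([SNF][A-Z0-9]{3})(.*)$")
_amount = lambda s: Decimal(s.replace(",", "."))   # SWIFT writes the decimal separator as a comma

def parse_mt950(text: str):
    # Returns ({tag: content} for single-occurrence fields, [entry dicts] for every :61: line).
    fields, entries = {}, []
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if not m: continue
        tag, body = m.groups()
        if tag != "61":
            fields[tag] = body
            continue
        e = ENTRY_RE.match(body)
        if not e: raise ValueError("unparseable :61: line: " + body)
        vdate, _entry_date, dc, _funds, amt, ttype, ref = e.groups()
        sign = 1 if dc in ("C", "RD") else -1   # RC/RD are reversals of a credit/debit
        entries.append({"date": vdate, "type": ttype, "ref": ref, "delta": sign * _amount(amt)})
    return fields, entries

def _balance(fields: dict, *tags: str):
    tag = next((t for t in tags if t in fields), None)   # 60F before 60M, 62F before 62M
    if tag is None: raise ValueError("no balance field among " + ", ".join(tags))
    dc, _date, _ccy, amt = BAL_RE.match(fields[tag]).groups()
    return tag, (_amount(amt) if dc == "C" else -_amount(amt))   # credit positive, debit negative

def closing_balance(text: str) -> Decimal:
    return _balance(parse_mt950(text)[0], "62F", "62M")[1]

def reconcile(text: str, prev_closing: Decimal = None) -> list:
    # Empty list means consistent: 60 + sum(61) == 62, and 60 chains to the prior statement's 62.
    fields, entries = parse_mt950(text)
    otag, opening = _balance(fields, "60F", "60M")
    ctag, closing = _balance(fields, "62F", "62M")
    problems = []
    expected = opening + sum(e["delta"] for e in entries)
    if expected != closing: problems.append(f"entries sum to {expected} but {ctag} states {closing}")
    if prev_closing is not None and opening != prev_closing:
        problems.append(f"{otag} {opening} does not chain to previous closing {prev_closing}")
    return problems
# Constructed samples (not real data); TAMPERED drops the outgoing debit and recomputes 62F, as Fake PDF Reader does.
GENUINE = "\n".join([":20:STMT160531", ":25:123456789", ":28C:131/1", ":60F:C160530USD1000000,00",
    ":61:160531C250000,00S103REF001", ":61:160531D100000,00S202REF002", ":62F:C160531USD1150000,00"])
TAMPERED = GENUINE.replace("\n:61:160531D100000,00S202REF002", "").replace("1150000,00", "1250000,00")
NEXT_DAY = "\n".join([":20:STMT160601", ":25:123456789", ":28C:132/1", ":60F:C160531USD1150000,00",
    ":61:160601D50000,00S103REF003", ":62F:C160601USD1100000,00"])
```

The doctored statement passes the arithmetic check on its own, because the balances were recomputed; it is the chaining of the next genuine statement’s 60F to the doctored 62F that exposes the tampering.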

0x02 Attack Event Analysis

1. Overall process

Figure 1 Overall relationship flow

In the attack on Pioneer Bank, the malicious code had embedded in it the SWIFT codes of eight banks at which the Vietnamese bank held correspondent accounts. The Fake PDF Reader sample seen so far was not intended to attack the banks on that list, but rather to remove the confirmations of transfers between the Vietnamese bank and those correspondent banks by tampering with MT950 statements, so that the bank’s monitoring system would not pick up the improper transactions.

2. Function Overview

Fake PDF Reader is disguised as Foxit Reader (Foxit PDF Reader): the original Foxit Reader.exe is renamed Foxlt Reader.exe (with a lowercase L in place of the i) and the malware takes its place. It is activated when the banking system calls Foxit to print a PDF. It converts the PDF to XML, checks whether any message matches the configuration file, modifies the matched message, converts the result back to PDF, and invokes the original Foxit Reader to print it. It then deletes the temporary files and the database records of the matching transactions.

Figure 2 Diagram

Figure 3 configuration file format

3. Case: MT950 statement (PDF) details

Figure 18 MT950 Statement (PDF)

The image above shows the PDF version of the MT950 statement with its key message fields explained (shown in bold). The blue boxes mark what the Fake PDF Reader malware needs to identify and modify, and the blue text describes the specific actions.

Below are a normal PDF statement and a doctored PDF statement. The red background on the left marks the account balance and available balance that the attacker wants to delete and modify.

Figure 19. Normal PDF statement (left), doctored PDF statement (right)

4. Technical details

Fake PDF Reader analysis

Figure 4 Functional flow chart

The Fake PDF Reader program is built on the Foxit PDF SDK and relies on the dynamic library fPDFSDK.dll.

A. Read the configuration file

The configuration file is XOR-encrypted with the key 7C4D5978h. Its path is C:\Windows\temp\WRTU\lmutilps32.dat.

Figure 5 Reading the configuration file
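Decoding such a configuration file for analysis, as an added example that is not code from the 360 report: the key 7C4D5978h is applied as a repeating 4-byte XOR keystream. The report does not state the key’s byte order, so the decoder tries little-endian first and falls back to big-endian, keeping whichever yields printable text. The sample plaintext is constructed, not a captured configuration.

```python
import struct
from typing import List, Optional

KEY = 0x7C4D5978   # XOR key the report gives for lmutilps32.dat

def xor_with_dword(data: bytes, key: int = KEY, little_endian: bool = True) -> bytes:
    # XOR is symmetric, so this both encodes and decodes. The key's byte order is not
    # stated in the report; little-endian (an x86 DWORD as stored in memory) is assumed.
    keystream = struct.pack("<I" if little_endian else ">I", key)
    return bytes(b ^ keystream[i % 4] for i, b in enumerate(data))

def _looks_like_text(buf: bytes) -> bool:
    """Printable ASCII plus tab/CR/LF only; used to pick the right byte order."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in buf)

def decode_config(blob: bytes, key: int = KEY) -> Optional[List[str]]:
    """Try both key byte orders and return the non-empty lines of the one that decodes to text."""
    for little_endian in (True, False):
        plain = xor_with_dword(blob, key, little_endian)
        if plain and _looks_like_text(plain):
            return [ln for ln in plain.decode("ascii").splitlines() if ln.strip()]
    return None   # neither order produced printable text: wrong key or a different scheme

# Constructed sample (not a real captured config): a log path plus two reference strings.
SAMPLE_PLAINTEXT = b"C:\\Windows\\temp\\WRTU\r\nREF001\r\nREF002\r\n"
SAMPLE_BLOB = xor_with_dword(SAMPLE_PLAINTEXT)   # what the encrypted file would hold on disk
```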

B. Process parameters

There must be at least four arguments: the FoxitReader path, /t, the PDF path, and the printer IP.

C. PDF modification

Figure 6. PDF modification execution process

  • PDF to XML: the pdf2HTML library is called with the -xml parameter to convert the PDF to XML, and the resulting file is placed in a temporary directory.

    Figure 7. PDF to XML

  • Read the XML file: search for the line containing Instance Type and Transmission, skip 9 lines, and match the SWIFT message type string. If FIN 950 is present, the message is processed as an MT950; otherwise it is processed as a non-950 message.

  • 950 message processing: match the Sender field, find the sender’s SWIFT code and check whether it is in the list. If so, locate the Opening Balance line, skip 9 lines, read the Amount value and convert it to Int64; skip 2 more lines and check whether the entry is a Debit. All transactions after the Opening Balance are read in a loop and their strings compared with the configuration file; on a match, the delete flag is set and the amount is recorded. The amounts accumulated in this way are then used to recompute the balance, which is written back together with the Debit/Credit flag. After the modification, a new page is added, all remaining rows are added to it, and the previous page is deleted.

    Figure 8 The default SWIFT CODE inside the malicious CODE

    Table 4 The specific bank name corresponding to the preset SWIFT CODE inside the malicious CODE

  • Non-950 message processing: read from the Sender line and match it against the configuration file; on success, the entire page is deleted.

  • Fix the coordinates of the rows in the XML, fix the font of the specified rows, and fix the values of Avail Bal (Avail Funds).

  • Delete temporary files.

Figure 9 Deleting temporary files

  • XML to PDF.

D. Call the real FoxitReader.exe with the original arguments

Figure 10 Calling the real FoxitReader

E. If the command fails, call LogClear

Figure 11 Calling LogClear

F. Finally, delete the temporary files

LogClear analysis

Figure 12. Function flow chart

Depending on the number of parameters passed in, an initialization operation is performed; if there are no parameters, the clearing operation is performed directly.

Command parameter format: -f, -l

Figure 13 Format of related parameters

To further delete the records stored in the file, a file name is formatted from the parameters and the records related to the message file are deleted.

File name format: `%s\\%s_%d%.2d%.2d.TXT`, where the first %s is the path read from the configuration file, the second %s is the string content that follows, and the %d values are the year, month and day.

Figure 14 reads related content

Finally, sqlcmd.exe is used to delete the records of the message files from the database.

Figure 15 Clearing error log 1

Figure 16 Clearing error log 2

Figure 17 Clearing graft_history

Homology analysis

In this report we mainly conduct an in-depth analysis of the attack events and samples related to Vietnam Pioneer Bank; the expansion to homologous samples from other attacks is not introduced in detail for the time being. This section simply shows that there is a certain connection between the two.

The relationship between Vietnam Pioneer Bank, Bangladesh Central Bank and Lazarus group will be described in detail in the later association analysis report.

0x03 Summary

From disguising the malicious program as Foxit Reader to parsing and precisely tampering with MT950 statement PDF files, the attackers are clearly familiar with the bank’s internal trading systems and processes.

The targeted attack on Vietnam Pioneer Bank and the earlier attacks on Bangladesh Central Bank and other banks are not independent of each other. Based on the 360 team’s homology analysis of the relevant samples and the research of other vendors, the attacks on Vietnam Pioneer Bank and the Bangladesh bank are likely to come from the same organization, and the group behind them is believed to be Lazarus, which was revealed by Operation Blockbuster.