Malware At Root Of Bangladesh Bank Heist Lies To SWIFT Financial Platform

Customized malware hid $81 million of wire transfers until the money had been safely laundered.

A cyber bank heist of $81 million from Bangladesh Bank (BB) in February probably involved highly customized malware written specifically to exploit vulnerabilities in the banks poorly secured local environment,
according to researchers at BAE Systems
. Though it did not exploit a vulnerability in the SWIFT financial software per se, the malware hid all evidence of the attackers fraudulent wire transfers by fooling the SWIFT software in a variety of ways.
As
Reuters reported in February
, the attackers -- whose identities remain unknown -- first obtained the credentials the bank uses to approve payments. Then, they bombarded the Federal Reserve Bank of New York with nearly three dozen requests to move money from the Bangladesh Banks account there to entities in the Philippines and Sri Lanka.
The campaign would have been even costlier if the attackers hadnt drawn attention to themselves by simply
being careless with their spelling
. Hackers misspelled foundation in the NGOs name as fandation, prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction, one of the officials said. By this time, $80 million of transactions had already gone through, but, fortunately, $850 to $870 million of other attempted transactions were stopped. Some of the funds have been recovered.
If the attackers had had better editors, BB might have been out $1 billion, based upon what BAE Systems has discovered about the stealth malware on their systems -- which BAE believes was probably part of a bigger toolkit installed on the environment. They are not sure at this point how the initial infection took place, but the malware registers as a service in the environment running the SWIFT software.
One of the malwares tricks: it includes a module that replaces a 2-byte conditional jump with a do-nothing instruction -- effectively forcing the host application to believe that the failed check has in fact succeeded, thereby giving itself the ability to execute database transactions, BAE said.
It manipulated the record of account balances, and monitored all the messages sent via SWIFT. It evens sent doctored copies of wire transfers to printers, and then deletes the records of them.
The code itself contained detailed information about the banks environment. From Reuters, today:
Adrian Nish, BAEs head of threat intelligence, said he had never seen such an elaborate scheme from criminal hackers.
I cant think of a case where we have seen a criminal go to the level of effort to customize it for the environment they were operating in, he said. I guess it was the realization that the potential payoff made that effort worthwhile.
SWIFT, meanwhile, responded today
, deflecting any responsibility for the vulnerability:
SWIFT is aware of a malware that aims to reduce financial institutions’ abilities to evidence fraudulent transactions on their local systems. Contrary to reports that suggest otherwise, this malware has no impact on SWIFT’s network or core messaging services.
We understand that the malware is designed to hide the traces of fraudulent payments from customers’ local database applications and can only be installed on users’ local systems by attackers that have successfully identified and exploited weaknesses in their local security.
Bangladeshi Police are not letting SWIFT entirely off the hook, according to Reuters, stating that both the bank -- which had seriously deficient security -- and SWIFT are to blame.
This heist has also been cloaked in some mystery. A cybersecurity researcher investigating the attack reportedly
went missing
March 16, the day after stating that hed discovered three user IDs involved, and was possibly abducted. Police found him wandering the streets of Dhaka, Bangladeshs capital city, March 23, alive but in a dishevelled state, and decided to simply drive him home without questioning him while he was in that state, according to
IB Times
.
Related stories:
Cybersecurity Expert Assisting With Bangladesh Bank Heist Probe Goes Missing

From NY to Bangladesh: Inside an Inexcusable Cyber Heist

Hackers Typo Foils Their $1 Billion Wire Transfer Heist

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Malware At Root Of Bangladesh Bank Heist Lies To SWIFT Financial Platform