Salted Hash Ep 7: Matrix Banker malware and insider threats

Justin Fier, director for cyber intelligence and analysis at Darktrace, talks about the return of Matrix Banker and insider threats

This week's episode of Salted Hash takes a look at insider threats and the return of Matrix Banker, a family of malware that is targeting organizations in Mexico. Our guest is Justin Fier, the director for cyber intelligence and analysis at Darktrace, the organization that spotted the second wave of Matrix Banker attacks.

Matrix Banker:

Matrix Banker was first discovered in late May (and disclosed in early June) of 2017 by Arbor Networks. Targeting countries in Latin America, the name comes from the malware's C2 (Command & Control) admin portal, which uses a Matrix theme.

At the time, the malware was still under development, but it was being distributed by the Beta Bot. Once it's fully installed on a victim's system, it uses browser injects to direct them to a phishing page mimicking a given financial institution in order to harvest credentials. The targeted financial institution rotates, and the actual target is listed in a web inject config file sent down from the C2 server.

Between August and September of 2017, Darktrace detected Matrix Banker targeting Mexican companies using many of the previously observed tools, techniques, and procedures (TTPs). However, while the malware seemed to target businesses in the finance industry when it was originally detected, the latest attacks expanded the target pool considerably.

"Between August and October 2017, Darktrace detected highly anomalous behavior on five seemingly unrelated networks in Mexico. Unlike the original strain of this attack, which was believed to target financial institutions almost exclusively, this latest variant affected customers across a number of industry verticals, suggesting that the threat actors are diversifying their targets. Darktrace has seen the attack hit companies in the healthcare, telecommunications, food and retail sectors," Darktrace explained in a blog post.

Insider threats:

On and off throughout the year, there has been a constant push in marketing and PR circles for insider threats. While some will scoff at the marketing attempts, the threat that a malicious insider represents is real.

"Insider threat is very difficult to catch, because there is no rule or signature you can write for it. There is no SEIM query you can write to catch it," said Fier.

It comes down to detecting when employees start deviating from their normal pattern. This includes intentional (malicious) deviations and those that stand out, but were ultimately accidents. The problem is, determining normal isn't as simple as it sounds. It takes time, and baselines change alongside the business itself.

Fier says that he recommends insider threat hunting teams, which identify risks and active threats. It's also important that these teams include Human Resources, as they know the people better than anyone.

Related:
NEW! Download the Fall 2018 issue of Security Smart