Overview
The Bangladesh Bank heist was a meticulously executed cybercrime that resulted in the theft of $81 million, leveraging vulnerabilities in banking systems and the SWIFT payment network. This article delves into the technical aspects of the attack, exploring the methodologies, tools, and preventive measures.
1.0 Reconnaissance and Initial Compromise
1.1 Attack Vector: Spear Phishing
- The attackers used spear-phishing emails to compromise employee devices. These emails contained malicious attachments masquerading as legitimate documents, likely in PDF or Excel formats.
- The malware embedded in these attachments executed scripts to establish an initial foothold.
1.2 Technical Details of the Malware
- Type: Custom RAT (Remote Access Trojan)
- Variants: Likely custom variants of Dridex and PlugX.
- Capabilities:
  - Keylogging to capture credentials.
  - Network reconnaissance for SWIFT-connected devices.
  - Exfiltration of sensitive data such as network configurations and authentication details.
  - Remote command execution.
1.2.1 Malware Delivery
- The attackers likely exploited vulnerabilities in document processing software (e.g., unpatched CVEs in Microsoft Office or Adobe Reader).
- Command-and-Control (C2) servers were hosted on compromised infrastructure in Eastern Europe to reduce attribution risk.
2.0 Network Infiltration and Lateral Movement
2.1 Privilege Escalation
- Post-compromise, attackers leveraged unpatched systems and weak access controls to escalate privileges.
- Tools like Mimikatz were potentially used to dump credentials from memory.
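As an added defensive example, not code from the original article: a minimal check over constructed Sysmon Event ID 10 (ProcessAccess) records that flags processes opening lsass.exe with memory-read rights, the telemetry pattern that dumping credentials from memory leaves behind. The allowlist, the reduced field set and the sample events are assumptions.

```python
# Added example (not from the original article): flag processes that open
# lsass.exe with memory-read rights, the access pattern credential-dumping
# tools depend on. Input is a constructed list of Sysmon Event ID 10
# (ProcessAccess) records reduced to the three fields the check needs.
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010            # right needed to read LSASS memory
PROCESS_QUERY_INFORMATION = 0x0400  # usually requested alongside it

# Source images that legitimately touch LSASS on a managed host. This list
# is an assumption and must be tuned per environment; because it matches on
# path alone, treat it as a triage aid, not a guarantee.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}


@dataclass
class ProcessAccess:
    source_image: str    # Sysmon SourceImage
    target_image: str    # Sysmon TargetImage
    granted_access: int  # Sysmon GrantedAccess mask


def is_suspicious_lsass_access(ev: ProcessAccess) -> bool:
    """True when a non-allowlisted process opens lsass.exe with read rights."""
    if not ev.target_image.lower().endswith(r"\lsass.exe"):
        return False
    if ev.source_image.lower() in ALLOWED_SOURCES:
        return False
    return bool(ev.granted_access & PROCESS_VM_READ)


def find_credential_dump_candidates(events):
    """Return the source image of every suspicious LSASS access, in order."""
    return [ev.source_image for ev in events if is_suspicious_lsass_access(ev)]


# Constructed sample events; not telemetry from the incident.
SAMPLE_EVENTS = [
    ProcessAccess(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\lsass.exe", 0x1000),
    ProcessAccess(r"C:\Users\clerk\AppData\Local\Temp\update.exe", r"C:\Windows\System32\lsass.exe", 0x1010),
    ProcessAccess(r"C:\Windows\System32\wininit.exe", r"C:\Windows\System32\lsass.exe", 0x1410),
    ProcessAccess(r"C:\Program Files\Tool\tool.exe", r"C:\Windows\System32\notepad.exe", 0x1FFFFF),
]

if __name__ == "__main__":
    for src in find_credential_dump_candidates(SAMPLE_EVENTS):
        print("suspicious LSASS access from", src)
```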