capa-rules
[Rule Idea] - SWIFT information harvesting
Prerequisites
- [x] Put an X between the brackets on this line if you have done all of the following:
- Checked that your rule idea isn't already filed: search
Summary
Similar to other collection rules, look for SWIFT information targeting.
Examples
DYEPACK sample 4659dadbf5b07c8c3c36ae941f71b631737631bc3fded2fe2af250ceba98959a
Features
The malware will craft SQL statements looking for SWIFT-related information.
Some examples:
SELECT MESG_S_UMID FROM SAAOWNER.MESG_%s WHERE MESG_SENDER_SWIFT_ADDRESS LIKE '%%%s%%' AND MESG_TRN_REF LIKE '%%%s%%';
DELETE FROM SAAOWNER.MESG_%s WHERE MESG_S_UMID = '%s';
DELETE FROM SAAOWNER.TEXT_%s WHERE TEXT_S_UMID = '%s';
SELECT * FROM (SELECT JRNL_DISPLAY_TEXT, JRNL_DATE_TIME FROM SAAOWNER.JRNL_%s WHERE JRNL_DISPLAY_TEXT LIKE '%%LT BBHOBDDHA: Log%%' ORDER BY JRNL_DATE_TIME DESC) A WHERE ROWNUM = 1;
SELECT MESG_FIN_CCY_AMOUNT FROM SAAOWNER.MESG_%s WHERE MESG_S_UMID = '%s';
SELECT MESG_S_UMID FROM SAAOWNER.MESG_%s WHERE MESG_SENDER_SWIFT_ADDRESS LIKE '%%%s%%' AND MESG_FIN_CCY_AMOUNT LIKE '%%%s%%';
UPDATE SAAOWNER.MESG_%s SET MESG_FIN_CCY_AMOUNT = '%s' WHERE MESG_S_UMID = '%s';
UPDATE SAAOWNER.TEXT_%s SET TEXT_DATA_BLOCK = UTL_RAW.CAST_TO_VARCHAR2('%s') WHERE TEXT_S_UMID = '%s';
Additional context
Rule details
Namespace
/collection/swift
References
- https://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html
Other rule meta information
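As an added sketch of how this idea could be written up, not a rule from the capa-rules project or from the issue author, the following capa rule keys on the schema prefix and column names from the SQL statements quoted above; the author entry is a placeholder and the scope choice is an assumption:

```yaml
rule:
  meta:
    name: harvest SWIFT message data via SQL statements
    namespace: collection/swift
    authors:
      - rule-author@example.com   # placeholder, not the issue author
    scopes:
      static: function            # assumed scope; adjust to where the strings are referenced
      dynamic: thread
    references:
      - https://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html
    examples:
      - 4659dadbf5b07c8c3c36ae941f71b631737631bc3fded2fe2af250ceba98959a
  features:
    - and:
      # table names are built with a format string (SAAOWNER.MESG_%s, SAAOWNER.TEXT_%s,
      # SAAOWNER.JRNL_%s), so match the stable schema prefix rather than a full table name
      - substring: SAAOWNER.
      # column names taken from the queries quoted in the issue; requiring at least two
      # keeps a lone schema reference from matching on its own
      - 2 or more:
        - substring: MESG_SENDER_SWIFT_ADDRESS
        - substring: MESG_FIN_CCY_AMOUNT
        - substring: MESG_S_UMID
        - substring: TEXT_DATA_BLOCK
        - substring: JRNL_DISPLAY_TEXT
```

Substring matching covers the SELECT, UPDATE and DELETE variants above without tying the rule to one format-string layout.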
This sample is near and dear to me.
great idea for the rule!
Hello, I'll support it!