Bangladesh central bank hacking issue

2016-06-01 Hauri Bangladesh central bank hacking issue

https://m.hauri.co.kr/security/download.php?idx=ODY=

Attachments

vsm_1606.pdf (4 MB)

Hauri analyzes the custom malware used in the Bangladesh Bank SWIFT theft, in which about $101 million was fraudulently transferred out of the bank's account at the Federal Reserve Bank of New York. The report finds the malware was built for this one institution: it carried Bangladesh Bank's own SWIFT codes, monitored SWIFT FIN message files with the .prc and .fal extensions, decrypted the gpca.dat SWIFT authentication file, and reported login/logout results to a C2 address. Its evtdiag.exe component generated and ran SQL scripts as sysdba, searched for transaction identifiers, deleted local MESG_S_UMID transaction records, manipulated balance-related data in SWIFT messages, and patched the branch logic of liboradb.dll so the application's validation check no longer took effect. The companion components evtsys.exe and nroff_b.exe handled file wiping, self-deletion, decryption, and parsing of financial data. Taken together, this is an operation built to alter banking records and erase its traces, not generic malware activity.
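The behaviours above translate directly into host-level detections: a process outside the SWIFT Alliance install tree touching .prc/.fal files or gpca.dat, a DELETE or UPDATE against the MESG table referencing MESG_S_UMID run as sysdba, the named component binaries, and a modified liboradb.dll. The following is an added example (my own code, not from the Hauri report or any SWIFT product) that runs such rules over a handful of constructed endpoint events and checks liboradb.dll against a known-good hash. The event field names, the trusted install directory, and all sample events and DLL bytes are assumptions made for the example.

```python
import hashlib
import ntpath
import re
from typing import Dict, Iterable, List, Tuple

# Component names named in the Hauri write-up.
MALWARE_IMAGES = {"evtdiag.exe", "evtsys.exe", "nroff_b.exe"}
# SWIFT Alliance Access artifacts the malware touched (from the report).
SWIFT_ARTIFACTS = {"gpca.dat"}
SWIFT_EXTS = {".prc", ".fal"}
# Assumed install tree of the legitimate SWIFT software on this host.
TRUSTED_DIR = "d:\\alliance\\"
# Write/delete against the message table that references the MESG_S_UMID column.
MESG_WRITE = re.compile(r"\b(DELETE|UPDATE)\b.*\bMESG\b.*\bMESG_S_UMID\b", re.I | re.S)

# Constructed Sysmon-like events for the example; not real telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process", "image": r"C:\Windows\Temp\evtdiag.exe", "user": "SWIFTAPP"},
    {"type": "sql", "image": r"C:\Windows\Temp\evtdiag.exe", "user": "sysdba",
     "statement": "DELETE FROM MESG WHERE MESG_S_UMID = 'FIN123456'"},
    {"type": "file", "image": r"C:\Windows\Temp\nroff_b.exe",
     "path": r"D:\Alliance\Access\print\msg_0001.prc", "op": "read"},
    {"type": "file", "image": r"C:\Windows\Temp\evtsys.exe",
     "path": r"D:\Alliance\Access\gpca.dat", "op": "read"},
    # Benign: the SWIFT application itself writing a printer file.
    {"type": "file", "image": r"D:\Alliance\Access\bin\saa_ss.exe",
     "path": r"D:\Alliance\Access\print\msg_0002.fal", "op": "write"},
    # Benign: a read-only query from the application account.
    {"type": "sql", "image": r"D:\Alliance\Access\bin\saa_ss.exe", "user": "ALLIANCE",
     "statement": "SELECT MESG_S_UMID FROM MESG WHERE MESG_CREA_DATE_TIME > SYSDATE - 1"},
]


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the host OS.
    return ntpath.basename(path).lower()


def _is_trusted(image: str) -> bool:
    return image.lower().startswith(TRUSTED_DIR)


def detect(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings for the events that match a rule."""
    findings: List[Tuple[str, str]] = []
    seen_images = set()
    for e in events:
        img = _basename(e["image"])
        # Rule 1: known component file names (once per image).
        if img in MALWARE_IMAGES and img not in seen_images:
            seen_images.add(img)
            findings.append(("known-component", img))
        # Rule 2: destructive SQL on MESG rows, as sysdba or from an untrusted binary.
        if e["type"] == "sql" and MESG_WRITE.search(e["statement"]):
            if e["user"].lower() == "sysdba" or not _is_trusted(e["image"]):
                findings.append(("mesg-tamper", e["statement"]))
        # Rule 3: SWIFT auth or message files touched by something outside the install tree.
        if e["type"] == "file":
            name = _basename(e["path"])
            ext = ntpath.splitext(name)[1]
            if (name in SWIFT_ARTIFACTS or ext in SWIFT_EXTS) and not _is_trusted(e["image"]):
                findings.append(("untrusted-swift-access", name))
    return findings


def dll_tampered(dll_bytes: bytes, baseline_sha256: str) -> bool:
    """Integrity check: any byte-level patch changes the hash against the baseline."""
    return hashlib.sha256(dll_bytes).hexdigest() != baseline_sha256


# Constructed stand-in for liboradb.dll: a few bytes with a short-jump opcode
# that a patch might overwrite with NOPs. Not the real file or the real patch.
CLEAN_DLL = b"MZ" + b"\x00" * 8 + b"\x75\x04" + b"\x00" * 6
BASELINE_SHA256 = hashlib.sha256(CLEAN_DLL).hexdigest()
PATCHED_DLL = CLEAN_DLL[:10] + b"\x90\x90" + CLEAN_DLL[12:]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {detail}")
    print("liboradb.dll tampered:", dll_tampered(PATCHED_DLL, BASELINE_SHA256))
```

In practice the baseline hash comes from a vendor-supplied or freshly installed copy of the DLL, and the trusted-directory rule is only as good as the access controls on that directory: the report's whole point is that the attacker ran with enough privilege (sysdba, write access to the SWIFT tree) that these checks must run from a system the SWIFT host cannot modify.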

Indicators of Compromise

Type    Value             First Seen   Last Seen
IPv4    21.0.0.226        2016-06-01   2017-06-13
DOMAIN  techholic.co.kr   2016-06-01   2016-06-01
