104 businesses in 31 countries have been targeted in a new wave of attacks, underway since at least October 2016, which infects pre-selected targets with previously unknown malware via compromised websites, or “watering holes”.
The unknown malware was first spotted by some Polish banks, which found it running on their servers, but there is no evidence that funds have been stolen from any infected banks.
The website that users are directed to is preconfigured to infect only visitors from approximately 150 different IP addresses, which belong mainly to banks and a small number of telecoms and internet firms. Symantec has so far blocked attacks by the same malware that infected the Polish banks against 14 computers in Mexico, 11 in Uruguay and two in Poland.
Analysis of the malware is still underway, but shows some code strings used by the threat group known as Lazarus.