Russian ATM-popping gang used nation state cybercrook tactics
Be very slow with the brute force, Igor. Three times a week, only on Saturdays
Cybercrooks are increasingly adopting tactics from more advanced hackers in order to steal millions of dollars from banks and other financial institutions.
The first of the two cybercrime groups, dubbed Metel, is mostly active in Russia. The group’s typical modus operandi involves gaining control over machines inside a bank that have access to money transactions – for example, the bank’s call centre or its support computers.
Once the group has achieved this aim it can automate the rollback of ATM transactions.
The rollback capability ensures that the balance on debit cards remains the same regardless of the number of ATM transactions made. In the examples seen to date, the crooks steal money by driving around cities in Russia at night and emptying ATMs belonging to a number of banks, repeatedly using the same debit cards issued by the compromised bank.
As the attackers empty ATM after ATM – Metel was found inside 30 organisations – the balances on the stolen accounts used to pull off the scam remained unaltered, allowing further withdrawals.
“Our investigations revealed that the attackers drove around in cars in several cities in Russia, stealing money from ATMs belonging to different banks,” Kaspersky Lab said in a report. “With the automated rollback the money was instantly returned to the account, when the cash has already been dispensed from the ATM. The group worked exclusively at nights, emptying ATM cassettes at several locations.”
“The bank’s clients were withdrawing from ATMs belonging to other banks and were able to cash out huge sums of money while the balances remained untouched. It was a surprise for the victim bank to hear from other banks when they tried to recoup the money withdrawn from their ATMs.”
The ongoing scam has become the focus of a law enforcement investigation.
Metel is the Russian word for blizzard. Hackers in the gang burrow their way into financial organisations by either using cleverly crafted spear phishing emails laced with malware, or by luring victims into visiting compromised sites hosting the Niteris exploit kit. Either way malicious code is used to drop a backdoor onto compromised systems, making it relatively easy for hackers to either install secondary malware or pivot towards attacking more juicy targets on infiltrated networks. The hackers typically go after domain controllers before gaining access to support computers, their primary target.
Super stealthy
A second group – dubbed GCMAN, because the malware is based on code compiled on the GCC compiler – has also taken to using advanced hacking techniques more commonly associated with nation state-grade hackers.
In some cases the group uses legitimate pen-testing tools, including VNC, PuTTY and Meterpreter, to pivot inside the compromised networks. The group gained a toehold on compromised networks via spear-phishing and a malicious RAR archive disguised as a Word document.
Their ultimate target is typically access to computers used to transfer money to e-currency services. The group has learned over time to move slowly and take great pains in avoiding triggering alerts on detection systems inside the bank.
Researchers at Kaspersky said that in one attack, the criminals had access to the network for 18 months before stealing any money. Once they did, they were transferring $200 payments per minute using the CRON scheduler to execute malicious scripts and move money to a money-mule account. Those transaction orders were sent to an upstream payment gateway, Kaspersky Lab said, and were never logged by the victimised bank’s internal systems. This is perhaps because $200 is the upper limit for anonymous payments in Russia.
“The group used an MS SQL injection in commercial software running on one of the bank’s public web services, and about a year and a half later, they came back to cash out. During that time they poked 70 internal hosts, compromised 56 accounts, making their way from 139 attack sources (TOR and compromised home routers),” Kaspersky Lab explained. “We discovered that about two months before the incident, someone was trying different passwords for an admin account on a banking server. They were really persistent. They were doing it only on Saturdays, only three tries per week, all in an effort to stay under the radar.”
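The "only on Saturdays, only three tries per week" cadence above is as much a detection problem as an intrusion story: a rule that counts failures over minutes never sees it. As an added example (not from the article or from Kaspersky Lab), here is a constructed authentication log with that pattern and two rules run over it: a short-window burst rule that stays silent, and a long-horizon rule that flags the account and reports the weekday concentration. The log format, account names and addresses are invented for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse(line):
    # Constructed log format: "<ISO timestamp> <FAIL|OK> <account> <source ip>"
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user, src

def burst_detector(lines, window=timedelta(minutes=10), threshold=5):
    """Classic rule: N failures for one account inside a short window."""
    recent, hits = defaultdict(list), set()
    for ts, result, user, _ in map(parse, lines):
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:   # drop attempts older than the window
            q.pop(0)
        if len(q) >= threshold:
            hits.add(user)
    return hits

def slow_detector(lines, window=timedelta(days=60), threshold=12):
    """Long-horizon rule: failures per account over weeks, with the
    weekday breakdown so a fixed cadence (e.g. Saturdays only) stands out."""
    fails = defaultdict(list)
    for ts, result, user, _ in map(parse, lines):
        if result == "FAIL":
            fails[user].append(ts)
    findings = {}
    for user, stamps in fails.items():
        stamps.sort()
        in_window = [t for t in stamps if stamps[-1] - t <= window]
        if len(in_window) >= threshold:
            by_day = defaultdict(int)
            for t in in_window:
                by_day[t.strftime("%A")] += 1
            findings[user] = (len(in_window), dict(by_day))
    return findings

def sample_log():
    """Constructed data: three failed logins for 'admin' every Saturday night
    for eight weeks from rotating sources, plus one ordinary user typo."""
    start, lines = datetime(2015, 11, 7, 2, 0), []   # 2015-11-07 is a Saturday
    for week in range(8):
        for i in range(3):
            ts = (start + timedelta(weeks=week, minutes=20 * i)).isoformat()
            lines.append(f"{ts} FAIL admin 10.0.0.{week + 1}")
    return lines + ["2015-11-10T09:05:00 FAIL jsmith 10.1.1.7",
                    "2015-11-10T09:06:00 OK jsmith 10.1.1.7"]
```

On the sample log `burst_detector` returns an empty set while `slow_detector` reports the admin account with all 24 failures falling on a Saturday; the rotating source addresses mean a per-source rule would miss it too.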
Carbanak is back
Details of two new criminal operations that have borrowed heavily from targeted nation-state attacks were unveiled by security researchers at Kaspersky Lab on Monday during its Security Analyst Summit in Tenerife, Spain.
The Kaspersky Lab researchers also published fresh research into the Carbanak gang, a group that stole $1bn from more than 100 financial companies last year, according to some estimates. The Kaspersky Lab team reckoned the Carbanak crew had brought down the shutters on their operation after they were outed a year ago.
But last September, researchers at CSIS in Denmark spotted new Carbanak samples. Four months later, Kaspersky Lab found further Carbanak samples inside a telecommunications company and a financial organisation, providing secondary confirmation that the gang was back in business.
In the months of its hiatus the group has moved beyond banks and is now targeting budgeting and accounting departments of a much wider range of organisations.
“Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cybercriminals aggressively embracing APT-style attacks,” said Sergey Golovanov, principal security researcher at the Global Research and Analysis Team, Kaspersky Lab. “The Carbanak gang was just the first of many: cybercriminals now learn fast how to use new techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly.”
Kaspersky Lab has released Indicators of Compromise (IOC) and other data to help organisations search for traces of these attack groups in their corporate networks.
More details on these various scams can be found in a blog post by Kaspersky Lab’s ThreatPost news service here. ®