

Metel hackers thrash banks in infinite ATM withdrawal night raids

Hoppers drained in sophisticated two-part network smack-down.

Kaspersky researchers Alexander Gostev and Vitaly Kamluk have found a malware gang that can drain ATMs of cash by compromising banks and reversing transactions.

The duo say the gang has compromised 30 banks in Russia and likely more abroad with the malware called "Metel" or "Corkow".

Gostev (@codelancer) and Kamluk (@vkamluk) say the attacks bear the sophisticated fingerprints typically left behind by state-backed groups.

"The malware, used exclusively by the Metel group, infected the bank’s corporate network via e-mail and moved laterally to gain access to the computers within the bank’s IT systems," the pair say.

"Having gained access to the bank operator’s money-processing system, the gang pulled off a clever trick by automating the rollback of ATM transactions.

"This meant that money could be stolen from ATM machines via debit cards while the balance on the cards remained the same, allowing for multiple transactions at different ATM machines."

The pair say the attacks begin with spear phishing attacks on bank employees using the Niteris or Cotton Castle exploit kit in a bid to get Metel installed on a target network.

Once that beachhead is established, the group dive deep into networks until they reach the point at which transactions can be altered.

Criminals would then move to third-party bank ATMs and, at night, cash out from the victim bank an unlimited number of times thanks to the ability to roll back transactions.
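The rollback trick has a recognisable shape in a card processing log: a debit at an ATM, a reversal of the same amount seconds later that restores the balance, then the same again at another ATM. The following script, an added example with constructed log lines and not Kaspersky's or any bank's tooling, shows how a fraud team could flag that shape while leaving the ordinary single reversal of a jammed dispenser alone. The log format, card numbers and ATM ids are all assumptions made for the example.

```python
"""Detection sketch for the Metel rollback pattern: a card is debited at an
ATM, the debit is rolled back seconds later, and the cycle repeats at other
ATMs while the balance never drops.  Added example with constructed data;
not Kaspersky's or any bank's tooling."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of a card processing log, one event per line:
# <timestamp> <masked card> <event> <amount> <balance after event> <ATM id>
# Card 4111 shows the attack pattern; card 5500 shows a normal single
# failed dispense that was reversed, which must not raise an alert.
SAMPLE_LOG = """\
2016-02-08T01:02:11Z 4111xxxx1111 WITHDRAW 500 9500 ATM-0421
2016-02-08T01:02:19Z 4111xxxx1111 ROLLBACK 500 10000 ATM-0421
2016-02-08T01:31:02Z 4111xxxx1111 WITHDRAW 500 9500 ATM-0877
2016-02-08T01:31:09Z 4111xxxx1111 ROLLBACK 500 10000 ATM-0877
2016-02-08T02:05:44Z 4111xxxx1111 WITHDRAW 500 9500 ATM-0877
2016-02-08T02:05:51Z 4111xxxx1111 ROLLBACK 500 10000 ATM-0877
2016-02-08T02:40:03Z 4111xxxx1111 WITHDRAW 500 9500 ATM-0103
2016-02-08T02:40:10Z 4111xxxx1111 ROLLBACK 500 10000 ATM-0103
2016-02-08T12:15:30Z 5500xxxx2222 WITHDRAW 100 1900 ATM-0421
2016-02-08T12:15:34Z 5500xxxx2222 ROLLBACK 100 2000 ATM-0421
2016-02-08T13:00:00Z 5500xxxx2222 WITHDRAW 100 1900 ATM-0421
"""


def parse_log(text):
    """Parse the whitespace-separated log into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, kind, amount, balance, atm = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "card": card,
            "kind": kind,
            "amount": int(amount),
            "balance": int(balance),
            "atm": atm,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_rollback_abuse(events, max_gap_s=120, min_pairs=3):
    """Return {card: summary} for cards whose withdrawals keep being reversed.

    A 'pair' is a WITHDRAW followed within max_gap_s seconds by a ROLLBACK of
    the same amount that puts the balance back where it was.  One pair is what
    a jammed dispenser looks like; a run of them across the night is the
    signature described in the article.
    """
    by_card = defaultdict(list)
    for e in events:
        by_card[e["card"]].append(e)

    alerts = {}
    for card, evs in by_card.items():
        pairs, atms, reversed_total, pending = 0, set(), 0, None
        for e in evs:
            if e["kind"] == "WITHDRAW":
                pending = e
            elif e["kind"] == "ROLLBACK" and pending is not None:
                gap = (e["ts"] - pending["ts"]).total_seconds()
                restored = e["balance"] == pending["balance"] + pending["amount"]
                if gap <= max_gap_s and e["amount"] == pending["amount"] and restored:
                    pairs += 1
                    atms.add(e["atm"])
                    reversed_total += e["amount"]
                pending = None
        if pairs >= min_pairs:
            alerts[card] = {
                "reversed_withdrawals": pairs,
                "atms": sorted(atms),
                "cash_at_risk": reversed_total,
            }
    return alerts


if __name__ == "__main__":
    for card, info in find_rollback_abuse(parse_log(SAMPLE_LOG)).items():
        print(card, info)
```

The balance check matters: a rollback that does not restore the pre-withdrawal balance is an ordinary partial reversal, whereas a reversal that leaves the account exactly as it was, repeated across several machines, is cash leaving the ATM network with nothing leaving the account.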

Image: Kaspersky.

One bank lost tens of thousands of dollars in one night of ATM cash-outs.

Metel is not the only group the pair found. Another hacker outfit was detected pillaging financial institutions over weeks, often sucking down US$200 into mule accounts in quick withdrawals. The mules would then day-trip across Russia cashing out at ATMs.

The GCMAN group, so-called because, like Metel, it uses the GCC compiler, also uses phishing to gain a beachhead on corporate networks, then uses administrative and security tools like PuTTY, VNC and Meterpreter to pivot and gain greater reach and privileges.

Those transactions are applied high up in the approval chain, thanks to the network access gained, so that they bypass the bank's fraud warning systems.

"Our [Kaspersky's] investigation revealed an attack where the group then planted a cron script into bank’s server, sending financial transactions at the rate of US$200 per minute," the pair say in analysis.

"A time-based scheduler was invoking the script every minute to post new transactions directly to upstream payment processing system. This allowed the group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank."
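A scheduled script posting straight to the upstream processor leaves two traces a bank can reconcile on: transfers the processor executed that the bank's own ledger never booked, and a cadence too regular for human-initiated payments. The script below, an added example with constructed data and not Kaspersky's or any bank's tooling, reconciles a processor export against ledger references and flags orphan transfer streams that arrive on a fixed period. The export format, destination names and reference ids are assumptions made for the example.

```python
"""Detection sketch for the GCMAN pattern: a scheduled job posts transfers
straight to the upstream payment processor, every minute, with no matching
record in the bank's own ledger.  Added example with constructed data; not
Kaspersky's or any bank's tooling."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed export from the upstream payment processor, one transfer per
# line: <timestamp> <processor tx id> <amount USD> <destination> <ledger ref>
# A '-' in the last field means the processor received no originating ref.
UPSTREAM_LOG = """\
2016-02-08T03:00:00Z tx-9001 200 ecurrency-A -
2016-02-08T03:01:00Z tx-9002 200 ecurrency-A -
2016-02-08T03:02:00Z tx-9003 200 ecurrency-A -
2016-02-08T03:03:00Z tx-9004 200 ecurrency-A -
2016-02-08T03:04:00Z tx-9005 200 ecurrency-A -
2016-02-08T03:05:00Z tx-9006 200 ecurrency-A -
2016-02-08T09:12:45Z tx-1001 15000 supplier-bank LED-551
2016-02-08T10:47:02Z tx-1002 4200 supplier-bank LED-552
2016-02-08T11:00:00Z tx-1003 200 ecurrency-B -
"""

# Constructed set of references the core banking ledger actually issued.
INTERNAL_REFS = {"LED-551", "LED-552"}


def parse_upstream(text):
    """Parse the processor export into dicts sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, tx_id, amount, dest, ref = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "tx_id": tx_id,
            "amount": int(amount),
            "dest": dest,
            "ref": None if ref == "-" else ref,
        })
    records.sort(key=lambda r: r["ts"])
    return records


def orphan_transfers(records, internal_refs):
    """Transfers the processor executed that the bank's ledger never booked.

    Covers both a missing reference and a reference the ledger never issued.
    """
    return [r for r in records if r["ref"] not in internal_refs]


def find_scheduled_drain(records, internal_refs, min_count=5, max_jitter_s=5.0):
    """Flag orphan transfer streams whose inter-arrival times are near-constant,
    the cadence of a scheduler rather than of people making payments."""
    groups = defaultdict(list)
    for r in orphan_transfers(records, internal_refs):
        groups[(r["dest"], r["amount"])].append(r)

    alerts = []
    for (dest, amount), recs in groups.items():
        if len(recs) < min_count:
            continue
        stamps = [r["ts"] for r in recs]
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:
            period = mean(gaps)
            alerts.append({
                "destination": dest,
                "count": len(recs),
                "period_s": period,
                "usd_per_minute": amount * 60.0 / period,
                "tx_ids": [r["tx_id"] for r in recs],
            })
    return alerts


if __name__ == "__main__":
    recs = parse_upstream(UPSTREAM_LOG)
    print("orphans:", [r["tx_id"] for r in orphan_transfers(recs, INTERNAL_REFS)])
    for alert in find_scheduled_drain(recs, INTERNAL_REFS):
        print(alert)
```

The single orphan transfer to ecurrency-B is reported by orphan_transfers but not by find_scheduled_drain: one unbooked payment is a reconciliation exception, while a stream of identical unbooked payments on a sixty-second period is the drain the researchers describe. The reconciliation only works if the ledger export is taken from a system the attackers have not reached; the point of the cron script was precisely to post below the level where the bank's own systems would see the transactions.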

Image: Kaspersky.

The pair also reported that the infamous Carbanak carder gang is back after a five-month hiatus in which they were thought to have disbanded. It is now targeting new victims and, in one hack of a financial organisation, even managed to change the company ownership details.

It is unclear how that falsified information will be used. ®
