Security researchers have lifted the lid on a gang of Russian-speaking cybercrooks, dubbed MoneyTaker.
The group has conducted more than 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia since the spring of 2016, according to Russian incident response firm Group-IB. MoneyTaker has primarily targeted card processing systems, along with interbank transfer systems: the AWS CBR (the Russian Central Bank's automated workstation for interbank payments) and, purportedly, SWIFT in the US.
In addition to banks, MoneyTaker has attacked law firms and financial software vendors. In total, Group-IB has confirmed 20 companies as MoneyTaker victims, with 16 attacks on US organisations, three on Russian banks and one against a British IT company.
By constantly changing their tools and tactics to bypass antivirus and traditional security solutions, and most importantly carefully eliminating their traces after completing operations, the group has largely gone unnoticed. "MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise," said Dmitry Volkov, Group-IB co-founder and head of intelligence. "In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice."
The first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016: money was stolen from a bank after the attackers gained access to the operator portal of First Data's "STAR" debit network. In 2016, Group-IB identified 10 attacks conducted by MoneyTaker: six on banks in the US, one on a US service provider, one on a UK company providing financial software and two on Russian banks. In 2017, the number of attacks has remained the same, with eight US banks, one law firm and one bank in Russia targeted. The geography, however, has narrowed to only the US and Russia.
Group-IB identified connections in the 20 attacks not only in the tools used, but also the distributed infrastructure, and exfiltration tactics used to siphon off data from compromised organisations. "Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and Mail.ru free email services," Group-IB added.
MoneyTaker's attacks on card processing systems have followed a pattern, the firm said.
The first attack on card processing that Group-IB specialists attribute to this group was conducted in May 2016. Having gained access to the bank's network, the attackers compromised the workstation of the bank's operators for First Data's STAR network portal, made the changes they needed and withdrew the money. In January 2017, the attack was repeated at another bank.
The scheme is extremely simple. After taking control of the bank's network, the attackers checked whether they could connect to the card processing system. They then legitimately opened, or bought, cards issued by the bank whose network they had compromised. Money mules – criminals who withdraw money from ATMs – travelled abroad with the already activated cards and waited for the operation to begin.
Once inside the card processing system, the attackers removed or increased the cash withdrawal limits on the cards held by the mules. They also removed overdraft limits, which made it possible to go overdrawn even on debit cards. Using these cards, the mules withdrew cash from ATMs, one after another. The average loss from a single attack was about $500,000.
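The cash-out sequence just described leaves a detectable trail in card-processing audit data: a limit that is loosened, then withdrawals shortly afterwards that exceed what the old limit would have allowed. As an added example (not code from the article or from Group-IB), the Python below runs a small correlation rule over constructed audit lines; the line format, card tokens, operator names and field names are all assumptions for illustration. A card alerts when withdrawals inside the window exceed its previous limit and at least one risk indicator is present: the limit was removed outright, an overdraft limit was lifted, the change was made out of hours, or the withdrawals were abroad.

```python
"""Correlate card limit changes with the ATM withdrawals that follow them.

Added example with a constructed log format; not Group-IB's tooling and not
any real card-processing system's audit schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: two event types, key=value fields. "none" = limit removed.
SAMPLE_LOG = """\
2017-01-10T02:14:07Z LIMIT_CHANGE card=4111xxxx1111 field=withdrawal_limit old=300 new=none operator=proc_admin3
2017-01-10T02:14:09Z LIMIT_CHANGE card=4111xxxx1111 field=overdraft_limit old=0 new=none operator=proc_admin3
2017-01-10T02:15:31Z LIMIT_CHANGE card=5500xxxx2222 field=withdrawal_limit old=300 new=20000 operator=proc_admin3
2017-01-10T03:01:12Z ATM_WITHDRAWAL card=4111xxxx1111 amount=2000 country=LV
2017-01-10T03:04:48Z ATM_WITHDRAWAL card=4111xxxx1111 amount=2000 country=LV
2017-01-10T03:09:02Z ATM_WITHDRAWAL card=5500xxxx2222 amount=1500 country=CZ
2017-01-10T03:12:40Z ATM_WITHDRAWAL card=5500xxxx2222 amount=1500 country=CZ
2017-01-10T14:30:00Z LIMIT_CHANGE card=6011xxxx3333 field=withdrawal_limit old=300 new=500 operator=branch_user12
2017-01-10T16:02:11Z ATM_WITHDRAWAL card=6011xxxx3333 amount=400 country=US
2017-01-11T09:00:00Z ATM_WITHDRAWAL card=4111xxxx1111 amount=100 country=US
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\w+)\s+(?P<kv>.*)$")


def parse(log_text):
    """Turn each audit line into a dict; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = {"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
              "event": m["event"]}
        ev.update(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
        events.append(ev)
    return events


def _limit(value):
    """A removed limit ("none") is treated as unbounded."""
    return float("inf") if value == "none" else float(value)


def detect(log_text, window_hours=24, home_country="US", business_hours=(8, 20)):
    """Return one alert per card showing the loosen-then-cash-out pattern."""
    events = parse(log_text)
    anchors = {}                   # card -> time of first loosening change
    old_limits = {}                # card -> withdrawal limit before the change
    indicators = defaultdict(set)  # card -> risk indicators seen

    for ev in events:
        if ev["event"] != "LIMIT_CHANGE":
            continue
        card, old, new = ev["card"], _limit(ev["old"]), _limit(ev["new"])
        if new <= old:
            continue  # tightening or no-op: not part of the pattern
        anchors.setdefault(card, ev["ts"])
        if ev["field"] == "withdrawal_limit":
            old_limits.setdefault(card, old)
            if new == float("inf"):
                indicators[card].add("withdrawal limit removed")
        elif ev["field"] == "overdraft_limit":
            indicators[card].add("overdraft limit removed or raised")
        if not business_hours[0] <= ev["ts"].hour < business_hours[1]:
            indicators[card].add("change outside business hours")

    totals = defaultdict(float)
    for ev in events:
        if ev["event"] != "ATM_WITHDRAWAL" or ev["card"] not in anchors:
            continue
        start = anchors[ev["card"]]
        if not start <= ev["ts"] <= start + timedelta(hours=window_hours):
            continue  # only withdrawals after the change, inside the window
        totals[ev["card"]] += float(ev["amount"])
        if ev["country"] != home_country:
            indicators[ev["card"]].add("foreign ATM withdrawal")

    alerts = []
    for card, start in anchors.items():
        # Without a known prior withdrawal limit there is nothing to exceed.
        prior = old_limits.get(card, float("inf"))
        if totals[card] > prior and indicators[card]:
            alerts.append({"card": card, "window_start": start,
                           "withdrawn": totals[card], "prior_limit": prior,
                           "indicators": sorted(indicators[card])})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, the two cards changed by the out-of-hours operator and cashed out abroad alert, while the branch user's modest daytime increase followed by a domestic withdrawal does not, even though that withdrawal also exceeds the old limit; the indicator requirement is what keeps routine limit changes out of the queue.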
MoneyTaker uses a combination of commercial (e.g. the Metasploit pen-testing tool), cybercrime underground and its own self-written tools.
MoneyTaker's toolkit [source: Group-IB]
MoneyTaker's hacking kit included privilege escalation tools compiled from code presented at the Russian cybersecurity conference ZeroNights in 2016. In some incidents, the crooks called the infamous Citadel and Kronos banking Trojans into play. Kronos was used to deliver Point-of-Sale (POS) malware, dubbed ScanPOS.
In an attack on a Russian bank through the AWS CBR, the hackers used a tool called MoneyTaker v5.0, after which the group has been named. Each component of this modular program performs one task: finding payment orders, replacing the original payment details with fraudulent ones, and erasing traces of the changes.
After infection, the group normally erases malware traces. However, when investigating an incident in Russia, Group-IB managed to discover the initial point of compromise: hackers penetrated the internal network by gaining access to the home computer of the system administrator.
Exfiltrated documents associated with the attacks include admin guides, internal regulations and instructions, change request forms, transaction logs and the like. Several incidents involved documents describing how to make transfers through SWIFT. "Their contents and geography indicate that banks in Latin America may be targeted next by MoneyTaker," Group-IB said.
Group-IB has turned over its MoneyTaker research dossier to Europol and Interpol as part of its recently signed cooperation in fighting cybercrime. ®