'MoneyTaker' Hackers Stole Millions from Banks: Report
12.12.2017 securityweek CyberCrime
A group of Russian-speaking cybercriminals has launched over 20 successful attacks against financial institutions and legal firms in the US, UK and Russia over the past two years, according to cybecrime research firm Group-IB.
Called “MoneyTaker” by Group-IB, the group has been focused on card processing systems, such as the AWS CBR (Russian Interbank System) and SWIFT (US). The fraudsters might soon switch interest to financial institutions in Latin America, given the wide usage of STAR in the region, Group-IB researchers believe.
The group has performed successful attacks on banks in different countries, as well as law firms and financial software vendors. In total 20 companies were hit, including 16 in the US, 3 banks in Russia, and one IT-company in the UK.
The attacks caused losses of roughly $500,000 per attack on average, according to Group-IB's analysis.
The hackers managed to fly under the radar for so long by constantly changing tools and tactics and carefully eliminating traces after completing their operations.
“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future,” Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence, says.
The first US attack attributed to the group was conducted in the spring of 2016. The hackers stole money by gaining access to First Data’s “STAR” network operator portal. Since then, MoneyTaker hit organizations in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia and Florida.
A total of 10 attacks were attributed to the group in 2016: 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a company in the UK, and 2 attacks on Russian banks. In 2017, the group hit 8 US banks and 1 law firm and 1 bank in Russia.
Group-IB has discovered that the group is using specific withdrawal schemes, where a single account is employed for each transaction. After the theft, the hackers continue to monitor impacted banks, the security researchers say.
By continuously exfiltrating internal banking documentation (admin guides, internal regulations and instructions, change request forms, transaction logs, etc.), the group stays updated on bank operations and can prepare future attacks.
Tools associated with MoneyTaker include the infamous Citadel and Kronos banking Trojans, and the ScanPOS Point-of-Sale (POS) malware. The hackers also used privilege escalation utilities compiled based on codes presented at the Russian cybersecurity conference ZeroNights 2016.
The group uses both borrowed and self-written tools. They developed an app with screenshot and keylogger capabilities for spying purposes. Compiled in Delphi, the app can also steal clipboard contents and can disable itself. The app includes 5 timers and an anti-emulation function in the timer code.
An attack on a Russian bank employed MoneyTaker v5.0, a modular tool capable of searching for payment orders, modifying them, replacing original payment details with fraudulent ones, and erasing traces. After the transaction, a concealment module also replaces the fraudulent payment details with the original ones in a debit advice. Thus, the payment order is accepted with the fraudulent details, but the response comes with the initial details instead.
MoneyTaker uses a distributed infrastructure that features a persistence server designed to deliver payloads only to victims with IP addresses in MoneyTaker’s whitelist.
The hackers use a pentest framework server with Metasploit installed on it. The hackers compromise a computer at the targeted organization, then leverage the pentesting framework for network reconnaissance, finding vulnerable applications, exploiting flaws, escalating systems privileges, and information collection.
Courtesy of fileless malware, MoneyTaker can easily hide tracks. When persistence is needed, the group uses PowerShell and VBS scripts, which are difficult to detect and easy to modify. The researchers also observed the group making changes to source code ‘on the fly’ during the attack.
To protect communication with the command and control (C&C) server, the group uses SSL certificates generated using names of well-known brands: Bank of America, Federal Reserve Bank, Microsoft, Yahoo, etc. They also used the LogMeIn Hamachi solution for remote access.
In May 2016, MoneyTaker performed the first attack targeting card processing. Through the compromised network of a bank, the hackers gained access to First Data’s STAR network portal operators, which allowed them to make the necessary modifications and start withdrawing money.
After connecting to the card processing system, the group legally opened or bought cards of the hacked bank. Money mules with previously activated cards waited abroad for the operation to begin. The hackers then removed or increased cash withdrawal limits for the cards and removed overdraft limits, thus allowing the money mules to withdraw an excessive amount of cash from ATMs.
Group-IB says they provided the uncovered information on MoneyTaker to Europol and Interpol for further investigative activities.