Two hacker groups attacked Russian banks posing as the Central Bank of Russia
17.11.2018 securityaffairs CyberCrime
Group-IB has detected massive campaigns targeting Russian financial institutions posing as the Central Bank of Russia.
The emails were disguised to look as if they came from the Central Bank of Russia and FinCERT, the Financial Sector Computer Emergency Response Team. Group-IB experts tentatively attribute the 15 November attack to the hacker group Silence and the 23 October attack to MoneyTaker. Group-IB considers both cybercriminal groups among the most dangerous to Russian and international financial organisations.
November attack: Silence
On the morning of 15 November, Group-IB detected a malicious mass email campaign sent to Russian banks from a fake email address purporting to belong to the Central Bank of Russia (CBR). The CBR itself had nothing to do with the phishing campaign: the attackers forged the sender address, and the messages carried no DKIM signature tying them to the regulator's domain, so the spoofed From: header had nothing behind it that a receiving mail gateway could verify. Emails with the subject line “Information from the Central Bank of the Russian Federation” asked recipients to review the regulator's decision “On the standardisation of the format of CBR's electronic communications” and to implement the changes immediately. The documents in question were supposedly contained in the zipped files attached; in reality the archives carried Silence.Downloader, the loader used by the Silence group, which ran once a recipient extracted and opened the contents.
Group-IB experts have observed that the style and format of the emails were almost identical to official correspondence from the regulator. The hackers most likely had access to samples of legitimate emails. According to Group-IB’s report published in September 2018, Silence gang members presumably were or are legally employed as pentesters and reverse engineers. As such, they are very familiar with documentation in the financial sector and the structure of banking systems.
October attack: MoneyTaker
The message sent on 23 October, also from a fake FinCERT email address, contained five attachments disguised to look like official CBR documents. Among them was a document entitled “Template Agreement on Cooperation with the Central Bank of the Russian Federation on Monitoring and Information Exchange .doc”. Three of the five files were empty decoy documents, but two contained a downloader for a Meterpreter stager. The attack infrastructure used self-signed SSL certificates, and the servers involved had already been used in previous attacks conducted by MoneyTaker. Taken together, these factors led to the conclusion that MoneyTaker was behind the October attack.
Group-IB experts believe that hackers managed to obtain the samples of CBR documents from earlier compromised mailboxes belonging to employees of Russian banks. MoneyTaker used the information obtained to design emails and documents purporting to be from the CBR to conduct targeted attacks on banks.
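Both campaigns described above share the same two tells that a bank's mail gateway can check mechanically: a From: header claiming the regulator's domain with no DKIM signature or envelope sender aligned to it, and a zip attachment whose members are executables rather than the documents the filename promises. The Python below is an added example written for this page, not Group-IB's, the CBR's or the attackers' code. The domain fincert.example, the mailbox names, the attachment names and the list of executable extensions are assumptions; the payload bytes are constructed placeholders, not malware; and the DKIM check tests only whether a signature's d= tag is aligned with the From: domain, not the signature itself (verifying that would need the public key from DNS and a library such as dkimpy).

```python
"""Triage of a regulator-themed phishing email: sender alignment and archive contents."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Member types inside an archive that a bank gateway should treat as a red flag.
# Assumed list for this example, not taken from the Group-IB write-up.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".dll", ".js", ".jse", ".vbs", ".wsf",
                         ".hta", ".chm", ".lnk", ".bat", ".cmd", ".ps1"}


def header_domain(value) -> str:
    """Lower-cased domain of an RFC 5322 address header ('' if header is absent)."""
    _, addr = parseaddr(str(value) if value else "")
    return addr.rpartition("@")[2].lower()


def dkim_signing_domains(msg) -> set:
    """d= tags of every DKIM-Signature header on the message (alignment only, no crypto)."""
    domains = set()
    for sig in msg.get_all("DKIM-Signature", []):
        for tag in str(sig).split(";"):
            key, _, val = tag.strip().partition("=")
            if key.strip().lower() == "d":
                domains.add(val.strip().lower())
    return domains


def dkim_aligned(msg) -> bool:
    """True only if some DKIM-Signature d= matches the From: domain; no signature -> False."""
    return header_domain(msg["From"]) in dkim_signing_domains(msg)


def return_path_aligned(msg) -> bool:
    """The envelope sender (Return-Path) should share the From: domain."""
    return header_domain(msg["Return-Path"]) == header_domain(msg["From"])


def archived_executables(msg) -> list:
    """(attachment name, member name) for every executable inside a zip attachment."""
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                if os.path.splitext(member)[1].lower() in EXECUTABLE_EXTENSIONS:
                    hits.append((part.get_filename() or "", member))
    return hits


def triage(raw: bytes) -> dict:
    """Parse a raw message and return the checks a gateway rule would key on."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {
        "from_domain": header_domain(msg["From"]),
        "dkim_aligned": dkim_aligned(msg),
        "return_path_aligned": return_path_aligned(msg),
        "archived_executables": archived_executables(msg),
    }
    findings["suspicious"] = (not findings["dkim_aligned"]
                              or not findings["return_path_aligned"]
                              or bool(findings["archived_executables"]))
    return findings


def build_sample(spoofed: bool) -> bytes:
    """Constructed test message; fincert.example stands in for the regulator's domain."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if spoofed:
            # Constructed stand-in for a dropped loader; the bytes are not real malware.
            zf.writestr("CBR_decision_format.doc.exe", b"MZ-placeholder")
        else:
            zf.writestr("CBR_decision_format.pdf", b"%PDF-placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Information from the Central Bank of the Russian Federation"
    msg["To"] = "treasury@bank.example"
    msg["From"] = '"FinCERT" <info@fincert.example>'
    if spoofed:
        # Forged From: only; envelope sender is attacker infrastructure and nothing is signed.
        msg["Return-Path"] = "<bounce@mail-fincert.example>"
    else:
        msg["Return-Path"] = "<noreply@fincert.example>"
        msg["DKIM-Signature"] = ("v=1; a=rsa-sha256; d=fincert.example; s=sel1; "
                                 "h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
    msg.set_content("Please review the attached decision and implement the changes immediately.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="CBR_decision.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, flag in (("spoofed", True), ("aligned", False)):
        print(label, triage(build_sample(flag)))
```

The rule deliberately treats a missing DKIM signature as a failure rather than a neutral result: a regulator that signs its outbound mail (as the CBR press service says FinCERT does) gives the receiving bank a reason to reject anything claiming its domain without one.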
A spear-phishing campaign dressed up as correspondence from the Central Bank is a relatively widespread vector among cybercriminals; it has been used by groups such as Buhtrap, Anunak, Cobalt, and Lurk. In March 2016, for example, cybercriminals sent phishing emails with the spoofed sender address info@fincert.net. Genuine CBR notifications have been abused as well: in the past, Lurk and Buhtrap reused them as templates for delivering malware to bank employees.
“Since July, to share information, FinCERT has been using an automated incident processing system that makes it possible to securely and quickly share information about incidents and unauthorized operations based on the “Feed-Antifraud” database,” comments the Central Bank’s press service. “The backup channel for sharing information is email. All messages sent via email contain FinCERT’s electronic signature.”
Information and indicators of attack (IoAs) from the 23 October and 15 November campaigns were quickly uploaded to Group-IB Threat Intelligence, which allowed Group-IB to warn its clients among Russian banks about the threat. Group-IB TDS (Threat Detection System) detected both phishing campaigns and flagged the malicious activity, and the system blocked the threat in inline mode.
“MoneyTaker and Silence are two of the four most dangerous hacker groups that present a real threat to international financial organisations,” said Rustam Mirkasymov, head of Group-IB's malware dynamic analysis department and threat intelligence expert. “Hackers from MoneyTaker use all possible attack vectors when targeting banks. For example, they can send spear-phishing emails, carry out a drive-by attack, or test a bank's network infrastructure for existing vulnerabilities. After gaining access to the network's internal nodes, hackers are easily able to carry out attacks and withdraw money through ATMs, card processing or interbank transfer systems (in Russia, AWS CBR, the Russian Central Bank's Automated Workstation Client). Silence, for their part, are less resourceful and use only a tried and tested attack method: phishing emails. Unlike their colleagues, however, they pay closer attention to the content and design of their phishing emails.”
About Silence
Silence is an active though very small group of Russian-speaking hackers. Group-IB first detected the group's activity in 2016. Over the course of their ‘work’, Silence attacked bank management systems, card processing systems, and the Russian interbank transfer system (AWS CBR). The gang's targets are mainly located in Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan, although phishing emails have also been sent to bank employees in Central and Western Europe, Africa, and Asia. A month ago, Group-IB detected a spear-phishing attack targeting companies in the United Kingdom. The report “Silence: Moving into the darkside”, published in September 2018, was the first to describe the group's tactics and tools.
About MoneyTaker
MoneyTaker is a hacker group that is thought to be responsible for 16 attacks in the United States, 5 attacks on Russian banks, and 1 in the United Kingdom. Apart from money, the criminals steal documentation about interbank payment systems that is necessary for preparing future attacks. The group also carries out attacks through intermediaries by hacking banks' partners, IT companies, and financial product providers. In December 2017, Group-IB published its first report on the group: “MoneyTaker: 1.5 years of silent operations”.