Russian-language hackers managed to artificially move the ruble-dollar exchange rate last year after infecting a regional bank with a little-known trojan and placing over $500m in trades, it has been revealed.
Moscow-based security company Group-IB told Bloomberg that the group successfully attacked the Energobank in February 2015, gaining remote access to systems which allowed them to make the huge orders at “non-market rates.”
Doing so apparently caught the attention of the Russian central bank, which suspected an attempt at deliberate currency manipulation.
A statement by the Bank of Russia following the incident claimed the volatility lasted 14 minutes and caused the exchange rate to move between 55 and 66 rubles per dollar, which “significantly differed from the prevailing market rate,” the report said.
The Moscow Exchange claimed its systems had not been hacked that day, focusing attention on the Kazan-headquartered Energobank, which has reportedly tried to claim losses of 244m rubles ($3.2m) due to the trades.
Unusually, the hackers themselves appear not to have made any money from the campaign, although they might have used it as a test run for a future attack, Group-IB told the newswire.
Corkow, the trojan used in the attack, is less well known than banking trojan siblings such as Zeus, Carberp and Shiz, but it has probably been around since 2011.
Eset claimed it was seeing hundreds of Corkow infections per day back in February 2014.
The malware is modular, meaning its capabilities can be changed according to the purpose of the attack. Remote access and password stealing are among those capabilities and fit the MO of the attack on Energobank.
It was also designed to evade detection and analysis by researchers – namely by encrypting its payload after installation, and behaving innocuously if run on a PC other than the one it first infected, Graham Cluley wrote back in 2014.
Corkow, also known as ‘Metel’, has also been spotted by Russian AV firm Kaspersky Lab as recently as last summer, enabling ATM theft, the firm explained in a blog post.
“The malware, used exclusively by the Metel group, infected the bank’s corporate network via e-mail and moved laterally to gain access to the computers within the bank’s IT systems,” Kaspersky Lab’s Global Research and Analysis Team revealed.
“Having gained access to the bank operator’s money-processing system, the gang pulled off a clever trick by automating the rollback of ATM transactions. This meant that money could be stolen from ATM machines via debit cards while the balance on the cards remained the same, allowing for multiple transactions at different ATM machines.”