MoneyTaker Group Stole $10m from US and Russian Banks

A sophisticated cybercrime group has launched over 20 successful attacks on banks, law firms and software vendors in the US, Russia and the UK over the past 1.5 years, stealing $10m in the process, according to researchers.

Appropriately dubbed “MoneyTaker”, the group attacked 16 US organizations — mainly banks — three Russian banks and one UK-based financial software vendor, according to Group-IB.

This is a highly sophisticated operation, with the group changing tools and tactics on a regular basis and carefully cleaning up after themselves to avoid detection.

The goal is two-fold: to steal cash from the targeted banks, and to steal documentation detailing the banks' internal processes and how transfers are made through SWIFT and the Russian interbank system AWS CBR.

Group-IB explained how the monetary theft works:

“After taking control over the bank's network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked. Money mules…with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules. They removed overdraft limits, which made it possible to overdraw even with debit cards.”

These money mules are said to have withdrawn on average $500,000 per attack.
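One way a card-processing or fraud team could hunt for the cash-out pattern described above, as an added example that is not Group-IB's code or tooling: it scans card-processing audit events for cards whose withdrawal limit was raised or removed and which were then used abroad, within a short window, for more cash than the old limit allowed. The event format, the home country and the 48-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

HOME_COUNTRY = "US"           # assumption: the issuing bank's home market
WINDOW = timedelta(hours=48)  # assumption: how soon after a limit change to look

# Constructed card-processing audit events (not real bank data). Two record types:
#   limit_change: the per-day cash withdrawal limit on a card was changed;
#                 new_limit None means the limit was removed entirely.
#   withdrawal:   an ATM cash withdrawal with the country it happened in.
EVENTS = [
    {"ts": "2017-11-20T01:12:00", "type": "limit_change", "card": "C-1001",
     "old_limit": 500, "new_limit": None},
    {"ts": "2017-11-20T03:30:00", "type": "withdrawal", "card": "C-1001",
     "amount": 12000, "country": "MX"},
    {"ts": "2017-11-20T04:05:00", "type": "withdrawal", "card": "C-1001",
     "amount": 9000, "country": "MX"},
    # Legitimate: customer raises the limit, then withdraws at home, under the old limit.
    {"ts": "2017-11-20T09:00:00", "type": "limit_change", "card": "C-2002",
     "old_limit": 500, "new_limit": 1000},
    {"ts": "2017-11-20T10:00:00", "type": "withdrawal", "card": "C-2002",
     "amount": 400, "country": "US"},
    # Foreign withdrawal weeks after the limit change: outside the window.
    {"ts": "2017-11-01T08:00:00", "type": "limit_change", "card": "C-3003",
     "old_limit": 500, "new_limit": None},
    {"ts": "2017-11-20T08:00:00", "type": "withdrawal", "card": "C-3003",
     "amount": 5000, "country": "GB"},
]


def find_cashout_chains(events, home=HOME_COUNTRY, window=WINDOW):
    """Return {card: cash withdrawn abroad} for cards whose limit was raised or
    removed and which were then used abroad, inside `window`, for more cash
    than the old limit permitted."""
    raised = {}   # card -> (time limit was raised/removed, old limit)
    abroad = {}   # card -> cash withdrawn abroad inside the window
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        card, t = e["card"], datetime.fromisoformat(e["ts"])
        if e["type"] == "limit_change":
            if e["new_limit"] is None or e["new_limit"] > e["old_limit"]:
                raised[card] = (t, e["old_limit"])
                abroad[card] = 0
            else:  # limit lowered again: the card is back to normal, reset state
                raised.pop(card, None)
                abroad.pop(card, None)
        elif e["type"] == "withdrawal" and card in raised:
            changed_at, _ = raised[card]
            if e["country"] != home and t - changed_at <= window:
                abroad[card] += e["amount"]
    return {c: amt for c, amt in abroad.items() if amt > raised[c][1]}
```

Feeding the events straight from the card-processing system's audit log and alerting on any non-empty result gives a cheap tripwire for this stage of the attack, independent of whether the network intrusion itself was detected.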

They have been spotted using Metasploit to infiltrate corporate networks, forged SSL certificates to hide C&C traffic, privilege-escalation tools whose proof-of-concept code was demonstrated at a Russian security conference, and the Citadel and Kronos banking trojans.

However, they also developed a homegrown screenshot/keylogger app, and the “MoneyTaker 5.0” program designed to replace and erase payment data in AWS CBR.

Great care is taken to stay under the radar. For example, the group uses fileless malware which only exists in RAM and is destroyed after reboot. Persistence is achieved via PowerShell and VBS scripts, both hard to detect and easy to modify.

“After successful infection, they carefully erase malware traces. However, when investigating an incident in Russia, we managed to discover the initial point of compromise: hackers penetrated the bank's internal network by gaining access to the home computer of the bank's system administrator,” Group-IB explained.

“Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and Mail.ru free email services in the first.last@yandex.com format.”

The security vendor warned that the group could be planning to target Latin American banks which use the popular STAR interbank network. The firm has now turned over its findings to Europol and Interpol.

Although the group appears to be Russian-speaking, there is no indication that it is based in Russia, as its attacks on Russian banks would mark it out for special attention from local law enforcement.
