Inventive cyber gang steals millions from East European banks

Trustwave researchers have uncovered a series of ingenious bank heists that cost several Eastern European and Russian banks up to $10 millions each, and they believe financial institutions in European, North American, Asian and Australian regions could be targeted with the same within the next year.

The attackers’ modus operandi

The attackers first recruited mules, equipped them with counterfeit documents, and sent them to open dozens of new bank accounts by physically visiting various branches of the targeted banks, in different cities in the country. Once the accounts were open, the mules received legitimate debit/ATM cards tied to those accounts, and handed them over to the members of the cybercriminal network, who sent them outside the country.

In the meantime, the cyber attackers gained entry to the banks’ networks (via phishing and social engineering), compromised multiple systems inside it, set up backdoors and RDP access to them, then proceeded to capture employees’ credentials that would allow them to connect to the banks’ payment processor’s network.

“After gaining foothold into the processor’s network, the attackers compromised the Enterprise Admin account which eventually gave them full access into the infrastructure. Their next step was to execute reconnaissance of the card processing service. Next, the attackers executed several malicious payloads on the processor’s network, key amongst them was a legitimate monitoring tool installed on the processor’s Terminal Server (that allowed users to access the card management application via a browser),” Trustwave researchers explained.

“This software called “Mipko” (advertised as “Employee Monitor”) captures full information, including screen captures, keystrokes and several other types of information for all users who logged into the system and/or accessed the card management application using their respective credentials.”

After that, they had everything they needed to finally pull off the heist.

While money mules were getting ready to use the debit cards on the bank’s ATMs, the cyber attackers used bank employees’ stolen credentials to:

• Change risk ratings on the rogue accounts from high to low
• Activate the “overdraft” credit permission on those accounts
• Manipulate or remove any anti-fraud control in place for these accounts
• Change the overdraft limit on those accounts from the default value of $0 to ranges of USD$25,000 – USD$35,000.

“The physical counterparts stationed at various locations in Europe and the Russian Federation then cashed out substantial amounts of money for each of these cards from ATM terminals. Cash withdrawals across the region began within minutes of the first overdraft property change made to the debit cards on the card management application,” the researchers found.

The mules used ATMs in solitary locations, with no or broken security cameras, with not security guard protection, and the ability to dispense substantial amounts of cash. The ATMs were always located outside of the victim bank’s actual country.

According to the researchers, this final stage of the heist took hours to complete. The entire operation, from the opening of bank accounts to collecting the money from ATMs, took six months on average.

Organized cybercrime

There can be no doubt that these heists were pulled off by a knowledgeable, organized cybercrime group.

“Throughout the distinct phases of the cyber-attack, we noted that attackers adopted the emerging tactic sometimes called ‘living off the land’ which involves very limited use of actual malware in the form of malicious fles and easily detected protocols associated with Command & Control and data exfltration traffic,” the researchers shared.

“Instead, the attackers used legitimate Windows and PowerShell commands in combination with tools such as PSExec for lateral movement. Notably they also used plink.exe (Windows SSH client) to access RDP over an already established SSH tunnel. Other software components used in this operation were split among commercial monitoring application (Mipko Employee Monitor) and the well-known suspect ‘Cobalt Strike Beacon’ mainly used to maintain backdoor connection with an endpoint geolocated in the United States of America.”

The attackers also went to great pains to clean their tracks after the pulled off the robbery. They usually used a specific system within the bank’s network to perform their activities, and at the end of the action they dropped a wiper (dropper.exe) that wiped the Master Boot Record on its hard disk and restarted the system. With the corrupted MBR, the system was effectively un-bootable.

The researchers managed to recover the MBR, and the self-deleting dropper.exe.

“This file is not yet publicly known in VirusTotal or other similar services, which is another strong indicator of targeted operations and organized crime actors. The use of this tool demonstrates that the attackers were highly motivated to wipe their tracks clean by creating additional obstacles for investigative procedures,” they concluded, and provided hashes for finding it.