Russian hackers used malware to manipulate the Dollar/Ruble exchange rate

Russian-language hackers have managed to break into Russian regional bank Energobank, infect its systems, and gain unsanctioned access to its trading system terminals, which allowed them to manipulate the Dollar/Ruble exchange rate.

“The criminals made purchases and sales of US dollars in the Dollar/Ruble exchange program on behalf of a bank using malware. The attack itself lasted only 14 minutes, however, it managed to cause a high volatility in the exchange rate of between 55/62 (Buy/Sell) rubles per 1 dollar instead of the 60-62 stable range,” Russian security company Group-IB shared in a recently published whitepaper.

“To conduct the attack criminals used the Corkow malware, also known as Metel, containing specific modules designed to conduct thefts from trading systems (…) Corkow provided remote access to the ITS-Broker system terminal by ‘Platforma soft’ Ltd., which enabled the fraud to be committed.”

The attack happened in February 2015, but the preparation for it lasted much longer (click on the screenshot to enlarge it):

The attack happened in February 2015

During this period, the Corkow Trojan was functional and constantly updated itself to avoid detection by antivirus software installed at the bank.”

The incident lead to an investigation by the Russian central bank, and Energobank also called in Group-IB’s researchers to investigate.

“As a result of the attack, the compromised bank which terminal was used for intrusion, suffered a huge financial and reputational damage, since many players on the market didn’t trust the hacking theory of the incident and tended to believe that a simple mistake had occurred,” noted Group-IB’s researchers, who were called in by Energobank to investigate the incident.

“Experts say that many companies that were trading at the time of the attack and successfully made profit while the attackers are believed to have received no money from the operation. This evidence leads us to believe that these hacker actions could be a test of the ability to influence the market and capitalize on future attacks.”

It seems likely that the attack was perpetrated by the Metel cyber-criminal group, whose exploits half a year later have resulted in a successful attack involving the compromise of an unnamed bank and automation of the rollback capability of ATM transactions, and the criminals making off with hundreds of millions of rubles. To execute the attack, they used the aforementioned Corkow Trojan and, once again, the Niteris exploit pack to perpetrate the initial drive-by download of the malware.

“Various hacker groups demonstrate increased interest towards trading and brokerage systems and their clients, which is evidenced by the specific modifications in malware they use,” the researchers commented. “Hackers target primarily companies in Russia and CIS countries, though it is noticed that the amount of attacks targeting the USA has increased 5 times since 2011.”

For an in-depth overview of this group’s actions and technical details about the malware they used, check out the whitepaper.