A stealthy group of Russian-speaking hackers has been targeting financial organizations (banks, credit unions, lenders) in the US and Russia, stealing money and documentation that could be used for new attacks.
The group’s operations have been detailed in a report by Russian cyber attack investigators Group-IB, who investigated over 20 attacks that have been traced back to MoneyTaker (as they’ve dubbed the hacking outfit).
MoneyTaker hackers seem to have a preference for small community banks, likely because they have limited cyber defenses and are easier to breach.
Among the first documented victims was a bank in the US, from which funds were stolen by gaining access to First Data’s STAR card processing system. This was in May 2016. Since then, the criminals continued their spree in the US, but also in Russia and the UK, where they hit an unnamed software and service provider.
When hitting Russian institutions, the attacker’s main target was the AWS CBR (Automated Work Station Client of the Russian Central Bank), a Russian interbank fund transfer system similar to SWIFT.
“The average damage from each successful attack [against US institutions] was 500,000 USD baseline,” the researchers shared. Russian targets lost an average 1.2 million USD per incident, but managed to return some portion of the stolen money.
The group stole money from most banks by compromising their card processing systems, and used it to remove or increase cash withdrawal limits for the cards held by the mules. The mules would withdraw as much cash as possible from ATMs when instructed to do so. A similar modus operandi is employed by other cyber gangs.
Possible future targets
The researchers found that the criminals pilfered documentation for OceanSystems’ FedLink wire transfer processing system, which is used by 200 banks in Latin America and the US. They believe these banks might be targeted by MoneyTaker attackers next.
For the same reason, they believe that the hackers are looking for ways to compromise the SWIFT interbank communication system. (The researchers have found no evidence that the group was behind any of the recent attacks on SWIFT systems.)
The group uses a number of tools – some they’ve created themselves and some borrowed from a variety of sources.
Among those in the latter group are the Metasploit and PowerShell Empire pentesting tools, banking Trojans (Citadel, Kronos), and NirCmd, a small command-line utility that allows hackers to remotely execute various commands.
For more specific actions, e.g. for auto replacement of payment data in the AWS CBR, but also for logging keystrokes and taking screenshots, they opted for creating their own programs.
“Members of the group are skilled enough to promptly adjust the tools applied. In some cases, they made changes to the source code ‘on the fly’ – during the attack,” the investigators also noted.
The group makes a concerted effort to fly under the radar of both targets and security researchers:
- They use fileless malware, but take care to make it persist by using PowerShell and VBS scripts
- They use SSL certificates generated using names of well-known brands (Microsoft, Yahoo, Bank of America, etc.) to protect C&C communications from being detected by security teams
- They configure servers used to deliver malicious payloads in such a way that they can only be delivered to a predetermined list of IP addresses belonging to the target company. These Persistence servers are used to force a malicious file to be launched if the attacked computer has been rebooted.
- After each round of attacks, they deploy new infrastructure for network persistence
- They use a program to remove all components of the programs applied during the attack, in order to erase all possible tracks. (The program had errors, though, and this is how the investigators ultimately managed to get their hands on evidence of intrusion).
In most of the cases, it is unknown how the group managed to get a foothold in the corporate network. But in one specific case, the entry point was the home computer of the bank’s system administrator.