Security researchers have uncovered a previously undetected group of Russian-speaking hackers of which has silently been targeting Banks, financial institutions, in addition to also legal firms, primarily from the United States, UK, in addition to also Russia.
Moscow-based security firm Group-IB published a 36-page report on Monday, providing details about the newly-disclosed hacking group, dubbed MoneyTaker, which has been operating since at least May 2016.
from the past 18 months, the hacking group can be believed to have conducted more than 20 attacks against various financial organisations—stolen more than $11 Million in addition to also sensitive documents of which could be used for next attacks.
According to the security firm, the group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) in addition to also SWIFT international bank messaging service (United States).
“Criminals stole documentation for OceanSystems’ FedLink card processing system, which can be used by 200 banks in Latin America in addition to also the US.” Group-IB says in its report.
Group-IB also warned of which the MoneyTaker attacks against financial organizations appear to be ongoing in addition to also banks in Latin America could be their next target.
MoneyTaker: 1.5 Years of Silent Operations
Since its first successful attack in May last year, MoneyTaker has targeted banks in California, Illinois, Utah, Oklahoma, Colorado, South Carolina, Missouri, North Carolina, Virginia in addition to also Florida, primarily targeting little community banks with limited cyber defenses.
Even after a large number of attacks against so many targets, MoneyTaker group managed to keep their activities concealed in addition to also unattributed by using various publicly available penetration testing in addition to also hacking tools, including Metasploit, NirCmd, psexec, Mimikatz, Powershell Empire, in addition to also code demonstrated as proof-of-concepts at a Russian hacking conference in 2016.
“To propagate across the network, hackers used a legitimate tool psexec, which can be typical for network administrators.” Group-IB says in its report.
Besides using open-source tools, the group has also been heavily utilizing Citadel in addition to also Kronos banking trojans to deliver a Point-of-Sale (POS) malware, dubbed ScanPOS.
“Upon execution, ScanPOS grabs information about the current running processes in addition to also collects the user name in addition to also privileges on the infected system. of which said, the item can be primarily designed to dump process memory in addition to also search for payment card track data. The Trojan checks any collected data using Luhn’s algorithm for validation in addition to also then sends the item outbound to the C&C server.”
“The group uses ‘fileless’ malware only existing in RAM in addition to also can be destroyed after reboot. To ensure persistence from the system MoneyTaker relies on PowerShell in addition to also VBS scripts – they are both difficult to detect by antivirus in addition to also easy to modify. In some cases, they have made adjustments to source code ‘on the fly’ – during the attack,“
“To escalate privileges up to the local administrator (or SYSTEM local user), attackers use exploit modules via the standard Metasploit pack, or exploits designed to bypass the UAC technology. With local administrator privileges they can use the Mimikatz program, which can be loaded into the memory using Meterpreter, to extract unencrypted Windows credentials.”
Moreover, MoneyTaker also makes use of SSL certificates generated using names of well-known brands—including as Bank of America, Microsoft, Yahoo in addition to also Federal Reserve Bank—to hide its malicious traffic.
The hacking group also configure their servers in a way of which malicious payloads can only be delivered to a predetermined list of IP addresses belonging to the targeted company. Also, the item relies on PowerShell in addition to also VBS scripts to ensure persistence from the targeted system.
The very first attack, which Group-IB attributes to MoneyTaker was conducted in May 2016, when the group managed to gain access to First Data’s STAR—the largest U.S. bank transfer messaging system connecting ATMs at over 5,000 organizations—in addition to also stole money.
In January 2017, the similar attack was repeated against another bank.
Here’s how the attack works:
“The scheme can be extremely simple. After taking control over the bank’s network, the attackers checked if they could connect to the card processing system. Following This particular, they legally opened or bought cards of the bank whose the item system they had hacked,” Group-IB explains.
“Money mules – criminals who withdraw money via ATMs – with previously activated cards went abroad in addition to also waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules.”
The money mules then removed overdraft limits, which made the item possible for them to overdraw cash even with debit cards. Using these cards, they “withdrew cash via ATMs, one by one.”
According to the report, the average money stolen by MoneyTaker via United States banks alone was about $500,000, in addition to also more than $3 million was stolen via at least three Russian banks.
The report also detailed an attack against a Russian bank, wherein the MoneyTaker group used a modular malware program to target the AWS CBR (Automated Work Station Client of the Russian Central Bank)—a Russian interbank fund transfer system similar to SWIFT.
The modular tool had capabilities to search for payment orders in addition to also modify them, replace original payment details with fraudulent ones, in addition to also carefully erase malware traces after completing its tasks.
While the item can be still unclear how MoneyTaker managed to get its foothold from the corporate network, in one specific case, the entry point of compromise of the bank’s internal network was the home computer of the bank’s system administrator.
Group-IB believes of which the hackers are at This particular point looking for ways to compromise the SWIFT interbank communication system, although the item found no evidence of MoneyTaker behind any of the recent cyber attacks on SWIFT systems.