Newly Uncovered 'MoneyTaker' Hacker Group Stole Millions From U.S. & Russian Banks

Security researchers have uncovered a previously undetected group of Russian-speaking hackers that has silently been targeting banks, financial institutions, and law firms, primarily in the United States, UK, and Russia.

Moscow-based security firm Group-IB published a 36-page report on Monday, providing details about the newly disclosed hacking group, dubbed MoneyTaker, which has been operating since at least May 2016.

In the past 18 months, the hacking group is believed to have conducted more than 20 attacks against various financial organisations, stealing more than $11 million and sensitive documents that could be used for subsequent attacks.

According to the security firm, the group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and the SWIFT international bank messaging service (United States).

"Criminals stole documentation for OceanSystems’ FedLink card processing system, which is used by 200 banks in Latin America and the US," Group-IB says in its report.

Group-IB also warned that the MoneyTaker attacks against financial organizations appear to be ongoing and that banks in Latin America could be their next target.

MoneyTaker: 1.5 Years of Silent Operations


Since its first successful attack in May last year, MoneyTaker has targeted banks in California, Illinois, Utah, Oklahoma, Colorado, South Carolina, Missouri, North Carolina, Virginia and Florida, primarily small community banks with limited cyber defenses.

Even after a large number of attacks against so many targets, the MoneyTaker group managed to keep its activities concealed and unattributed by using various publicly available penetration testing and hacking tools, including Metasploit, NirCmd, psexec, Mimikatz, PowerShell Empire, and code demonstrated as proof-of-concept at a Russian hacking conference in 2016.

"To propagate across the network, hackers used a legitimate tool psexec, which is typical for network administrators," Group-IB says in its report.

Besides using open-source tools, the group has also been heavily utilizing the Citadel and Kronos banking trojans to deliver a Point-of-Sale (POS) malware, dubbed ScanPOS.

"Upon execution, ScanPOS grabs information about the current running processes and collects the user name and privileges on the infected system. That said, it is primarily designed to dump process memory and search for payment card track data. The Trojan checks any collected data using Luhn’s algorithm for validation and then sends it outbound to the C&C server."

"The group uses 'fileless' malware only existing in RAM and is destroyed after reboot. To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts - they are both difficult to detect by antivirus and easy to modify. In some cases, they have made changes to source code 'on the fly' – during the attack."

"To escalate privileges up to the local administrator (or SYSTEM local user), attackers use exploit modules from the standard Metasploit pack, or exploits designed to bypass the UAC technology. With local administrator privileges they can use the Mimikatz program, which is loaded into the memory using Meterpreter, to extract unencrypted Windows credentials."

Moreover, MoneyTaker also makes use of SSL certificates generated using the names of well-known brands—including Bank of America, Microsoft, Yahoo and Federal Reserve Bank—to hide its malicious traffic.
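The ScanPOS behaviour Group-IB describes above (dump process memory, look for payment card track data, keep only what passes Luhn's check) is the same three-step structure a defender uses when scanning a memory dump, a crash file or a DLP stream for leaked card data. The following is an added example, not code from the article, from Group-IB or from ScanPOS; the memory buffer is constructed inline and the PANs are well-known test numbers, not real cards.

```python
import re

# Constructed sample standing in for a slice of dumped process memory.
# The PANs are public test numbers, not real card data.
SAMPLE_MEMORY = (
    b"\x00\x00session=abc\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000000?"   # track 1 (Luhn-valid PAN)
    b"\x00;4111111111111111=25121010000000000?"            # track 2 (same PAN)
    b"\x00;1234567890123456=25121010000000000?"            # track 2, fails Luhn
    b"\x00errorlog\x00"
)

# Track 1: start sentinel '%', format code 'B', PAN, '^', cardholder name, '^', YYMM expiry ...
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})")
# Track 2: start sentinel ';', PAN, '=', YYMM expiry ...
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})")


def luhn_valid(pan: str) -> bool:
    """Mod-10 check: from the right, double every second digit and subtract 9 if it exceeds 9."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four digits so an alert never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Return every track 1/2 candidate found in the buffer, with its Luhn verdict."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": "track1", "pan": mask_pan(pan),
                     "expiry": m.group(3).decode(), "luhn_ok": luhn_valid(pan)})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        hits.append({"track": "track2", "pan": mask_pan(pan),
                     "expiry": m.group(2).decode(), "luhn_ok": luhn_valid(pan)})
    return hits


def confirmed_card_hits(buf: bytes) -> list:
    """Only the Luhn-valid candidates, i.e. the ones worth escalating as a real card-data leak."""
    return [h for h in find_track_data(buf) if h["luhn_ok"]]


if __name__ == "__main__":
    for h in find_track_data(SAMPLE_MEMORY):
        print(h)
```

Running the scanner over a POS process dump and finding Luhn-valid track data in plain memory is a direct indicator of what ScanPOS is built to harvest; the masking keeps the alert itself PCI-safe.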
The hacking group also configures its servers in such a way that malicious payloads can only be delivered to a predetermined list of IP addresses belonging to the targeted company. It also relies on PowerShell and VBS scripts to ensure persistence in the targeted system.
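Two of the techniques above leave ordinary Windows event-log traces: psexec installs a service (Event ID 7045, System log, service name PSEXESVC), and the PowerShell and VBS scripts used for fileless persistence show up as process creations (Event ID 4688, Security log, which only carries the command line when command-line auditing is enabled). The rules below are an added example written for this article, not Group-IB's detection content; the event records are constructed inline, and the host names, paths and the Base64 fragment are placeholders.

```python
import re

# Constructed Windows event records (not real logs). 7045 comes from the System log
# (Service Control Manager); 4688 from the Security log with command-line auditing on.
EVENTS = [
    {"EventID": 7045, "Host": "WS-ADMIN-01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"EventID": 7045, "Host": "WS-ADMIN-01", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventID": 4688, "Host": "WS-ADMIN-01",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"EventID": 4688, "Host": "SRV-FILE-02",
     "NewProcessName": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Public\update.vbs"},
    {"EventID": 4688, "Host": "SRV-FILE-02",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 4688, "Host": "SRV-FILE-02",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
]

# PowerShell accepts abbreviated switches, so match the prefixes case-insensitively.
POWERSHELL_SUSPICIOUS = re.compile(r"(?i)(?:^|\s)-(?:enc\w*|nop\w*|w(?:indowstyle)?\s+hidden)")
# Locations an unprivileged user (or a dropper running as one) can write to.
USER_WRITABLE = re.compile(r"(?i)\\(?:Users\\Public|AppData|Temp|ProgramData)\\")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


def classify(event: dict):
    """Return the name of the rule an event trips, or None if it looks benign."""
    eid = event["EventID"]
    if eid == 7045:
        svc = event.get("ServiceName", "").upper()
        path = event.get("ImagePath", "").upper()
        if svc == "PSEXESVC" or "PSEXESVC" in path:
            return "psexec-service-install"
        return None
    if eid == 4688:
        exe = event.get("NewProcessName", "").lower().rsplit("\\", 1)[-1]
        cmd = event.get("CommandLine", "")
        if exe == "powershell.exe" and POWERSHELL_SUSPICIOUS.search(cmd):
            return "powershell-encoded-or-hidden"
        if exe in SCRIPT_HOSTS and cmd.lower().endswith(".vbs") and USER_WRITABLE.search(cmd):
            return "vbs-from-user-writable-path"
    return None


def detect(events: list) -> list:
    """Run every event through classify() and return the (host, rule) pairs that fired."""
    alerts = []
    for e in events:
        rule = classify(e)
        if rule:
            alerts.append((e["Host"], rule))
    return alerts


if __name__ == "__main__":
    for host, rule in detect(EVENTS):
        print(host, rule)
```

As the report itself notes, psexec is also what legitimate administrators use, so the 7045 rule is a lead to correlate with the originating account and host against a baseline rather than a verdict on its own; the 4688 rules assume command-line auditing is on, and PowerShell script block logging (Event ID 4104) adds the decoded content that the encoded-command rule can only flag.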

The very first attack that Group-IB attributes to MoneyTaker was conducted in May 2016, when the group managed to gain access to First Data's STAR—the largest U.S. bank transfer messaging system, connecting ATMs at over 5,000 organizations—and stole money.

In January 2017, a similar attack was repeated against another bank.

Here's how the attack works:

"The scheme is extremely simple. After taking control over the bank's network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked," Group-IB explains.

"Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules."

The money mules then removed overdraft limits, which made it possible for them to overdraw cash even with debit cards. Using these cards, they "withdrew cash from ATMs, one by one."
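The cash-out scheme just described has a detectable shape on the issuing bank's side: a withdrawal or overdraft limit on a card is removed or raised by orders of magnitude, and shortly afterwards that card is drained at ATMs, often abroad. The correlation below is an added example for this article, not Group-IB's or any bank's fraud logic; the audit records are constructed inline, the field names are assumptions about what a card-processing system's audit trail would contain, and the thresholds are illustrative.

```python
from datetime import datetime, timedelta

HOME_COUNTRY = "US"            # issuing bank's home market (assumption)
WINDOW = timedelta(hours=24)   # withdrawals this long after a limit change are correlated with it
SUSPICIOUS_FACTOR = 10         # a limit raised by this multiple (or removed outright) is reviewed

# Constructed audit records from a hypothetical card-processing system; not real data.
LIMIT_CHANGES = [
    {"card": "C-1001", "time": "2017-01-15T02:10:00", "old_limit": 300, "new_limit": 50000, "operator": "svc_cardproc"},
    {"card": "C-1002", "time": "2017-01-15T09:00:00", "old_limit": 300, "new_limit": 500, "operator": "branch_teller"},
    {"card": "C-1003", "time": "2017-01-15T02:12:00", "old_limit": 300, "new_limit": None, "operator": "svc_cardproc"},
]
WITHDRAWALS = [
    {"card": "C-1001", "time": "2017-01-15T02:40:00", "amount": 1000, "country": "CZ"},
    {"card": "C-1001", "time": "2017-01-15T02:55:00", "amount": 1000, "country": "CZ"},
    {"card": "C-1001", "time": "2017-01-15T03:10:00", "amount": 1000, "country": "CZ"},
    {"card": "C-1001", "time": "2017-01-15T03:30:00", "amount": 1000, "country": "CZ"},
    {"card": "C-1002", "time": "2017-01-15T10:00:00", "amount": 200, "country": "US"},
    {"card": "C-1001", "time": "2017-01-17T12:00:00", "amount": 100, "country": "US"},  # outside the window
]


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def suspicious_limit_changes(changes: list) -> list:
    """Limit removed (None) or raised by SUSPICIOUS_FACTOR or more: worth review even before any withdrawal."""
    out = []
    for c in changes:
        old, new = c["old_limit"], c["new_limit"]
        if new is None or (old > 0 and new >= SUSPICIOUS_FACTOR * old):
            out.append(c)
    return out


def flag_limit_abuse(changes: list, withdrawals: list, home_country: str = HOME_COUNTRY) -> list:
    """A suspicious change followed, within WINDOW, by withdrawals that exceed the old limit or happen abroad."""
    by_card = {}
    for w in withdrawals:
        by_card.setdefault(w["card"], []).append(w)
    alerts = []
    for c in suspicious_limit_changes(changes):
        t0 = _ts(c["time"])
        in_window = [w for w in by_card.get(c["card"], []) if t0 <= _ts(w["time"]) <= t0 + WINDOW]
        total = sum(w["amount"] for w in in_window)
        abroad = sorted({w["country"] for w in in_window if w["country"] != home_country})
        if total > c["old_limit"] or abroad:
            alerts.append({"card": c["card"], "operator": c["operator"], "old_limit": c["old_limit"],
                           "new_limit": c["new_limit"], "total_withdrawn": total, "abroad": abroad})
    return alerts


if __name__ == "__main__":
    for a in flag_limit_abuse(LIMIT_CHANGES, WITHDRAWALS):
        print(a)
```

The two functions are deliberately separate: the limit change alone (especially one made by a service account at 02:10) is enough to open a review ticket, while the correlated withdrawals are what justify blocking the card in real time. The time window should be tuned to how quickly the mules acted in the reported cases rather than left at a round number.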

According to the report, the average amount stolen by MoneyTaker from U.S. banks alone was about $500,000, and more than $3 million was stolen from at least 3 Russian banks.

The report also detailed an attack against a Russian bank, in which the MoneyTaker group used a modular malware program to target the AWS CBR (Automated Work Station Client of the Russian Central Bank)—a Russian interbank fund transfer system similar to SWIFT.

The modular tool could search for payment orders and modify them, replace the original payment details with fraudulent ones, and carefully erase malware traces after completing its tasks.

While it is still unclear how MoneyTaker managed to gain its foothold in the corporate network, in one specific case the entry point into the bank's internal network was the home computer of the bank's system administrator.

Group-IB believes that the hackers are now looking for ways to compromise the SWIFT interbank communication system, although it found no evidence of MoneyTaker being behind any of the recent cyber attacks on SWIFT systems.