By constantly changing their tools and tactics to bypass antivirus and traditional security solutions and most importantly carefully eliminating their traces after completing their operations, the group has largely gone unnoticed.
In 2016, Group-IB identified 10 attacks conducted by MoneyTaker: 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a bank in the UK and 2 attacks on Russian banks. As far as Group-IB knows, only one of these incidents, involving a Russian bank, was promptly identified and prevented.
In 2017, the number of attacks remained the same, with 8 US banks, 1 law firm and 1 bank in Russia being targeted. The geography, however, narrowed to only the USA and Russia.
Important findings that enabled Group-IB to link the crimes include privilege escalation tools compiled from code presented at the Russian cybersecurity conference ZeroNights 2016. In some incidents the hackers also used the infamous Citadel and Kronos banking Trojans; the latter was used to deliver Point-of-Sale (POS) malware dubbed ScanPOS.
Group-IB has provided Europol and Interpol with detailed information about the MoneyTaker group for further investigative activities as part of our cooperation in fighting cybercrime.
In an attack on a Russian bank through the AWS CBR, the hackers used a tool called MoneyTaker v5.0, after which the group has been named. Each component of this modular program performs a certain action: it searches for payment orders and modifies them, replaces the original payment details with fraudulent ones, and then erases its traces. The replacement succeeds because at this stage the payment order has not yet been signed; signing takes place after the payment details have been replaced, so the fraudulent order carries a valid signature. Besides hiding its tracks, the concealment module also rewrites the debit advice returned after the transaction, putting the original payment details back in place of the fraudulent ones. The payment order is therefore sent and accepted for execution with the fraudulent payment details, while the responses look as if the original details had been used. This gives the cybercriminals extra time to mule the funds before the theft is detected.
| Created tools | Borrowed tools |
| --- | --- |
| MoneyTaker 5.0 – malicious program for automatic replacement of payment data in AWS CBR | Metasploit and PowerShell Empire |
| ‘Screenshotter’ and ‘keylogger’ to conduct espionage and capture keystrokes | Privilege escalation tools whose code was demonstrated as a proof of concept at the ZeroNights cybersecurity conference in Moscow in 2016 (more details later in this report) |
| MoneyTaker ‘Auto-replacement’ program to substitute payment details in the interbank transfer system | Citadel and Kronos banking Trojans; the latter was used to deliver Point-of-Sale (POS) malware dubbed ScanPOS |
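The substitution described above works because the payment client signs the order only after the details have been swapped, and the debit advice shown to the operator is rewritten to match what was originally entered. The defensive counter is a reconciliation that compares three views of each order from independent sources. The following Python script is an added example, not Group-IB's or the group's code; the journal host, the HMAC key, the field names and the sample orders are all constructed assumptions, and the "sent" view is assumed to come from an independent capture rather than from the workstation running the payment client.

```python
import hashlib
import hmac
import json

# Constructed key held by an out-of-band journal host (assumption): the point is that
# the workstation running the payment client cannot forge journal entries.
JOURNAL_KEY = b"constructed-journal-key"

# Fields that decide where money goes. Hypothetical names; a real deployment would
# map its own order schema onto this set.
PAYEE_FIELDS = ("order_id", "amount", "payee_name", "payee_bank_bic", "payee_account")


def payment_fingerprint(order):
    """Keyed digest over the payee-determining fields, in canonical JSON form."""
    canonical = json.dumps({k: str(order[k]) for k in PAYEE_FIELDS},
                           sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(JOURNAL_KEY, canonical, hashlib.sha256).hexdigest()


def journal_record(order):
    """What the operator's journal keeps at entry time: order id plus fingerprint."""
    return {"order_id": order["order_id"], "fp": payment_fingerprint(order)}


def reconcile(journal, sent_orders, debit_advices):
    """Compare three views of each order and return sorted (order_id, problem) pairs.

    journal       - records written when the operator entered the order
    sent_orders   - orders as they actually left for the interbank system
                    (assumed captured independently of the client host)
    debit_advices - responses as displayed on the operator's workstation
    """
    findings = []
    journal_by_id = {r["order_id"]: r for r in journal}
    sent_by_id = {o["order_id"]: o for o in sent_orders}

    for order_id, sent in sent_by_id.items():
        rec = journal_by_id.get(order_id)
        if rec is None:
            findings.append((order_id, "sent order was never entered by an operator"))
        elif payment_fingerprint(sent) != rec["fp"]:
            # Details changed between entry and signing: the signature on the sent
            # order is valid, only the journal reveals the swap.
            findings.append((order_id, "payee details differ from operator entry"))

    for adv in debit_advices:
        sent = sent_by_id.get(adv["order_id"])
        if sent is None:
            findings.append((adv["order_id"], "debit advice for an order never sent"))
        elif payment_fingerprint(adv) != payment_fingerprint(sent):
            # The advice shows the original details although the order went out
            # with different ones: the concealment step the report describes.
            findings.append((adv["order_id"], "debit advice disagrees with order as sent"))
    return sorted(findings)


def demo():
    """Constructed data: order 1001 is clean, order 1002 was swapped and concealed."""
    entered = [
        {"order_id": "1001", "amount": "250000.00", "payee_name": "Supplier LLC",
         "payee_bank_bic": "000000001", "payee_account": "40702810000000000001"},
        {"order_id": "1002", "amount": "980000.00", "payee_name": "Contractor JSC",
         "payee_bank_bic": "000000001", "payee_account": "40702810000000000002"},
    ]
    swapped = dict(entered[1], payee_name="Mule Co", payee_account="40702810000000009999")
    journal = [journal_record(o) for o in entered]
    sent = [entered[0], swapped]          # what actually reached the interbank system
    advices = [entered[0], entered[1]]    # what the operator was shown afterwards
    return reconcile(journal, sent, advices)


if __name__ == "__main__":
    for order_id, problem in demo():
        print(order_id, problem)
```

The advice-versus-sent comparison is the one that catches the concealment module: the journal and the advice agree with each other by design, so only a view taken outside the compromised workstation exposes the difference.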
To control the full operation, MoneyTaker uses a ‘pentest framework’ server on which the hackers install Metasploit, a legitimate penetration testing tool. After successfully infecting one of the computers and gaining initial access to the system, the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network. The hackers use Metasploit for all of these activities: network reconnaissance, searching for vulnerable applications, exploiting vulnerabilities, escalating system privileges, and collecting information.
The group uses ‘fileless’ malware that exists only in RAM and is destroyed on reboot. To persist on a system, MoneyTaker relies on PowerShell and VBS scripts, which are both hard for antivirus to detect and easy to modify. In some cases the group changed script source code ‘on the fly’, during the attack.
After successful infection, they carefully erase malware traces. However, when investigating an incident in Russia, we managed to discover the initial point of compromise: hackers penetrated the bank’s internal network by gaining access to the home computer of the bank’s system administrator.
In addition, to keep C&C communications from being detected by security teams, MoneyTaker uses SSL certificates whose fields carry the names of well-known brands (Bank of America, Federal Reserve Bank, Microsoft, Yahoo, etc.) instead of random values. In the US, the group used the LogMeIn Hamachi solution for remote access.
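A certificate that names a well-known brand but was not issued by a recognised public CA (or is self-signed) is a useful network indicator for this tactic. The script below is an added example, not part of the Group-IB report; the log format, the brand list, the issuer allowlist and the log lines are all constructed, and a real check would consult the host trust store rather than a hard-coded issuer list.

```python
import re

# Brand names the report says the group placed in certificate fields.
BRAND_WORDS = ("bank of america", "federal reserve", "microsoft", "yahoo")

# Constructed allowlist of public issuer names (assumption); a production check
# would validate the chain against the system trust store instead.
KNOWN_PUBLIC_ISSUERS = ("digicert", "let's encrypt", "globalsign", "sectigo")

# Constructed TLS metadata log, one outbound connection per line (hypothetical format):
# timestamp dst_ip dst_port subject="<DN>" issuer="<DN>"
CONSTRUCTED_TLS_LOG = """\
2017-03-02T10:15:01Z 203.0.113.10 443 subject="CN=mail.bofa-secure.example,O=Bank of America" issuer="CN=mail.bofa-secure.example,O=Bank of America"
2017-03-02T10:15:07Z 198.51.100.7 443 subject="CN=login.contoso.example,O=Microsoft Corporation" issuer="CN=Example Secure Server CA,O=DigiCert Inc"
2017-03-02T10:16:22Z 192.0.2.55 8443 subject="CN=update.frb-svc.example,O=Federal Reserve Bank" issuer="CN=Yahoo Root,O=Yahoo"
2017-03-02T10:17:03Z 192.0.2.80 443 subject="CN=intranet.corp.example,O=Example Corp" issuer="CN=intranet.corp.example,O=Example Corp"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\d+) subject="([^"]*)" issuer="([^"]*)"$')


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, port, subject, issuer = m.groups()
    return {"ts": ts, "dst_ip": ip, "dst_port": int(port),
            "subject": subject, "issuer": issuer}


def brand_in(dn):
    """Return the first well-known brand mentioned anywhere in a DN, else None."""
    low = dn.lower()
    return next((b for b in BRAND_WORDS if b in low), None)


def classify(rec):
    """Return (brand, reason) when a brand-named certificate was not issued by a
    recognised public CA; otherwise None. Self-signed internal certs with no brand
    name (last sample line) are deliberately left alone."""
    brand = brand_in(rec["subject"])
    if brand is None:
        return None
    if rec["subject"] == rec["issuer"]:
        return brand, "self-signed"
    if not any(ca in rec["issuer"].lower() for ca in KNOWN_PUBLIC_ISSUERS):
        return brand, "unrecognised issuer"
    return None


def suspicious_connections(log_text):
    """Run the classifier over a log and return (dst_ip, dst_port, brand, reason)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            hits.append((rec["dst_ip"], rec["dst_port"], verdict[0], verdict[1]))
    return hits


if __name__ == "__main__":
    for hit in suspicious_connections(CONSTRUCTED_TLS_LOG):
        print(hit)
```

Two of the four constructed connections are flagged: the self-signed "Bank of America" certificate and the "Federal Reserve Bank" certificate issued by an unknown "Yahoo" root. The genuine-looking Microsoft certificate with a public issuer and the brand-free internal self-signed certificate pass, which keeps the rule from drowning in ordinary internal TLS.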
The scheme is extremely simple. After taking control of the bank’s network, the attackers checked whether they could connect to the card processing system. They then legally opened or bought cards of the bank whose IT system they had hacked. Money mules – criminals who withdraw money from ATMs – went abroad with previously activated cards and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased the cash withdrawal limits on the cards held by the mules. They also removed overdraft limits, which made it possible to overdraw even with debit cards. Using these cards, the mules withdrew cash from ATMs, one by one. The average loss caused by one attack was about $500,000.
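The sequence just described leaves a distinctive trail in card-processing audit data: a limit removed or sharply raised, followed within hours by foreign ATM withdrawals that together exceed the old limit. The following Python detector is an added example, not code from the report; the event schema, the masked card numbers and the sample events are constructed, and the doubling threshold and 24-hour window are assumptions to tune per institution.

```python
from datetime import datetime, timedelta

# Constructed card-processing audit events (hypothetical schema). Card numbers are
# masked placeholders. Timestamps are ISO 8601 so string order equals time order.
CONSTRUCTED_EVENTS = [
    {"ts": "2016-11-04T22:05:00", "type": "limit_change", "card": "4111******1111",
     "field": "daily_cash_limit", "old": 1000, "new": None},
    {"ts": "2016-11-04T22:06:00", "type": "limit_change", "card": "4111******1111",
     "field": "overdraft_limit", "old": 0, "new": None},
    {"ts": "2016-11-05T01:10:00", "type": "atm_withdrawal", "card": "4111******1111",
     "amount": 900, "country": "CZ"},
    {"ts": "2016-11-05T01:25:00", "type": "atm_withdrawal", "card": "4111******1111",
     "amount": 900, "country": "CZ"},
    {"ts": "2016-11-05T01:40:00", "type": "atm_withdrawal", "card": "4111******1111",
     "amount": 800, "country": "PL"},
    # A modest, business-hours limit increase followed by a small domestic withdrawal:
    # ordinary customer service activity that must not alert.
    {"ts": "2016-11-04T11:00:00", "type": "limit_change", "card": "5555******4444",
     "field": "daily_cash_limit", "old": 500, "new": 800},
    {"ts": "2016-11-04T15:30:00", "type": "atm_withdrawal", "card": "5555******4444",
     "amount": 300, "country": "RU"},
]

WINDOW = timedelta(hours=24)   # assumed observation window after a limit change


def detect_limit_abuse(events, window=WINDOW):
    """Flag cards whose daily cash limit was removed (new is None) or more than
    doubled and which then withdrew more than the old limit within `window`.
    Returns one alert dict per offending card with the running total."""
    armed = {}    # card -> tracking state after a suspicious limit change
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        card = e["card"]
        if e["type"] == "limit_change":
            if e["field"] == "daily_cash_limit":
                if e["new"] is None or e["new"] > 2 * e["old"]:
                    armed[card] = {"since": ts, "old_limit": e["old"], "withdrawn": 0,
                                   "countries": set(), "overdraft_removed": False}
                else:
                    armed.pop(card, None)   # a modest change disarms the card
            elif e["field"] == "overdraft_limit" and e["new"] is None and card in armed:
                # Overdraft removal on an already-armed card: recorded as an aggravating flag.
                armed[card]["overdraft_removed"] = True
        elif e["type"] == "atm_withdrawal" and card in armed:
            st = armed[card]
            if ts - st["since"] > window:
                armed.pop(card)            # too long after the change; stop tracking
                continue
            st["withdrawn"] += e["amount"]
            st["countries"].add(e["country"])
            if st["withdrawn"] > st["old_limit"]:
                alerts[card] = st          # same object, so later totals update it
    return [{"card": c, "old_limit": st["old_limit"], "withdrawn": st["withdrawn"],
             "countries": sorted(st["countries"]),
             "overdraft_removed": st["overdraft_removed"]}
            for c, st in alerts.items()]


if __name__ == "__main__":
    for alert in detect_limit_abuse(CONSTRUCTED_EVENTS):
        print(alert)
```

On the constructed data the first card alerts once its cumulative foreign withdrawals pass the old 1,000 limit, with the overdraft removal recorded as an aggravating flag, while the second card never arms because its increase was under the doubling threshold. In practice the alert should also carry who made the limit change and from which host, since the report notes these changes were made from inside the compromised network rather than through normal customer channels.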