A smart banking Trojan allows you to withdraw almost unlimited amounts of money from ATMs

Tomcat

Kaspersky Lab has discovered and analyzed interesting malware that targets banks and banking networks. This is a whole software package consisting of about 30 different modules that can remain in the banking network undetected for a long time. The system is called Metel (it also goes by another name, Corkow). The software itself is not new, but Kaspersky Lab has now made a number of presentations on the topic. One of the most interesting objects to study is Metel.

One of its modules is responsible for programmatically “rolling back” the last completed ATM transactions. Thus, attackers with a compromised bank card can withdraw virtually unlimited amounts of money from ATMs belonging to other banks. The withdrawal amount depends only on the amount of cash in the system. And since the module constantly returns the card balance to its original value, attackers do not exceed the limit, and the system does not block the card.

Last year, a similar scheme helped criminals in Russia withdraw millions of rubles in one night. Metel’s method of infiltrating bank networks is simple and common: bank employees are somehow incentivized to open a website that distributes a malware download module. When an infected file is opened, the Trojan penetrates the bank's system. Next, representatives of the group that developed Metel are engaged in exploring the network and compromising other PCs in the victim bank’s network. Social engineering is also often used.

Using the same malware, hackers managed to significantly increase the volatility of the ruble exchange rate in February 2015, as already reported on Geektimes.

The complexity of the software used by attackers is constantly increasing. Hackers use many techniques, tricks and types of software to achieve their goal.

Kaspersky Lab also reported on other examples of attacks targeting financial institutions:
  • GCMAN is a group that gets its nickname from the fact that it uses the GCC compiler to create its software. As in the case of “Metel”, members of the group begin an attack on the bank with specially prepared letters to infect banking networks. After this, the usual tools like Putty, VNC, Meterpreter are used to expand access. In one famous case, group members had access to the bank's network for about 18 months, and only then did the group withdraw any funds. After the scripts started working, funds began to be pumped out at a rate of about $200 per minute (a special slowdown was used so that the bank’s systems did not react to too-fast withdrawals). The funds were transferred to the account of a dummy person, who was supposed to withdraw the money.
  • Carbanak 2.0, malware used to gain criminal access to a financial organization. After this, information about the owners of the company was added to the system. The added persons were dummies; as in the previous case, these people withdrew funds from the accounts. The “owners” of the financial institution had no problems with withdrawing money.

Now all these groups and systems are active and continue to work. As previously reported, with the help of Corkow alone, the networks of 250 financial organizations and business companies in Russia were infected. No one knows how many victims there really are.
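Two of the patterns described in the post lend themselves to simple ledger-side detection: the Metel rollback trick (cash is dispensed, then the transaction is reversed so the card balance and limit counter never move) and the GCMAN slow drip (many small, near-identical transfers at a steady cadence so no single one trips a threshold). The following is an added example written for this page; it is not code from the article, from Kaspersky Lab, or from the malware. The log format, field names, thresholds and all sample transactions are assumptions constructed for the example. The idea is to count cash that physically left the ATM regardless of later reversals, and to look at the shape of a transfer stream rather than individual amounts.

```python
"""Added detection example (not from the article): flag two patterns from the
post over a constructed transaction log.

1. ATM rollback abuse: withdrawals on one card are each followed by a reversal,
   so the ledger balance never drops, but the cash dispensed exceeds the
   card's daily limit.
2. Slow-drip transfers: many near-identical outgoing transfers to the same
   beneficiary at a near-constant cadence (the "$200 per minute" pattern).

Log format, field names, thresholds and sample data are all assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: timestamp|card_or_account|event|amount|counterparty
SAMPLE_LOG = """\
2016-02-08T01:00:00|CARD-1111|WITHDRAW|5000|ATM-A
2016-02-08T01:00:05|CARD-1111|REVERSAL|5000|ATM-A
2016-02-08T01:02:00|CARD-1111|WITHDRAW|5000|ATM-B
2016-02-08T01:02:04|CARD-1111|REVERSAL|5000|ATM-B
2016-02-08T01:04:00|CARD-1111|WITHDRAW|5000|ATM-C
2016-02-08T01:04:06|CARD-1111|REVERSAL|5000|ATM-C
2016-02-08T01:06:00|CARD-1111|WITHDRAW|5000|ATM-D
2016-02-08T01:06:03|CARD-1111|REVERSAL|5000|ATM-D
2016-02-08T09:00:00|CARD-2222|WITHDRAW|3000|ATM-A
2016-02-08T10:00:00|ACCT-9001|TRANSFER|200|BENEF-77
2016-02-08T10:01:00|ACCT-9001|TRANSFER|200|BENEF-77
2016-02-08T10:02:00|ACCT-9001|TRANSFER|201|BENEF-77
2016-02-08T10:03:00|ACCT-9001|TRANSFER|199|BENEF-77
2016-02-08T10:04:00|ACCT-9001|TRANSFER|200|BENEF-77
2016-02-08T10:05:00|ACCT-9001|TRANSFER|200|BENEF-77
2016-02-08T12:00:00|ACCT-9002|TRANSFER|1500|BENEF-12
2016-02-08T12:30:00|ACCT-9002|TRANSFER|80|BENEF-12
"""


def parse_log(text):
    """Parse the pipe-separated log into (timestamp, subject, event, amount, party) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subject, event, amount, party = line.split("|")
        rows.append((datetime.fromisoformat(ts), subject, event, float(amount), party))
    return rows


def detect_rollback_abuse(rows, daily_limit=10000.0, rolled_back_share=0.5):
    """Flag cards where cash physically dispensed in one day exceeds the daily
    limit while most of it was re-credited by reversals, i.e. the ledger
    balance never showed the limit being reached."""
    dispensed = defaultdict(float)
    reversed_ = defaultdict(float)
    for ts, subj, event, amount, _ in rows:
        key = (subj, ts.date())
        if event == "WITHDRAW":
            dispensed[key] += amount      # count the cash that left the ATM
        elif event == "REVERSAL":
            reversed_[key] += amount      # ledger credit that hides the withdrawal
    hits = {}
    for (card, day), cash in dispensed.items():
        if cash > daily_limit and reversed_[(card, day)] >= rolled_back_share * cash:
            hits[card] = {"day": day.isoformat(), "dispensed": cash,
                          "reversed": reversed_[(card, day)]}
    return hits


def detect_slow_drip(rows, min_count=5, max_amount_cv=0.05, max_gap_cv=0.25):
    """Flag (account, beneficiary) pairs that see many near-identical transfers
    at a near-constant interval; single amounts stay below any per-transfer
    threshold, so the stream's shape is the signal."""
    streams = defaultdict(list)
    for ts, subj, event, amount, party in rows:
        if event == "TRANSFER":
            streams[(subj, party)].append((ts, amount))
    hits = {}
    for key, items in streams.items():
        if len(items) < min_count:
            continue
        items.sort()
        amounts = [a for _, a in items]
        gaps = [(items[i + 1][0] - items[i][0]).total_seconds() for i in range(len(items) - 1)]
        if mean(amounts) <= 0 or mean(gaps) <= 0:
            continue
        amount_cv = pstdev(amounts) / mean(amounts)   # coefficient of variation of amounts
        gap_cv = pstdev(gaps) / mean(gaps)            # coefficient of variation of cadence
        if amount_cv <= max_amount_cv and gap_cv <= max_gap_cv:
            hits[key] = {"count": len(items), "mean_amount": mean(amounts),
                         "mean_gap_s": mean(gaps)}
    return hits


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("rollback abuse:", detect_rollback_abuse(parsed))
    print("slow drip:", detect_slow_drip(parsed))
```

On the sample data the rollback detector flags CARD-1111 (20,000 dispensed, all of it reversed, against an assumed 10,000 daily limit) and not CARD-2222; the slow-drip detector flags ACCT-9001 to BENEF-77 (six transfers of about 200 one minute apart) and ignores ACCT-9002, whose two transfers differ in size and timing. The thresholds are illustrative; in practice they would be tuned against the institution's own baseline of legitimate reversals and standing payments.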