Report on the hacker group MoneyTaker

Tomcat



Group-IB researchers have presented a report on the activities of the Russian-speaking hacker group MoneyTaker. Until now this group had received almost no press coverage, and information security specialists had paid little attention to it. Meanwhile, according to Group-IB, in just a year and a half the group has carried out 20 successful attacks on banks and other organizations in the United States, Russia and the UK.
The group's main targets are card processing systems, the Russian interbank transfer system accessed through the AWS KBR (the automated workstation of a Bank of Russia client) and, presumably, SWIFT. According to Group-IB's Threat Intelligence system, financial organizations in Latin America may also become MoneyTaker targets in the near future.
In addition, MoneyTaker attacks law firms and developers of financial software. In total, MoneyTaker has carried out 16 attacks on US companies and three on Russian banks, and one more attack was recorded in the UK. In the United States the average damage per attack is $500,000; in Russia the average amount stolen per attack (through compromise of the AWS KBR) is 72,000,000 rubles.
Experts say the group went unnoticed for a long time thanks to an extensive arsenal of tools for bypassing anti-virus and anti-spam systems, destroying traces of an attack and significantly complicating post-incident investigation. Group-IB reports that all information on MoneyTaker's activities has already been passed to Europol and Interpol.
“When organizing attacks, MoneyTaker uses publicly available tools, which makes the process of attributing an incident a non-trivial task,” comments Dmitry Volkov, Head of Cyber Intelligence at Group-IB. “In addition, incidents occur in different regions of the world: they robbed one of the banks twice, which indicates an insufficiently high-quality investigation of the first attack. For the first time, we disclose the connections between all 20 incidents that we discovered, and we do not exclude new thefts. To reduce their likelihood, we have released a public report explaining how this group works and why we are convinced that all the episodes we describe are the work of MoneyTaker.”

MoneyTaker attacks: conducted and likely
The first attack attributed to the group was carried out in spring 2016: after gaining access to First Data's STAR card processing network, the attackers stole money from an unnamed American bank. In August 2016 the group successfully hacked a Russian bank that used the AWS KBR software to send transfers automatically through the Central Bank of Russia's interbank transfer system.
In total, in 2016 Group-IB experts recorded 10 attacks carried out by MoneyTaker: 6 against banks in the United States, 1 against an American IT service provider, 1 against the Bank of England and 2 against Russian banks. Only one of these attacks (against a Russian bank) was promptly identified and prevented.
In 2017 the geography of the attacks narrowed to Russia and the United States, but their total number stayed the same: American banks (8), a law firm (1) and a Russian bank (1).
After a thorough investigation, Group-IB analysts were able to find links between all twenty incidents. The links lie not only in the tools the hackers used but also in the group's hard-to-define “handwriting”: from the distributed infrastructure, parts of which are disposable, to the cash-out scheme (a separate account is used for each transaction). Another characteristic feature: having completed a successful attack, the hackers were in no hurry to leave the “crime scene”, and continued to spy on bank employees after the corporate network was compromised by forwarding incoming mail to Yandex and Mail.ru addresses in the format first.last@yandex.com ...
Another important “find” that linked the incidents was a privilege escalation tool compiled from code presented at the Russian conference ZeroNights 2016. In addition, the well-known banking Trojans Citadel and Kronos were used in some incidents; the latter, for example, was used to install the ScanPOS point-of-sale Trojan.
Examining the attackers' infrastructure, Group-IB experts found that MoneyTaker always tries to steal internal documentation on working with banking systems, whatever the country: administrator manuals, internal instructions and regulations, change request forms, transaction logs and so on. Group-IB is currently investigating several episodes in which documents on working with SWIFT were copied. Their nature and geographic location may indicate impending attacks on targets in Latin America.

Arsenal for attacks and methods of disguise
Group-IB notes that members of the MoneyTaker criminal group use both borrowed software and software they wrote themselves. For example, to monitor how bank operators work with internal systems, the hackers wrote their own application that combines a screenshotter and a keylogger.
This application reads keystrokes, takes screenshots of the desktop and intercepts the contents of the clipboard. It is written in Delphi and contains five timers; each application function (activating interception, taking screenshots, uploading data, disabling itself and so on) is executed when its timer fires. The hackers also added some self-protection: an anti-emulation check was built into the timer code to bypass antiviruses and automated sample analysis tools.
During the attack on the AWS KBR at one of the Russian banks, the group used its own MoneyTaker v5.0 system. This is a modular program, each component of which performs a specific action: it searches for payment orders and modifies them, replacing the existing details with the attackers' details, and then “covers its tracks”. The payment order is modified before it is signed, so the altered “payment order” carrying the fraudsters' details is what goes for signature.
Beyond destroying traces, the concealment module also replaces the attackers' details in the debit confirmation with the original ones after the funds have actually been written off. Thus the payment order is sent and accepted for execution with the attackers' details, while the responses returned to the bank look as if the details had been correct all along. This buys the criminals additional time before the theft is detected.
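As an added illustration (not code from the Group-IB report and not the group's own tooling), the Go program below models the substitution described above on a simplified payment order. It shows why a check done from the compromised workstation passes (the concealment module shows the operator the expected details, and the signature over the substituted order is valid because the bank signed it itself), while an out-of-band reconciliation against the signed message fails. The field names, HMAC-based signing, and the sample amounts and account numbers are assumptions constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PaymentOrder is a constructed, simplified stand-in for an interbank payment
// message; a real AWS KBR message carries many more fields (assumption).
type PaymentOrder struct {
	ID        string
	Amount    int64 // in kopecks
	Payee     string
	PayeeAcct string
}

// SignedOrder is an order plus the MAC that the bank's signing step attached.
type SignedOrder struct {
	Order PaymentOrder
	MAC   string
}

// signingKey stands in for the bank's signing credential (constructed demo key).
var signingKey = []byte("constructed-demo-signing-key")

// canonical serialises the fields that decide who receives the money.
func canonical(o PaymentOrder) []byte {
	return []byte(fmt.Sprintf("%s|%d|%s|%s", o.ID, o.Amount, o.Payee, o.PayeeAcct))
}

func mac(o PaymentOrder) string {
	m := hmac.New(sha256.New, signingKey)
	m.Write(canonical(o))
	return hex.EncodeToString(m.Sum(nil))
}

// Sign models the legitimate signing step: it signs whatever it is handed.
func Sign(o PaymentOrder) SignedOrder { return SignedOrder{Order: o, MAC: mac(o)} }

// Verify checks the MAC only; a valid MAC says nothing about whether the payee
// is the one the operator intended.
func Verify(s SignedOrder) bool { return hmac.Equal([]byte(mac(s.Order)), []byte(s.MAC)) }

// Substitute models the "search and modify" module: the still-unsigned order
// is rewritten so that the attackers' details reach the signing step.
func Substitute(o PaymentOrder, muleName, muleAcct string) PaymentOrder {
	o.Payee, o.PayeeAcct = muleName, muleAcct
	return o
}

// CoverTracks models the concealment module: the debit confirmation coming
// back from the payment system is rewritten to show the original details.
func CoverTracks(confirmation, original PaymentOrder) PaymentOrder {
	confirmation.Payee, confirmation.PayeeAcct = original.Payee, original.PayeeAcct
	return confirmation
}

// Reconcile compares an independently logged copy of what the operator entered
// (assumption: captured at data entry, outside the workstation's control) with
// the message that was actually signed and sent.
func Reconcile(entered PaymentOrder, sent SignedOrder) bool {
	return Verify(sent) && bytes.Equal(canonical(entered), canonical(sent.Order))
}

// Simulate runs one compromised payment. screenOK is what an operator can
// conclude from the compromised workstation; reconciledOK is the out-of-band
// comparison against the signed message.
func Simulate() (screenOK, reconciledOK bool) {
	entered := PaymentOrder{ID: "1042", Amount: 1_250_000_00, Payee: "OOO Vendor", PayeeAcct: "40702810000000000001"}
	// The order is rewritten before signing, and the bank signs it as usual.
	sent := Sign(Substitute(entered, "Ivanov I.I.", "40817810000000009999"))
	// The payment system debits the account and confirms the mule details...
	confirmation := sent.Order
	// ...but the concealment module shows the operator the original ones.
	shown := CoverTracks(confirmation, entered)

	screenOK = bytes.Equal(canonical(shown), canonical(entered))
	reconciledOK = Reconcile(entered, sent)
	return screenOK, reconciledOK
}

func main() {
	screenOK, reconciledOK := Simulate()
	fmt.Println("operator's screen matches what was entered:", screenOK) // true
	fmt.Println("signed message matches what was entered:", reconciledOK) // false
}
```

The design point is that the signature proves only that the bank signed the message, not that the message is what the operator meant to send; a comparison that is worth anything must use a copy of the operator's input that the compromised workstation cannot rewrite afterwards.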
To carry out targeted attacks, MoneyTaker uses a distributed infrastructure that is difficult to track. A distinctive feature of the group is its use of a Persistence server, which serves the payload only to real victims whose IP addresses have been added to a whitelist.
To control and coordinate their actions, the attackers use a Pentest framework server with legitimate penetration-testing tools installed on it. Metasploit manages the entire attack: it is used for network reconnaissance, finding vulnerable applications, exploiting vulnerabilities, escalating privileges, gathering information and other tasks.
After successfully infecting one of the computers and gaining an initial foothold, the attackers need to explore the local network in order to obtain domain administrator rights and ultimately take full control of the network.
Trying to stay in the shadows as long as possible, the hackers use fileless programs that run only in memory and disappear after a reboot. For persistence, MoneyTaker relies on scripts: they are harder for anti-virus products to detect and easier to modify. In some cases the hackers changed the program code on the fly, during the attack itself.
In addition, to protect the communication between the malware and the command-and-control server, the group does not use randomly generated SSL certificates but specially created ones that borrow the names of trusted brands (Bank of America, Federal Reserve Bank, Microsoft, Yahoo and others).
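A practical check follows from this detail: a TLS certificate that carries a well-known brand in its subject but was issued by nobody the organization trusts deserves a look. The Go program below is an added example, not code from the report; it constructs a self-signed decoy in the style described and runs three independent tests on it (self-signed, chains to no trusted root, brand name in the subject). The brand list, the empty trust store standing in for an enterprise root set, and the certificate fields are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// brandWords are the names the report says the group borrowed; extend the
// list for your own environment (assumption: lower-case substring matching).
var brandWords = []string{"bank of america", "federal reserve", "microsoft", "yahoo"}

// Finding records why a certificate looks like a decoy.
type Finding struct {
	SelfSigned  bool
	Untrusted   bool
	BrandInName string // matched brand word, "" if none
}

// Inspect applies three independent tests to a server certificate: is it
// self-signed, does it chain to one of roots, and does its subject borrow a brand.
func Inspect(cert *x509.Certificate, roots *x509.CertPool) Finding {
	var f Finding
	// Self-signed: issuer equals subject and the certificate validates its own signature.
	if bytes.Equal(cert.RawIssuer, cert.RawSubject) &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil {
		f.SelfSigned = true
	}
	// Untrusted: no chain to the supplied roots (an empty pool means "nobody we trust").
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		f.Untrusted = true
	}
	name := strings.ToLower(cert.Subject.CommonName + " " + strings.Join(cert.Subject.Organization, " "))
	for _, w := range brandWords {
		if strings.Contains(name, w) {
			f.BrandInName = w
			break
		}
	}
	return f
}

// Suspicious is the decision rule: a brand name on a certificate that no trusted issuer signed.
func Suspicious(f Finding) bool { return f.BrandInName != "" && (f.SelfSigned || f.Untrusted) }

// MakeDecoyCert builds a self-signed certificate in the style the report
// describes (constructed sample, not a real MoneyTaker artifact).
func MakeDecoyCert(cn, org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := MakeDecoyCert("Bank of America", "Bank of America Corporation")
	if err != nil {
		panic(err)
	}
	f := Inspect(cert, x509.NewCertPool())
	fmt.Printf("%+v suspicious=%v\n", f, Suspicious(f))
}
```

In a real deployment the certificate comes from the TLS handshake (for example `tls.ConnectionState.PeerCertificates[0]`) and the root pool from the organization's trust store; the rule deliberately ignores a self-signed certificate with an internal hostname, because those are common and are not what the report describes.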

Attacks on card processing
The first attack on card processing that Group-IB linked to MoneyTaker was carried out in May 2016. Having gained access to the bank's network, the group compromised the workstations of the operators of the First Data STAR network portal, made the necessary changes and withdrew money. In January 2017 a similar incident occurred at another bank.
The MoneyTaker attack scheme is simple. After gaining control of the bank's network, the hackers check whether they can connect to the card processing management system. They then legally open, or buy on the black market, cards of the bank to which they have access. Mules (accomplices whose only role is to withdraw money from cards) travel to another country with cards opened at these banks and wait for a signal to begin. The attackers use their access to card processing to remove or raise the cash withdrawal limits on the mule cards and to remove overdraft limits, which makes it possible to go into the red even on debit cards. The mules withdraw cash at one ATM, then move on to the next, and so on.
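The cash-out pattern just described (limits changed from the processing console, then rapid withdrawals at several ATMs abroad) can be turned into a detection rule on the card-processing audit trail. The Go program below is an added example, not part of the Group-IB report; the record format, field names, thresholds and sample records are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one record from a card-processing audit trail. The line format is
// constructed for this example: "RFC3339 time|card|kind|country|atm", where
// kind is limit_change (issued from the processing console) or atm_withdrawal.
type Event struct {
	Time    time.Time
	Card    string
	Kind    string
	Country string
	ATM     string
}

// ParseEvents parses the constructed format and returns events in time order.
func ParseEvents(lines []string) ([]Event, error) {
	var out []Event
	for _, l := range lines {
		l = strings.TrimSpace(l)
		if l == "" {
			continue
		}
		f := strings.Split(l, "|")
		if len(f) != 5 {
			return nil, fmt.Errorf("bad record: %q", l)
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		out = append(out, Event{Time: ts, Card: f[1], Kind: f[2], Country: f[3], ATM: f[4]})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Time.Before(out[j].Time) })
	return out, nil
}

// FlagCards returns cards whose limits were changed from the processing
// console and which were then, within window, used for cash withdrawals at
// minATMs or more distinct ATMs outside the issuing country.
func FlagCards(events []Event, issuerCountry string, window time.Duration, minATMs int) []string {
	lastChange := map[string]time.Time{}
	atmsSeen := map[string]map[string]bool{}
	flagged := map[string]bool{}
	for _, e := range events {
		switch e.Kind {
		case "limit_change":
			lastChange[e.Card] = e.Time
			atmsSeen[e.Card] = map[string]bool{} // start counting afresh after each change
		case "atm_withdrawal":
			t, ok := lastChange[e.Card]
			if !ok || e.Time.Sub(t) > window || e.Country == issuerCountry {
				continue // no preceding limit change, outside the window, or domestic
			}
			atmsSeen[e.Card][e.ATM] = true
			if len(atmsSeen[e.Card]) >= minATMs {
				flagged[e.Card] = true
			}
		}
	}
	var out []string
	for c := range flagged {
		out = append(out, c)
	}
	sort.Strings(out)
	return out
}

// sampleLog is constructed data, not records from any real incident.
var sampleLog = []string{
	"2017-01-14T01:05:00Z|4111-01|limit_change|US|console",
	"2017-01-14T02:10:00Z|4111-01|atm_withdrawal|MX|ATM-7731",
	"2017-01-14T02:24:00Z|4111-01|atm_withdrawal|MX|ATM-7740",
	"2017-01-14T02:41:00Z|4111-01|atm_withdrawal|MX|ATM-7802",
	"2017-01-14T01:06:00Z|4111-02|limit_change|US|console",
	"2017-01-14T09:00:00Z|4111-02|atm_withdrawal|US|ATM-0012",
	"2017-01-14T03:00:00Z|4111-03|atm_withdrawal|FR|ATM-9001",
	"2017-01-14T03:30:00Z|4111-03|atm_withdrawal|FR|ATM-9002",
	"2017-01-14T04:00:00Z|4111-03|atm_withdrawal|FR|ATM-9003",
}

// Run applies the rule to the sample with a 6-hour window and 3 distinct ATMs.
func Run() ([]string, error) {
	ev, err := ParseEvents(sampleLog)
	if err != nil {
		return nil, err
	}
	return FlagCards(ev, "US", 6*time.Hour, 3), nil
}

func main() {
	cards, err := Run()
	if err != nil {
		fmt.Println(err)
		return
	}
	fmt.Println("cards to freeze:", cards) // [4111-01]
}
```

Card 4111-03 is deliberately left unflagged: withdrawals abroad at several ATMs are what a travelling customer looks like, and it is the preceding limit change from the console that makes the sequence match the scheme in the text.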