The number of APT bank robberies using Metel, GCMAN and Carbanak 2.0 attacks is increasing


Introduction

In late 2014, Kaspersky Lab researchers warned that cybercriminals targeting financial transactions would use sophisticated tactics and technologies typical of APT attacks to rob banks.

Just a few months later in February 2015, we announced the discovery of Carbanak, a criminal group that used malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries.

Since then, we have seen an increase in covert APT attacks that combine the use of intelligence, social engineering, specialized malware, distribution tools, and long-term planning to steal money from financial institutions (especially ATMs and money transfer systems).

At the Security Analyst Summit (SAS 2016), Kaspersky Lab announced the discovery of two new groups associated with APT bank robberies: Metel and GCMAN, and the resumption of the activities of the Carbanak group with new goals.

In 2015, Kaspersky Lab employees investigated incidents in 29 organizations located in Russia that were attacked by these three groups.

Because of ongoing law enforcement investigations and non-disclosure agreements with the affected organizations, Kaspersky Lab cannot provide detailed information about the attacks. Instead, Kaspersky Lab is publishing key indicators of compromise (IOCs) and other data to help organizations find traces of these attack groups in their corporate networks (see below).

Metel - balance rollback via ATMs

In the summer of 2015, a Russian bank discovered that millions of rubles had gone missing overnight as a result of a series of strange financial transactions. Bank customers had made withdrawals at ATMs owned by other banks and were able to take out huge amounts of cash without their account balances changing. The affected bank had no idea anything was wrong until it began to settle with the other banks for the cash withdrawn from their ATMs.

During our investigation, we found out what it was: Metel, a modular malware also known as Corkow.

The malware, used exclusively by the Metel group, infected the bank's corporate network through emails and spread throughout the bank's IT system, gaining access to computers.

Having gained access to the system that manages monetary transactions, criminals set up automatic rollbacks of transactions made through ATMs. This means that money could be stolen from ATMs using debit cards while the card's account balance remained the same, allowing multiple transactions to be made at different ATMs.

Encrypted configuration file of malicious Metel plugins

During the investigation, we found out that the attackers were traveling around Russian cities, withdrawing money through ATMs belonging to different banks. Due to the automatic rollback, the money was instantly returned to the account immediately after withdrawing cash from the ATM. The group worked only at night, emptying ATMs in different places.
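A defender-side check for the rollback pattern described above, added here as an example and not taken from the original article or from Kaspersky Lab: it scans a card-processing journal for withdrawals that are reversed within seconds, repeated across several different ATMs. The journal format and the sample rows are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of a card-processing journal (not real bank data):
# timestamp, card id, event type, ATM id, amount in rubles
SAMPLE_JOURNAL = """\
2015-07-14T02:01:10 card-A withdrawal atm-bank2-017 40000
2015-07-14T02:01:12 card-A reversal   atm-bank2-017 40000
2015-07-14T02:09:45 card-A withdrawal atm-bank3-104 40000
2015-07-14T02:09:47 card-A reversal   atm-bank3-104 40000
2015-07-14T02:20:30 card-A withdrawal atm-bank5-002 40000
2015-07-14T02:20:33 card-A reversal   atm-bank5-002 40000
2015-07-14T13:15:00 card-B withdrawal atm-bank2-017 5000
2015-07-15T09:00:00 card-B withdrawal atm-bank2-017 3000
2015-07-15T09:30:00 card-B reversal   atm-bank2-017 3000
"""

def parse_journal(text):
    """Parse whitespace-separated journal rows into typed tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, event, atm, amount = line.split()
        rows.append((datetime.fromisoformat(ts), card, event, atm, int(amount)))
    return rows

def find_rollback_abuse(rows, max_gap=timedelta(seconds=30), min_hits=2):
    """Return {card: [(atm, amount), ...]} for cards whose ATM withdrawals are
    reversed within max_gap of the withdrawal, at min_hits or more distinct ATMs.
    A legitimate reversal (declined dispense, customer dispute) is rare and
    usually much slower; an instant reversal repeated across ATMs is the
    Metel signature."""
    pending = {}   # card -> (withdrawal time, atm, amount) awaiting a reversal
    hits = {}
    for ts, card, event, atm, amount in sorted(rows):
        if event == "withdrawal":
            pending[card] = (ts, atm, amount)
        elif event == "reversal":
            w = pending.pop(card, None)
            if w and w[1] == atm and w[2] == amount and ts - w[0] <= max_gap:
                hits.setdefault(card, []).append((atm, amount))
    return {c: h for c, h in hits.items()
            if len({atm for atm, _ in h}) >= min_hits}
```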

In total, we found Metel in more than 30 financial institutions, but Kaspersky Lab employees were able to clean up the networks before serious damage was caused. It is likely that this threat is much more widespread, and we strongly advise financial institutions around the world to scan their networks for signs of Metel malware.

The Metel crime group is still active. We currently have no information about victims outside of Russia.

GCMAN - penetration testing tools are to blame

The second group, which we call GCMAN because the malware is based on code compiled using the GCC compiler, has appeared recently and uses techniques similar to Metel to infect banking organizations and transfer money to cryptocurrency services.

The initial infection is carried out through spear-phishing emails sent to financial institutions with a malicious RAR archive attached. When the archive is opened, an executable disguised as a Microsoft Word document runs and infects the host.

Once inside the network, the GCMAN group uses legitimate tools and penetration-testing tools such as PuTTY, VNC and Meterpreter to spread through the network. Our investigation revealed an attack in which the group planted a cron script on a bank server that sent financial transactions of $200 per minute. The scheduler called the script every minute, and the script pushed a new transaction directly into the payment processing system. This allowed the group to transfer money to various cryptocurrency services without notifying the bank's other systems.

Decompiled code of the GCMAN malware group that connects to the control server

Luckily, the financial organizations detected the suspicious network activity in time, neutralized the threat and cancelled the transactions.

An interesting fact is that the actual intrusion occurred about 18 months before it was discovered. The group used an MS SQL injection against commercial software running on one of the bank's public web services, and after a year and a half they returned to steal the money. During that period, 70 internal hosts were infected and 56 accounts were compromised from 139 attack sources (Tor exit nodes and compromised home routers).

We discovered that approximately 2 months before the incident, someone had tried to guess the password of the bank server's administrator account. They were persistent, but to avoid detection they made only three attempts a week, and only on Saturdays.
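The two GCMAN behaviours described above, the minute-by-minute $200 transfers and the low-and-slow password guessing confined to Saturdays, turned into detection logic over sample logs. This is an added example, not code from the article or from Kaspersky Lab; the log formats, field layout and sample rows are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of payment-system transfers (timestamp, destination, USD)
SAMPLE_TRANSFERS = """\
2015-10-03T23:00:00 crypto-exch-1 200
2015-10-03T23:01:00 crypto-exch-1 200
2015-10-03T23:02:00 crypto-exch-1 200
2015-10-03T23:03:01 crypto-exch-1 200
2015-10-03T23:04:00 crypto-exch-1 200
2015-10-03T23:04:20 vendor-42 1375
"""
# Constructed sample of failed logins for the admin account (timestamp, user, source)
SAMPLE_AUTH_FAILS = """\
2015-08-01T03:10:00 admin 203.0.113.5
2015-08-01T04:05:00 admin 203.0.113.5
2015-08-08T02:58:00 admin 198.51.100.9
2015-08-08T04:10:00 admin 198.51.100.9
2015-08-12T14:00:00 admin 192.0.2.1
2015-08-15T03:01:00 admin 203.0.113.5
2015-08-15T04:02:00 admin 203.0.113.5
"""

def parse(text):
    """Split whitespace-separated rows; the first field becomes a datetime."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    return [(datetime.fromisoformat(r[0]), *r[1:]) for r in rows]

def periodic_transfers(rows, period=60, tolerance=5, min_run=4):
    """Flag (destination, amount) pairs seen >= min_run times whose successive
    gaps all lie within `tolerance` seconds of `period` (a scheduler signature)."""
    by_key = defaultdict(list)
    for ts, dest, amount in rows:
        by_key[(dest, int(amount))].append(ts)
    flagged = []
    for key, times in by_key.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_run and all(abs(g - period) <= tolerance for g in gaps):
            flagged.append((key, len(times)))
    return flagged

def low_and_slow_weekend(rows, weekday=5, min_weeks=3):
    """Return users whose failed logins land on one weekday (5 = Saturday)
    across >= min_weeks distinct ISO weeks: few attempts, strict schedule."""
    weeks = defaultdict(set)
    for ts, user, _src in rows:
        if ts.weekday() == weekday:
            weeks[user].add(ts.isocalendar()[1])
    return {user for user, seen in weeks.items() if len(seen) >= min_weeks}
```

Per-source rate limiting alone misses both patterns: the cron transfers come from inside the bank, and the guessing stays far below any lockout threshold, so the cadence and the calendar are what give them away.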

Kaspersky Lab's research team responded to incidents at three financial institutions in Russia that were infected with GCMAN malware. This threat is likely much more widespread, and we strongly advise banks to scan their networks for signs of this cybercriminal ring.

Carbanak 2.0: new targets beyond banks

After we uncovered the Carbanak group exactly a year ago, it disappeared for about 5 months and we thought the group had disbanded. However, last September our friends at CSIS published a blog post detailing a new variant of the Carbanak attack that one of their customers was exposed to.

In December 2015, we confirmed that the group was still active. Kaspersky Lab detected signs of Carbanak in two intrusion cases - in a telecommunications company and in a financial institution.

Executable files found in the intrusion monitoring system during the investigation of the Carbanak incident

An interesting feature of the Carbanak 2.0 group is its different victim profile. The group is no longer interested only in banks; its targets are now the budget and accounting departments of any organization it finds interesting, attacked with the same APT-style tools and techniques.

In one notable case, a Carbanak 2.0 attacker used access to a financial institution that stores shareholder information to change the ownership records of a large company. The owner's details were replaced with those of a "drop" (a money mule). It is not clear how they intended to use this in the future.

Kaspersky Lab products successfully detect and block malware used by the Carbanak 2.0, Metel and GCMAN groups under the following names:
  • Trojan-Dropper.Win32.Metel
  • Backdoor.Win32.Metel
  • Trojan-Banker.Win32.Metel
  • Backdoor.Win32.GCMan
  • Backdoor.Win64.GCMan
  • Trojan-Downloader.Win32.GCMan
  • Trojan-Downloader.Win32.Carbanak
  • Backdoor.Win32.Carbanak
Kaspersky Lab strongly recommends that all organizations carefully scan their networks for the presence of Carbanak, Metel and GCMAN and, if detected, clean up the systems/computers/networks and report the intrusion to law enforcement.

Full details are available to customers of the analytics reporting service, who also receive indicators of compromise and contextual information as soon as they become available.


IOC files are available here:
  • Metel
  • GCMAN
  • Carbanak 2.0