Ratopak Trojan – Russian banks under attack

Financially motivated actors have tricked employees of at least six Russian banks into installing the Ratopak Trojan; experts have found evidence of an extended hacking campaign.

According to the security firm Symantec, a financially motivated cyber criminal gang has targeted employees of Russian banks.

The threat actors have been using a Trojan called Ratopak to gain control over the victim’s machine and exfiltrate data. The experts have spotted several attacks since October. The attack chain starts with fake Central Bank employment emails sent to the staff of Russian financial institutions. To trick victims, the threat actors behind the malicious campaign registered the domain cbr.com.ru, which resembles cbr.ru, the official domain of Russia’s Central Bank.

The domain is referenced in the content of the fake emails and is used by the cyber criminals as a repository for the Ratopak Trojan.

Ratopak Trojan malicious emails

Source Symantec Report

The Ratopak Trojan implements a number of backdoor features, including logging keystrokes and stealing clipboard data.

“Trojan.Ratopak was likely used because it can allow the attacker to gain control of the compromised computer and steal information. The threat can open a back door on the computer and allow the attacker to perform a variety of actions, including logging keystrokes, retrieving clipboard data, and viewing and controlling the screen. It can also be used to download other malicious files and tools. The narrow focus of the attacks and the use of Ratopak could be a hint to what the attackers were after.” states a blog post published by Symantec.

The malware is signed with stolen certificates, and the samples analyzed by Symantec were specifically developed to target Russian or Ukrainian users.

“The threat also checks the language of the compromised computer. If it isn’t Russian or Ukrainian, then the malware stops its attack. Ratopak may also terminate and delete itself if it recognizes that it is being run on a virtual machine or a researcher’s computer.” continues the post.

Researchers said many of the infected computers had been running accounting and document management software designed to allow users to securely exchange documents with government organizations for tax purposes.

The malware experts at Symantec noticed the presence of software developed by the Russian company SBIS on many of the infected machines. The application developed by SBIS is an accounting application and is referred to as “buh” (“accountant” in Russian). The threat actors inserted the word buh into their URLs in an effort to deceive victims who normally work with the software developed by SBIS.

“A common link between several of the victims was a piece of software created by SBIS, a Russian company that develops, among other things, accounting and payroll applications. In URLs used by SBIS, their accounting software is referred to as “buh” (buh.sbis.ru/buh/ for example. “Buh” is the Russian term for accountant),” states Symantec. “The attackers behind these attacks used “buh” in their URLs, knowing their victims would be running SBIS accounting software. By using this string in their URLs, the attackers can disguise their attack by making their activities look like normal traffic. This approach has led other researchers to label Trojan.Ratopak as “Buhtrap.””
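Two of the lures described above, the cbr.com.ru lookalike of cbr.ru and the use of “buh” in URLs to blend in with legitimate SBIS traffic, can be turned into a simple triage check over mail-gateway or proxy logs. The script below is an added example, not code from Symantec or from this article; the sample URLs and sender address are constructed, and treating “buh” as a path segment is an assumption about how the string was placed in the attackers’ URLs.

```python
from urllib.parse import urlparse

# Legitimate domains named in the report: Russia's Central Bank and the SBIS vendor.
LEGIT_CBR = "cbr.ru"
LEGIT_SBIS = "sbis.ru"

# Constructed sample URLs for a dry run (not indicators taken from the report).
SAMPLE_URLS = [
    "http://cbr.com.ru/buh/vacancy.doc",    # lookalike host carrying the "buh" lure
    "https://cbr.ru/press/",                # real central bank host
    "https://buh.sbis.ru/buh/",             # real SBIS accounting URL
    "http://update-buh.example/buh/load",   # "buh" on an unrelated host
]

def is_under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def is_lookalike(host, legit):
    """Flag hosts that reuse the legitimate first label (e.g. 'cbr') without
    being under the legitimate domain, such as cbr.com.ru or cbr-online.example."""
    if is_under(host, legit):
        return False
    label = legit.split(".")[0]
    parts = host.replace("-", ".").split(".")
    return label in parts

def assess_url(url):
    """Return the list of reasons a URL deserves a closer look (empty = clean)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if is_lookalike(host, LEGIT_CBR):
        reasons.append("lookalike of " + LEGIT_CBR)
    # Assumption: "buh" appears as a path segment, as in buh.sbis.ru/buh/.
    if "buh" in parsed.path.lower().split("/") and not is_under(host, LEGIT_SBIS):
        reasons.append("'buh' path on a non-SBIS host")
    return reasons

def assess_sender(address):
    """Apply the lookalike check to the domain part of an e-mail sender."""
    domain = address.rsplit("@", 1)[-1].lower()
    return ["lookalike of " + LEGIT_CBR] if is_lookalike(domain, LEGIT_CBR) else []

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", assess_url(url) or "ok")
    print(assess_sender("hr@cbr.com.ru"))  # constructed sender address
```

The hostname check only catches hosts that reuse the exact label; hits should be confirmed against the registrable domain before any blocking action.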

In April 2015, experts at ESET spotted a malware campaign dubbed Operation Buhtrap, a combination of the Russian word for accountant, “Buhgalter”, and the English word “trap”. So far Buhtrap has not been seen anywhere else in the wild, so it is not likely to be widespread. Approximately 88 per cent of targets were located in Russia and ten per cent in Ukraine. Analysts linked the campaign to the Anunak/Carbanak campaign, which also targeted Russian and Ukrainian banks.

“Although we believe it to be a different campaign, it shares some similarities with Anunak/Carbanak in terms of techniques, tactics and procedures it use.”

The modus operandi of these particular cybercriminals was associated with targeted attacks rather than cyber fraud, which makes this move to financial crime unusual. Their method of delivery is email with an attached invoice document or a hoax contract.

Experts at Symantec confirmed their suspicions about the motivation of the attackers, who appear to be one of the Russian criminal rings specialized in attacks against banks and financial institutions.

“While there is no conclusive evidence of the attacker’s goal, the attacks appear to be financially motivated. The specificity of the targets−employees at certain banks using accounting software to send the government tax information−certainly points towards this goal,” states Symantec. 

Other groups have recently targeted Russian banks; the best known are Carbanak and Anunak, which reportedly stole $1 billion from 100 banks worldwide. A few weeks ago Kaspersky uncovered the operation of Carbanak 2.0.

The experts at Kaspersky Lab discovered that the Carbanak cybergang is back and that other groups are adopting similar APT-style techniques to steal money, including the Metel and GCMAN hacking crews.

Pierluigi Paganini

Security Affairs –  (Ratopak Trojan, malware)

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
