Pierluigi Paganini December 11, 2017

Group-IB spotted the operations of a Russian-speaking cyber gang tracked as MoneyTaker group that stole as much as $10 million from US and Russian banks.

Researchers from security firm Group-IB has spotted the operations of a Russian-speaking cyber gang tracked as MoneyTaker that has stolen as much as $10 million from U.S. and Russian banks in the last 18 months,

According to the experts, in less than two years the MoneyTaker group conducted over 20 successful attacks on financial institutions and law firms in the USA, UK, and Russia.

The average amount of money stolen from U.S. banks was about $500,000, the hackers also stole over $3 million from three Russian lenders.

The group was primarily focused on card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Experts believe that financial institutions in LATAM could have particularly exposed due to their usage of a STAR system.

The MoneyTaker group also targeted law firms and financial software vendors, Group-IB has confirmed that 20 companies were successfully hacked, with 16 attacks on US organizations, 3 attacks on Russian banks and 1 in the UK.

The researchers highlighted that the group remained under the radar by constantly changing their tools and switching tactics to evade detection.

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” explains Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence. “In addition, incidents occur in different regions worldwide and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations”.

Group-IB first noticed the MoneyTaker group in 2016 when the hackers stole funds from a US bank by gaining access to First Data’s “STAR” network operator portal.

“In 2016, Group-IB identified 10 attacks conducted by MoneyTaker; 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a bank in the UK and 2 attacks on Russian banks. Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB.” reported the security firm.

“In 2017, the number of attacks has remained the same with 8 US banks, 1 law firm and  bank in Russia being targeted. The geography, however, has narrowed to only the USA and Russia.”

The researchers at Group-IB discovered many similarities between 20 incidents throughout 2016 and 2017, hackers used same tools and shared the attack infrastructure. The attack infrastructure is complex and it was able to deliver payloads only to victims with IP addresses in group’s whitelist.

To evade detection, MoneyTaker employs SSL certificates generated using names of well-known brands such as Bank of America, Federal Reserve Bank, Microsoft, and Yahoo.

A look at the MoneyTaker arsenal reveals that the hackers use both borrowed and their custom tools, in one case they developed a keylogger that is also able to take ‘screenshots’ of the infected system.

In the arsenal of the group, there are ‘fileless’ malware whose persistence in the infected systems was obtained by using PowerShell and VBS scripts.

Experts observed the hackers using privilege escalation tools compiled based on codes presented at the Russian cybersecurity conference ZeroNights 2016. The group also used popular banking Trojans in their attacks such as Citadel and Kronos.

The Kronos malware was used to deliver the ScanPOS Point-of-Sale (POS) malware.

In an attack on a Russian bank through the AWS CBR, the MoneyTaker group used a tool called MoneyTaker v5.0 that has a modular structure that performs the following actions:

• searches for payment orders and modifies them;
• replaces original payment details with fraudulent ones;
• erases traces;

Even after the attacks, the MoneyTaker group continues to spy on the victims, the group continuously exfiltrates internal banking documentation (admin guides, internal regulations and instructions, change request forms, transaction logs) to learn about bank operations in preparation for future attacks.

Experts from Group-IB also discovered MoneyTaker uses a Pentest framework Server and leverages Metasploit for the attacks.

“After successfully infecting one of the computers and gaining initial access to the system, the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network.” continues the firm.

Group-IB has already shared findings of its investigation with the Europol and Interpol.

The full report is available on the Group-IB website.

Pierluigi Paganini

(Security Affairs – MoneyTaker group, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]