Cyber Crime

MoneyTaker group: Group-IB uncovered a cyber gang attacking banks in the USA and Russia

Group-IB spotted the operations of a Russian-speaking cyber gang tracked as MoneyTaker group that stole as much as $10 million from US and Russian banks.

Researchers from security firm Group-IB has spotted the operations of a Russian-speaking cyber gang tracked as MoneyTaker that has stolen as much as $10 million from U.S. and Russian banks in the last 18 months,

According to the experts, in less than two years the MoneyTaker group conducted over 20 successful attacks on financial institutions and law firms in the USA, UK, and Russia.

The average amount of money stolen from U.S. banks was about $500,000, the hackers also stole over $3 million from three Russian lenders.

The group was primarily focused on card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Experts believe that financial institutions in LATAM could have particularly exposed due to their usage of a STAR system.

The MoneyTaker group also targeted law firms and financial software vendors, Group-IB has confirmed that 20 companies were successfully hacked, with 16 attacks on US organizations, 3 attacks on Russian banks and 1 in the UK.

The researchers highlighted that the group remained under the radar by constantly changing their tools and switching tactics to evade detection.

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” explains Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence. “In addition, incidents occur in different regions worldwide and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations”.

Group-IB first noticed the MoneyTaker group in 2016 when the hackers stole funds from a US bank by gaining access to First Data’s “STAR” network operator portal.

“In 2016, Group-IB identified 10 attacks conducted by MoneyTaker; 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a bank in the UK and 2 attacks on Russian banks. Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB.” reported the security firm.

“In 2017, the number of attacks has remained the same with 8 US banks, 1 law firm and  bank in Russia being targeted. The geography, however, has narrowed to only the USA and Russia.”

The researchers at Group-IB discovered many similarities between 20 incidents throughout 2016 and 2017, hackers used same tools and shared the attack infrastructure. The attack infrastructure is complex and it was able to deliver payloads only to victims with IP addresses in group’s whitelist.

To evade detection, MoneyTaker employs SSL certificates generated using names of well-known brands such as Bank of America, Federal Reserve Bank, Microsoft, and Yahoo.

A look at the MoneyTaker arsenal reveals that the hackers use both borrowed and their custom tools, in one case they developed a keylogger that is also able to take ‘screenshots’ of the infected system.

In the arsenal of the group, there are ‘fileless’ malware whose persistence in the infected systems was obtained by using PowerShell and VBS scripts.

Experts observed the hackers using privilege escalation tools compiled based on codes presented at the Russian cybersecurity conference ZeroNights 2016. The group also used popular banking Trojans in their attacks such as Citadel and Kronos.

The Kronos malware was used to deliver the ScanPOS Point-of-Sale (POS) malware.

In an attack on a Russian bank through the AWS CBR, the MoneyTaker group used a tool called MoneyTaker v5.0 that has a modular structure that performs the following actions:

  • searches for payment orders and modifies them;
  • replaces original payment details with fraudulent ones;
  • erases traces;

Even after the attacks, the MoneyTaker group continues to spy on the victims, the group continuously exfiltrates internal banking documentation (admin guides, internal regulations and instructions, change request forms, transaction logs) to learn about bank operations in preparation for future attacks.

Experts from Group-IB also discovered MoneyTaker uses a Pentest framework Server and leverages Metasploit for the attacks.

“After successfully infecting one of the computers and gaining initial access to the system, the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network.” continues the firm.

Group-IB has already shared findings of its investigation with the Europol and Interpol.

The full report is available on the Group-IB website.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – MoneyTaker group, cybercrime)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

3 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

17 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

24 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.