Hackers Steal Money from Banks via APT-Style Attacks

Researchers at Kaspersky Lab have been monitoring the activities of several cybercrime gangs that use tactics and techniques common for APT groups to steal money from banks.

Last year, at its 2015 Security Analyst Summit (SAS), Kaspersky published a report detailing the activities of a sophisticated cybercrime ring known as Carbanak (also referred to as Anunak). Investigators estimated at the time that the attackers had breached the networks of more than 100 banks across 30 countries, stealing up to $1 billion.

On Monday, at the 2016 edition of SAS, taking place this week in Tenerife, Spain, Kaspersky researchers revealed that Carbanak is back and that it’s not the only cybercrime gang using APT-style techniques in its operations. Last year, experts investigated incidents at 29 Russian organizations hit by Carbanak and two other similar groups, dubbed “Metel” and “GCMAN.”

Carbanak activity ceased for roughly five months last year, but CSIS reported in September that it had spotted a new malware variant on a customer’s systems. Kaspersky has confirmed that Carbanak is back and it appears the group is now targeting the budgeting and accounting departments of various types of organizations, not just banks. The security firm spotted attacks against a financial institution and a telecoms company.

In one attack carried out by the gang, which Kaspersky now calls “Carbanak 2.0,” cybercriminals changed the ownership details of a large company, making it look like one of their money mules was a shareholder. Experts have not been able to determine what the fraudsters were trying to accomplish by doing so.

Metel attacks

In attacks involving a piece of malware known as Metel (also called Corkow), the attackers infected the targeted banks’ corporate networks via spear-phishing emails.

One of the Russian banks hit by the cyber robbers discovered that millions of rubles were withdrawn by its customers in one night from the ATMs of other financial institutions. An investigation revealed that the attackers actually gained access to the bank’s money processing systems and made some changes to automatically roll back ATM transactions.

This allowed the gang’s members to withdraw cash from several ATMs while the balance on their cards remained unchanged.

“Our investigations revealed that the attackers drove around several cities in Russia, stealing money from ATMs belonging to different banks. With the automated rollback in place the money was instantly returned to the account after the cash had been dispensed from the ATM. The group worked exclusively at night, emptying ATM cassettes at several locations,” Kaspersky researchers said in a blog post.

The Metel group is still active and the security firm observed infections in over 30 Russian financial organizations. The company said it managed to clean up the infections before any damage was caused, but advised organizations from all over the world to scan their networks because the threat is likely widespread.
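The Metel scheme described above leaves a distinctive trace in a bank’s own authorization logs: the same card is repeatedly debited at an ATM and then credited back within seconds, across different ATMs, at night. The following detection logic is an added example written for this article, not code from Kaspersky or any bank; the log format, field names and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of card authorization events (not real bank data).
# Fields: timestamp, card id, ATM id, event type (WITHDRAW or REVERSAL), amount in rubles.
SAMPLE_EVENTS = """\
2015-08-12T02:14:05 CARD-1001 ATM-MSK-07 WITHDRAW 40000
2015-08-12T02:14:09 CARD-1001 ATM-MSK-07 REVERSAL 40000
2015-08-12T02:31:40 CARD-1001 ATM-MSK-12 WITHDRAW 40000
2015-08-12T02:31:44 CARD-1001 ATM-MSK-12 REVERSAL 40000
2015-08-12T03:05:01 CARD-1001 ATM-SPB-03 WITHDRAW 40000
2015-08-12T03:05:06 CARD-1001 ATM-SPB-03 REVERSAL 40000
2015-08-12T14:20:00 CARD-2002 ATM-MSK-07 WITHDRAW 5000
2015-08-12T14:20:03 CARD-2002 ATM-MSK-07 REVERSAL 5000
2015-08-12T18:40:00 CARD-3003 ATM-MSK-01 WITHDRAW 3000
"""

def parse_events(text):
    """Parse the whitespace-separated sample format into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, atm, kind, amount = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "card": card,
                       "atm": atm, "kind": kind, "amount": int(amount)})
    return events

def find_rollback_abuse(events, max_gap=timedelta(seconds=30), min_pairs=2):
    """Group events per card and pair each WITHDRAW with a matching REVERSAL
    (same amount, within max_gap). A single reversal can be a legitimate
    failed dispense, so a card is flagged only after min_pairs such pairs."""
    by_card = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_card[e["card"]].append(e)
    flagged = {}
    for card, evs in by_card.items():
        pairs, pending = [], None
        for e in evs:
            if e["kind"] == "WITHDRAW":
                pending = e
            elif (e["kind"] == "REVERSAL" and pending is not None
                  and e["amount"] == pending["amount"]
                  and e["ts"] - pending["ts"] <= max_gap):
                pairs.append((pending, e))
                pending = None
        if len(pairs) >= min_pairs:
            # Cash dispensed but never debited, and the ATMs it was taken from.
            flagged[card] = {"pairs": len(pairs),
                             "undebited": sum(w["amount"] for w, _ in pairs),
                             "atms": sorted({w["atm"] for w, _ in pairs})}
    return flagged
```

Running `find_rollback_abuse(parse_events(SAMPLE_EVENTS))` flags only CARD-1001, with 120,000 rubles dispensed across three ATMs and never debited; the single reversal on CARD-2002 stays below the threshold.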

GCMAN attacks

Another cybercrime group using APT tactics and techniques is GCMAN, so named because of its use of the GCC compiler. The crime ring delivers malware to its targets by disguising it as a harmless Word document and attaching it to spear-phishing emails.

Once they gain access to the target’s network, the hackers use legitimate tools such as PuTTY, VNC and Meterpreter to move laterally. The goal is to obtain the access needed to transfer money from the bank to various e-currency services. In one case, the attackers deployed a script designed to send $200 every minute.

“A time-based scheduler was invoking the script every minute to post new transactions directly to upstream payment processing system. This allowed the group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank,” Kaspersky said.

Interestingly, the hackers compromised the target’s network 18 months before actually trying to steal money. When the crooks started stealing, the victim detected the suspicious activity and quickly canceled the fraudulent transactions.
