Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Cyber Gang Linked to Theft of $17M From Banks, Retailers: Research

Researchers at Group-IB and Fox-IT have released a report detailing the activities of a hacking crew linked to the theft of more than one billion rubles ($17 million) from a mix of Russian banks and Western retailers.

Researchers at Group-IB and Fox-IT have released a report detailing the activities of a hacking crew linked to the theft of more than one billion rubles ($17 million) from a mix of Russian banks and Western retailers.

According to the report, the group – known as ‘Anunak’ – focuses their frauds on the corporate network, targeting internal payment gateways and internal banking systems. In this way, they steal money from the banks and payment systems themselves and not from the banks’ customers.

In addition to this activity, the gang has also compromised media groups and other organizations for the purpose of industrial espionage and possibly to obtain a trading advantage on the stock market. In cases where the group got access to government agency networks, their aim is believed to be espionage-related, the researchers report.

All totaled, the group is known to have hit more than 50 Russian banks, five payment systems and 16 retail companies. Most of the retail companies are outside of Russia, but no U.S./EU banks are known to have been attacked.

“We have seen criminals branching out for years, for example with POS malware,” said Andy Chandler, Fox-IT’s SVP and general manager, in a statement. “Anunak has capabilities which pose threats across multiple continents and industries. It shows there’s a grey area between APT and botnets. The criminal’s pragmatic approach once more starts a new chapter in the cybercrime ecosystem.”

On average, the group stayed on internal networks 42 days before money was stolen, according to the report.

“As a result of access to internal bank networks the attackers also managed to gain access to ATM management infrastructure and infect those systems with their own malicious software that further allows theft from the banks’ ATM systems on the attackers command,” according to the report. “Since 2014 the organized criminal group members began actively taking an interest in US and European-based retail organizations. While they were already familiar with POS malware and compromising POS terminals, the widespread media attention around the Target breach and other related breaches were the reason for this move. While the scale of breaches in this industry is still relatively low, with at least 3 successful card breaches and over a dozen retailers compromised this activity is quickly becoming a lucrative endeavor for this group.”

As with many campaigns, the attackers use spear phishing emails to penetrate their targets. Since August 2014, the group began to create their own botnet for blasting out emails.

“The first successful bank robbery was committed by this group in January 2013,” according to the report. “In all first cases the attackers used the program RDPdoor for remote access to the bank network and the program “MBR Eraser” to remove traces and to crack Windows computers and servers. Both programs were used by the members of the Carberp criminal group under the guidance of a person named Germes. To reduce the risk of losing access to the internal bank network the attackers, in addition to malicious programs, were also used for remote access legitimate programs such as Ammy Admin and Team Viewer.”

“Later the attackers completely abandoned from usage of RDPdoor and Team Viewer,” the report continues. “In addition to banking and payment systems, hackers got access to e-mail servers to control all internal communications. This approach allowed them to find out that the anomalous activity in the bank network was identified, what technique was used to identify this activity and what measures the bank employees took to solve the problem. Email control was successfully installed regardless of used email system, MS Exchange or Lotus. This approach allowed them to take countermeasures that created for bank and payment system employees the feeling that the problem had been solved.”

The complete report can be read here.


Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.