
Hackers Steal Money from Banks via APT-Style Attacks

Researchers at Kaspersky Lab have been monitoring the activities of several cybercrime gangs that use tactics and techniques common for APT groups to steal money from banks.

Last year, at its 2015 Security Analyst Summit (SAS), Kaspersky published a report detailing the activities of a sophisticated cybercrime ring known as Carbanak and Anunak. Investigators estimated at the time that the attackers breached the networks of more than 100 banks across 30 countries, stealing up to $1 billion.

On Monday, at the 2016 edition of SAS taking place these days in Tenerife, Spain, Kaspersky researchers revealed that Carbanak is back and that it is not the only cybercrime gang using APT-style techniques in its operations. Last year, experts investigated incidents at 29 Russian organizations hit by Carbanak and two other similar groups, dubbed “Metel” and “GCMAN.”

Carbanak activity ceased for roughly five months last year, but CSIS reported in September that it had spotted a new malware variant on a customer’s systems. Kaspersky has confirmed that Carbanak is back and it appears the group is now targeting the budgeting and accounting departments of various types of organizations, not just banks. The security firm spotted attacks against a financial institution and a telecoms company.

In one attack carried out by the gang, which Kaspersky now calls “Carbanak 2.0,” cybercriminals changed the ownership details of a large company, making it look like one of their money mules was a shareholder. Experts have not been able to determine what the fraudsters were trying to accomplish by doing so.

Metel attacks

In attacks involving a piece of malware known as both Metel and Corkow, attackers infected the targeted banks’ corporate networks via spear-phishing emails.

One of the Russian banks hit by the cyber robbers discovered that millions of rubles were withdrawn by its customers in one night from the ATMs of other financial institutions. An investigation revealed that the attackers actually gained access to the bank’s money processing systems and made some changes to automatically roll back ATM transactions.

This allowed the gang’s members to withdraw money from several ATMs while the balance on their cards remained the same.

“Our investigations revealed that the attackers drove around several cities in Russia, stealing money from ATMs belonging to different banks. With the automated rollback in place the money was instantly returned to the account after the cash had been dispensed from the ATM. The group worked exclusively at night, emptying ATM cassettes at several locations,” Kaspersky researchers said in a blog post.

The Metel group is still active and the security firm observed infections in over 30 Russian financial organizations. The company said it managed to clean up the infections before any damage was caused, but advised organizations from all over the world to scan their networks because the threat is likely widespread.

GCMAN attacks

Another cybercrime group using APT tactics and techniques is GCMAN, so named because of its use of the GCC compiler. The crime ring delivers malware to its targets by disguising it as a harmless Word document and attaching it to spear-phishing emails.

Once they gain access to the target’s network, the hackers use legitimate tools like PuTTY, VNC and Meterpreter to move laterally. The goal is to gain the access needed to transfer money from the bank to various e-currency services. In one case, the attackers deployed a script designed to send $200 every minute.

“A time-based scheduler was invoking the script every minute to post new transactions directly to the upstream payment processing system. This allowed the group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank,” Kaspersky said.

Interestingly, the hackers compromised the target’s network 18 months before actually trying to steal money. When the crooks started stealing, the victim detected the suspicious activity and quickly canceled the fraudulent transactions.
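Both schemes described above leave a recognizable trace in transaction records: Metel’s automated rollbacks pair each ATM withdrawal with a reversal seconds later, and GCMAN’s scheduled script produces identical amounts flowing to the same destination at a near-constant interval. The following is an added example, not code from the article, from Kaspersky or from any bank: a Python script that parses constructed transaction log lines (the log format, account names, ATM identifiers and amounts are all invented for illustration) and flags the two patterns so that an analyst can see what such monitoring would look like.

```python
"""Flag two fraud signatures in a transaction log (constructed example).

1. Withdrawals reversed within a short window, repeatedly, on one account
   (cash left the ATM but the balance never moved).
2. Identical amounts sent to one destination at a near-constant interval
   (a scheduled script posting transfers).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format and values, not real bank data):
# <ISO timestamp> <type> <account> <amount in the log's currency units> <counterparty>
SAMPLE_LOG = """\
2016-02-08T01:00:05 ATM_WITHDRAWAL card-1001 5000 atm-bank-B-17
2016-02-08T01:00:09 ROLLBACK       card-1001 5000 atm-bank-B-17
2016-02-08T01:14:30 ATM_WITHDRAWAL card-1001 5000 atm-bank-C-04
2016-02-08T01:14:33 ROLLBACK       card-1001 5000 atm-bank-C-04
2016-02-08T01:31:10 ATM_WITHDRAWAL card-1001 5000 atm-bank-B-22
2016-02-08T01:31:12 ROLLBACK       card-1001 5000 atm-bank-B-22
2016-02-08T09:15:00 ATM_WITHDRAWAL card-2002 300  atm-bank-A-01
2016-02-08T10:02:00 ATM_WITHDRAWAL card-3003 1000 atm-bank-A-09
2016-02-08T10:02:40 ROLLBACK       card-3003 1000 atm-bank-A-09
2016-02-08T03:00:00 TRANSFER acct-ops 200 ewallet-A
2016-02-08T03:01:00 TRANSFER acct-ops 200 ewallet-A
2016-02-08T03:02:00 TRANSFER acct-ops 200 ewallet-A
2016-02-08T03:03:01 TRANSFER acct-ops 200 ewallet-A
2016-02-08T03:04:00 TRANSFER acct-ops 200 ewallet-A
2016-02-08T03:05:00 TRANSFER acct-ops 200 ewallet-A
2016-02-08T11:00:00 TRANSFER acct-payroll 1250 vendor-B
2016-02-08T11:20:00 TRANSFER acct-payroll 980  vendor-B
2016-02-08T12:05:00 TRANSFER acct-payroll 1250 vendor-B
2016-02-08T12:40:00 TRANSFER acct-payroll 1250 vendor-B
2016-02-08T13:00:00 TRANSFER acct-payroll 1250 vendor-B
"""


def parse_log(text):
    """Turn the whitespace-separated log into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, kind, account, amount, counterparty = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "type": kind,
                       "account": account, "amount": int(amount),
                       "counterparty": counterparty})
    return sorted(events, key=lambda e: e["ts"])


def find_rolled_back_withdrawals(events, window_seconds=60, min_count=2):
    """Accounts whose ATM withdrawals are reversed within window_seconds at
    least min_count times. A single reversal is normal (a failed dispense);
    a repeated pattern of dispense-then-reverse is the Metel signature."""
    pending = defaultdict(list)   # account -> withdrawals awaiting a rollback
    hits = defaultdict(list)      # account -> (withdrawal ts, rollback ts, amount)
    for e in events:
        if e["type"] == "ATM_WITHDRAWAL":
            pending[e["account"]].append(e)
        elif e["type"] == "ROLLBACK":
            for w in pending[e["account"]]:
                delta = e["ts"] - w["ts"]
                if w["amount"] == e["amount"] and timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                    hits[e["account"]].append((w["ts"], e["ts"], e["amount"]))
                    pending[e["account"]].remove(w)
                    break
    return {acct: h for acct, h in hits.items() if len(h) >= min_count}


def find_metronomic_transfers(events, min_count=5, max_jitter_seconds=5):
    """Destinations receiving one fixed amount at a near-constant interval.
    Human-initiated payments vary in amount and timing; a scheduler does not."""
    by_dest = defaultdict(list)
    for e in events:
        if e["type"] == "TRANSFER":
            by_dest[e["counterparty"]].append(e)
    flagged = {}
    for dest, evs in by_dest.items():
        if len(evs) < min_count:
            continue
        amounts = {e["amount"] for e in evs}
        if len(amounts) != 1:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        if max(gaps) - min(gaps) <= max_jitter_seconds:
            flagged[dest] = {"amount": amounts.pop(), "count": len(evs),
                             "interval_seconds": sum(gaps) / len(gaps)}
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for acct, pairs in find_rolled_back_withdrawals(evs).items():
        print(f"rollback pattern on {acct}: {len(pairs)} reversed withdrawals")
    for dest, info in find_metronomic_transfers(evs).items():
        print(f"scheduled transfers to {dest}: {info}")
```

In the constructed log, `card-1001` is flagged (three withdrawals each reversed within seconds), `card-3003` is not (one reversal is below the threshold), and `ewallet-A` is flagged (six transfers of 200 at 60-second spacing) while the irregular `vendor-B` payments pass. Thresholds are assumptions to be tuned against a bank’s own baseline; the point is that both fraud patterns are visible in ordinary transaction records once someone looks for them.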

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
