Hackers Steal Money from Banks via APT-Style Attacks

Researchers at Kaspersky Lab have been monitoring the activities of several cybercrime gangs that use tactics and techniques common for APT groups to steal money from banks.

Last year, at its 2015 Security Analyst Summit (SAS), Kaspersky published a report detailing the activities of a sophisticated cybercrime ring known as Carbanak (also tracked as Anunak). Investigators estimated at the time that the attackers had breached the networks of more than 100 banks across 30 countries, stealing up to $1 billion.

On Monday, at the 2016 edition of SAS, which is taking place this week in Tenerife, Spain, Kaspersky researchers revealed that Carbanak is back and that it is not the only cybercrime gang using APT-style techniques in its operations. Last year, experts investigated incidents at 29 Russian organizations hit by Carbanak and two other similar groups, dubbed “Metel” and “GCMAN.”

Carbanak activity ceased for roughly five months last year, but CSIS reported in September that it had spotted a new malware variant on a customer’s systems. Kaspersky has confirmed that Carbanak is back and it appears the group is now targeting the budgeting and accounting departments of various types of organizations, not just banks. The security firm spotted attacks against a financial institution and a telecoms company.

In one attack carried out by the gang, which Kaspersky now calls “Carbanak 2.0,” cybercriminals changed the ownership details of a large company, making it look like one of their money mules was a shareholder. Experts have not been able to determine what the fraudsters were trying to accomplish by doing so.

Metel attacks

In attacks involving a piece of malware known as Metel (also called Corkow), the attackers infected the targeted banks’ corporate networks via spear-phishing emails.

One of the Russian banks hit by the cyber robbers discovered that millions of rubles had been withdrawn by its customers in a single night from the ATMs of other financial institutions. An investigation revealed that the attackers had gained access to the bank’s money processing systems and modified them to automatically roll back ATM transactions.

This allowed the gang’s members to withdraw cash from several ATMs while the balance on their cards remained unchanged: each withdrawal was reversed moments after the cash was dispensed, so the same card could be used again and again.

“Our investigations revealed that the attackers drove around several cities in Russia, stealing money from ATMs belonging to different banks. With the automated rollback in place the money was instantly returned to the account after the cash had been dispensed from the ATM. The group worked exclusively at night, emptying ATM cassettes at several locations,” Kaspersky researchers said in a blog post.

The Metel group is still active, and the security firm observed infections in over 30 Russian financial organizations. The company said it managed to clean up the infections before any damage was caused, but advised organizations worldwide to scan their networks because the threat is likely widespread.

GCMAN attacks

Another cybercrime group using APT tactics and techniques is GCMAN, so named because its tools are compiled with GCC. The crime ring delivers malware to its targets by disguising it as a harmless Word document attached to spear-phishing emails.

Once they gain access to the target’s network, the hackers use legitimate and penetration-testing tools such as PuTTY, VNC and Meterpreter to move laterally. The goal is to obtain the access needed to transfer money from the bank to various e-currency services. In one case, the attackers deployed a script designed to send $200 every minute.

“A time-based scheduler was invoking the script every minute to post new transactions directly to the upstream payment processing system. This allowed the group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank,” Kaspersky said.

Interestingly, the hackers compromised the target’s network 18 months before actually trying to steal money. When the crooks started stealing, the victim detected the suspicious activity and quickly canceled the fraudulent transactions.
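Both the Metel ATM rollback scheme and the GCMAN minute-by-minute transfer script leave a recognisable footprint in a bank’s own transaction records: withdrawals that are reversed seconds after cash is dispensed, and a stream of identical transfers to one destination at a near-constant interval. The script below is an added example written for this page, not code from Kaspersky, SecurityWeek or any bank; the pipe-separated log format, the field names, the thresholds and the sample events are all assumptions constructed for illustration.

```python
"""Detection heuristics for the two fraud patterns described above.

1. Metel-style rollback abuse: a WITHDRAW (cash dispensed) followed by a
   REVERSAL of the same reference within seconds, repeated on one card.
2. GCMAN-style scheduled drain: the same source and destination, an
   identical amount, and a near-constant interval between transfers.

The log format below is an assumption made for this example; the events
are constructed, not taken from a real incident.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp|event|key=value|...
SAMPLE_LOG = """\
2015-08-14T02:10:05|WITHDRAW|src=4111****0001|amount=40000|dest=ATM-7731|ref=W1001
2015-08-14T02:10:09|REVERSAL|src=4111****0001|amount=40000|dest=ATM-7731|ref=W1001
2015-08-14T02:31:44|WITHDRAW|src=4111****0001|amount=40000|dest=ATM-0212|ref=W1002
2015-08-14T02:31:47|REVERSAL|src=4111****0001|amount=40000|dest=ATM-0212|ref=W1002
2015-08-14T03:02:12|WITHDRAW|src=4111****0001|amount=40000|dest=ATM-5560|ref=W1003
2015-08-14T03:02:15|REVERSAL|src=4111****0001|amount=40000|dest=ATM-5560|ref=W1003
2015-08-14T12:15:00|WITHDRAW|src=5500****0042|amount=5000|dest=ATM-7731|ref=W1004
2015-08-15T09:40:30|WITHDRAW|src=5500****0042|amount=3000|dest=ATM-0212|ref=W1005
2015-08-16T18:20:02|REVERSAL|src=5500****0042|amount=3000|dest=ATM-0212|ref=W1005
2015-08-14T01:00:00|TRANSFER|src=40817810099|amount=200|dest=ecurrency-wallet-17|ref=T2001
2015-08-14T01:01:00|TRANSFER|src=40817810099|amount=200|dest=ecurrency-wallet-17|ref=T2002
2015-08-14T01:02:00|TRANSFER|src=40817810099|amount=200|dest=ecurrency-wallet-17|ref=T2003
2015-08-14T01:03:01|TRANSFER|src=40817810099|amount=200|dest=ecurrency-wallet-17|ref=T2004
2015-08-14T01:04:00|TRANSFER|src=40817810099|amount=200|dest=ecurrency-wallet-17|ref=T2005
2015-08-14T01:07:00|TRANSFER|src=40817810077|amount=1250|dest=supplier-A|ref=T2006
2015-08-14T13:07:00|TRANSFER|src=40817810077|amount=1250|dest=supplier-A|ref=T2007
"""


def parse_log(text):
    """Parse the assumed log format into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split("|")
        rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = value
        rec["amount"] = int(rec["amount"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def find_rollback_abuse(events, max_delay_s=60, min_hits=2):
    """Metel pattern: withdrawals reversed within max_delay_s seconds.

    A legitimate reversal (failed dispense, dispute) is rare and usually
    slow; several fast reversals on one card in a night is the signature.
    Returns {src: [refs of reversed withdrawals]} for sources that reach
    min_hits.
    """
    withdrawals = {r["ref"]: r for r in events if r["kind"] == "WITHDRAW"}
    hits = defaultdict(list)
    for r in events:
        if r["kind"] != "REVERSAL":
            continue
        w = withdrawals.get(r["ref"])
        if w is None:
            continue  # reversal without a matching withdrawal: out of scope
        delay = (r["ts"] - w["ts"]).total_seconds()
        if 0 <= delay <= max_delay_s:
            hits[w["src"]].append(r["ref"])
    return {src: refs for src, refs in hits.items() if len(refs) >= min_hits}


def find_scheduled_transfers(events, min_count=4, tolerance_s=5):
    """GCMAN pattern: identical amount, same src->dest, near-constant gap.

    Returns {(src, dest): {"amount", "interval_s", "count"}} for pairs
    whose inter-transfer gaps all fall within tolerance_s of each other.
    """
    by_pair = defaultdict(list)
    for r in events:
        if r["kind"] == "TRANSFER":
            by_pair[(r["src"], r["dest"])].append(r)
    flagged = {}
    for pair, txs in by_pair.items():
        if len(txs) < min_count:
            continue
        amounts = {t["amount"] for t in txs}
        if len(amounts) != 1:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(txs, txs[1:])]
        if max(gaps) - min(gaps) <= tolerance_s:
            flagged[pair] = {
                "amount": amounts.pop(),
                "interval_s": round(sum(gaps) / len(gaps)),
                "count": len(txs),
            }
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rollback abuse:", find_rollback_abuse(evs))
    print("scheduled transfers:", find_scheduled_transfers(evs))
```

On the constructed log the first check flags card 4111****0001 (three withdrawals each reversed within four seconds) and ignores the card whose single reversal came a day later; the second flags the 200-unit transfers to ecurrency-wallet-17 posted every 60 seconds and ignores the two supplier payments. The important design point is where the check runs: GCMAN posted straight to the upstream payment processor so that nothing inside the bank saw the transactions, so a heuristic like this has to be fed from the processor’s or the card network’s records, not only from the core banking system the attackers already control.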

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
