Skip to main content

MoneyTaker bank hacking group revealed






In the past 18 months, the hacking group is believed to have conducted more than 20 attacks against various financial organisations—stolen more than $11 Million and sensitive documents that could be used for next attacks.

According to the security firm, the group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and SWIFT international bank messaging service (United States).
"Criminals stole documentation for OceanSystems’ FedLink card processing system, which is used by 200 banks in Latin America and the US." Group-IB says in its report.
Group-IB also warned that the MoneyTaker attacks against financial organizations appear to be ongoing and banks in Latin America could be their next target.

MoneyTaker: 1.5 Years of Silent Operations


Since its first successful attack in May last year, MoneyTaker has targeted banks in California, Illinois, Utah, Oklahoma, Colorado, South Carolina, Missouri, North Carolina, Virginia and Florida, primarily targeting small community banks with limited cyber defenses.

Even after a large number of attacks against so many targets, MoneyTaker group managed to keep their activities concealed and unattributed by using various publicly available penetration testing and hacking tools, including Metasploit, NirCmd, psexec, Mimikatz, Powershell Empire, and code demonstrated as proof-of-concepts at a Russian hacking conference in 2016.
"To propagate across the network, hackers used a legitimate tool psexec, which is typical for network administrators." Group-IB says in its report.
money-taker

Besides using open-source tools, the group has also been heavily utilizing Citadel and Kronos banking trojans to deliver a Point-of-Sale (POS) malware, dubbed ScanPOS.
"Upon execution, ScanPOS grabs information about the current running processes and collects the user name and privileges on the infected system. That said, it is primarily designed to dump process memory and search for payment card track data. The Trojan checks any collected data using Luhn’s algorithm for validation and then sends it outbound to the C&C server."
"The group uses 'fileless' malware only existing in RAM and is destroyed after reboot. To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts - they are both difficult to detect by antivirus and easy to modify. In some cases, they have made changes to source code 'on the fly' – during the attack,"
 "To escalate privileges up to the local administrator (or SYSTEM local user), attackers use exploit modules from the standard Metasploit pack, or exploits designed to bypass the UAC technology. With local administrator privileges they can use the Mimikatz program, which is loaded into the memory using Meterpreter, to extract unencrypted Windows credentials.
Moreover, MoneyTaker also makes use of SSL certificates generated using names of well-known brands—including as Bank of America, Microsoft, Yahoo and Federal Reserve Bank—to hide its malicious traffic.
hacking-banks
The hacking group also configure their servers in a way that malicious payloads can only be delivered to a predetermined list of IP addresses belonging to the targeted company. Also, it relies on PowerShell and VBS scripts to ensure persistence in the targeted system.

The very first attack, which Group-IB attributes to MoneyTaker was conducted in May 2016, when the group managed to gain access to First Data's STAR—the largest U.S. bank transfer messaging system connecting ATMs at over 5,000 organizations—and stole money.

In January 2017, the similar attack was repeated against another bank.

Here's how the attack works:
"The scheme is extremely simple. After taking control over the bank's network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked," Group-IB explains.
"Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules."
The money mules then removed overdraft limits, which made it possible for them to overdraw cash even with debit cards. Using these cards, they "withdrew cash from ATMs, one by one."

According to the report, the average money stolen by MoneyTaker from United States banks alone was about $500,000, and more than $3 million was stolen from at least three Russian banks.

The report also detailed an attack against a Russian bank, wherein the MoneyTaker group used a modular malware program to target the AWS CBR (Automated Work Station Client of the Russian Central Bank)—a Russian interbank fund transfer system similar to SWIFT.

The modular tool had capabilities to search for payment orders and modify them, replace original payment details with fraudulent ones, and carefully erase malware traces after completing its tasks.

While it is still unclear how MoneyTaker managed to get its foothold in the corporate network, in one specific case, the entry point of compromise of the bank's internal network was the home computer of the bank's system administrator.

Group-IB believes that the hackers are now looking for ways to compromise the SWIFT interbank communication system, although it found no evidence of MoneyTaker behind any of the recent cyber attacks on SWIFT systems.
Taken from hackernews

Comments

Popular posts from this blog

Javascript Miner: Hacker's Wet Dream

Experiencing lags on your computer? You're probably running a miner that consumes 100% of your CPU. Coin Hive (a JavaScript based miner) is becoming rapidly popular among Malware developers.


Coinhive, as a tool, is a JavaScript library that website owners can load on their site. When users access the site, the Coinhive JavaScript code library executes and mines for Monero, but using the user's CPU resources.

Very smart idea as it was meat to be a replacer for publicities. Coinhive launched on September 14, and its authors advertise it as an alternative to classic advertising. Coinhive claims that webmasters can remove ads from their sites, and load the Coinhive library and mine for Monero using a small portion of the user's CPU while the user is navigating the site. Site owners can make money and support their business, but without peppering their visitors with annoying ads.

The idea got some traction, and two days after it launched The Pirate Bay ran it as a tes…

NiceHash: security breach leads to 60 million lost - Iceman is behind?

A dark day for crypto currency miners, NiceHash has been hacked. Closely to 60$ millions (4,736.42 BTC) have been stolen while the bitcoin is crossing the 14k$ mark for the first time.













The hacker's bitcoin address cleary shows the steal of  4,736.42 BTC in a window of 48 hours: https://bitinfocharts.com/bitcoin/address/1EnJHhq8Jq8vDuZA5ahVh6H4t6jh1mB4rq




NiceHash users are furious by the time of reaction of the team. It took about 24 hours to realise that big amounts have been stolen.

I've contacted a member of Iceman and knowing this security breach for some reason he explained that NiceHash actually owned their users bitcoin wallets in order to save transactions fees and collect unclaimed BTC. This issue leads to a massive security breach which allow access to all NiceHash wallets. He claimed that by reverse engineering of their miner client, Iceman group was able to access their API. Is Iceman really behind this attack?






ICEMAN: Banks holes like in Cheese

Operation "Emmenthal" is the nickname for a grand-scale phishing campaign targeting bank clients. The goal of the campaign is to receive fraudulent payments by taking actions (e.g. money transfers) on behalf of the legitimate end user.



By phishing the victims with a mobile application which mimics the bank’s genuine application, the hackers steals the two-factor-authentication tokens used during the login (both user/passwords and SMS verification code) and then issuing money transfers by SMS Services offered by the bank, together with sending these sensitive credentials to the hackers infrastructure.


The ICEMAN group, which first came to knowing after contacting me to claim responsibility for the Banrisul Bank attack in Brazil, now claim they have committed many of the reported "Emmental" attacks as well. The hacker’s intentions and motives are shown at first in this exclusive interview.


What was your goal of the attack?

We need more bank accounts to sell. The b…