A Russian-speaking cyber attack group is targeting financial institutions and legal firms in the UK, US and Russia, but many of the attacks have been unreported, according to security firm Group-IB.
The attack group, dubbed MoneyTaker, is believed to have stolen more than $11m in 20 attacks in the past 18 months, with targets also including financial software suppliers.
Connections were identified not only in the tools used, but also the distributed infrastructure, one-time-use components in the attack toolkit of the group and specific withdrawal schemes such as using unique accounts for each transaction. Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of affected banks.
The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and the financial messaging service Swift.
The bulk of the attacks (16) have been on US organisations, followed by Russian banks (3), with one bank in the UK a confirmed target.
MoneyTaker has largely gone unnoticed, Group-IB said, because it constantly changes its tools and tactics to bypass antivirus and traditional security systems, and carefully eliminates all traces of the intrusion after the operation is completed.
The group uses publicly available tools, which makes attribution and investigation processes challenging, according to Dmitry Volkov, Group-IB co-founder and head of intelligence.
“In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice,” he said.
The tools include privilege escalation tools compiled from code presented at the Russian cyber security conference ZeroNights 2016, malware designed to log keystrokes and take screenshots, fileless malware that exists only in RAM, the Citadel and Kronos banking Trojans, and point-of-sale (POS) malware.
The group also uses a tool called MoneyTaker that searches for payment orders, modifies them, replaces the original payment details with fraudulent ones and then erases traces. To ensure persistence in the system, MoneyTaker relies on PowerShell and VBS scripts, which are both difficult for antivirus to detect and easy to modify.
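The persistence described above relies on script hosts rather than on a binary that antivirus can fingerprint, so defenders typically look instead at how those script hosts are launched. The following is an added example, not code from the Group-IB report or from the MoneyTaker toolkit: a small heuristic that scores process-creation records for PowerShell or VBS hosts started from autostart-related parents or with command-line options commonly used to hide execution. The record layout, the parent-process list, the option patterns and the sample records are all constructed assumptions for this example, not indicators from the report.

```python
"""
Added example (not from the Group-IB report): a heuristic detector for
script-host persistence over constructed process-creation records.
Record shape {"host", "image", "parent", "cmdline"} is an assumption.
"""
import re
from dataclasses import dataclass, field

# Script hosts whose launches are worth scoring (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Parents that commonly launch autostart entries and scheduled tasks
# (assumed list; tune to the environment's own baseline).
AUTOSTART_PARENTS = {"explorer.exe", "taskeng.exe", "svchost.exe", "services.exe", "userinit.exe"}

# Command-line traits that hide or obscure script execution (assumed patterns).
SUSPICIOUS_FLAGS = [
    re.compile(r"-(?:e|ec|en|enc|encodedcommand)\b", re.I),   # base64-encoded command
    re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),          # hidden window
    re.compile(r"-nop(?:rofile)?\b", re.I),                   # skip profile scripts
    re.compile(r"-noni(?:nteractive)?\b", re.I),              # no interactive console
    re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I),      # policy bypass
    re.compile(r"\.vbs\b", re.I),                             # VBScript file argument
]


@dataclass
class Finding:
    host: str
    image: str
    score: int
    reasons: list = field(default_factory=list)


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def score_record(rec: dict):
    """Return (score, reasons) for one process-creation record.

    Non-script-host images score 0; otherwise one point for an
    autostart-related parent plus one point per suspicious flag.
    """
    image = _basename(rec["image"])
    if image not in SCRIPT_HOSTS:
        return 0, []
    reasons = []
    parent = _basename(rec["parent"])
    if parent in AUTOSTART_PARENTS:
        reasons.append(f"script host launched by autostart-related parent {parent}")
    for pat in SUSPICIOUS_FLAGS:
        if pat.search(rec["cmdline"]):
            reasons.append(f"command line matches /{pat.pattern}/")
    return len(reasons), reasons


def find_persistence_candidates(records, threshold: int = 2):
    """Return Findings for records whose score reaches the threshold."""
    findings = []
    for rec in records:
        score, reasons = score_record(rec)
        if score >= threshold:
            findings.append(Finding(rec["host"], _basename(rec["image"]), score, reasons))
    return findings


# Constructed sample records: one hidden encoded PowerShell launch at logon,
# one VBS launched by the task scheduler host, one benign admin command,
# and one non-script process.
SAMPLE_RECORDS = [
    {"host": "wks-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand SQBFAFgAIAAuAC4A"},
    {"host": "wks-02", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'wscript.exe //B "C:\ProgramData\update.vbs"'},
    {"host": "wks-03", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
    {"host": "wks-04", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

if __name__ == "__main__":
    for f in find_persistence_candidates(SAMPLE_RECORDS):
        print(f"{f.host}: {f.image} score={f.score}")
        for r in f.reasons:
            print("   -", r)
```

With the constructed records, the hidden encoded PowerShell launch and the scheduled VBS launch are reported, while the interactive admin command scores only one point and stays below the threshold; in a real deployment the parent list and threshold would be set from the organisation's own process baseline rather than from these assumed values.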
Volkov said Group-IB had decided to publish details of the hacking group’s tools, techniques and indicators of compromise because new thefts are expected.
Since its first attack in the US in spring 2016, MoneyTaker is believed to have hit targets in 10 different states, targeting mainly smaller institutions with limited cyber defences.
According to the Group-IB report, the average haul from US banks was about $500,000, while around $3.6m is believed to have been stolen from three Russian banks.
Group-IB identified that the group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks.
Exfiltrated documents include admin guides, internal regulations and instructions, change request forms and transaction logs.
Group-IB said it is investigating a number of incidents with copied documents that describe how to make transfers through Swift. Their contents and geography indicate that banks in Latin America may be targeted next by MoneyTaker, the security firm said.
Group-IB has provided Europol and Interpol with detailed information about the MoneyTaker group for further investigative activities as part of the company’s cooperation with law enforcement in fighting cyber crime.