Security researchers have uncovered a previously undetected group of Russian-speaking hackers that has silently been targeting banks, financial institutions, and legal firms, primarily in the United States, UK, and Russia.
Moscow-based security firm Group-IB published a 36-page report on Monday, providing details about the newly-disclosed hacking group, dubbed MoneyTaker, which has been operating since at least May 2016.
In the past 18 months, the hacking group is believed to have conducted more than 20 attacks against various financial organisations, stealing more than $11 million as well as sensitive documents that could be used for subsequent attacks.
According to the security firm, the group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and the SWIFT international bank messaging service (United States).
"Criminals stole documentation for OceanSystems' FedLink card processing system, which is used by 200 banks in Latin America and the US," Group-IB says in its report.
Group-IB also warned that the MoneyTaker attacks against financial organizations appear to be ongoing and that banks in Latin America could be their next target.
MoneyTaker: 1.5 Years of Silent Operations
Since its first successful attack in May last year, MoneyTaker has targeted banks in California, Illinois, Utah, Oklahoma, Colorado, South Carolina, Missouri, North Carolina, Virginia and Florida, primarily targeting small community banks with limited cyber defenses.
Even after a large number of attacks against so many targets, the MoneyTaker group managed to keep its activities concealed and unattributed by using various publicly available penetration testing and hacking tools, including Metasploit, NirCmd, psexec, Mimikatz, PowerShell Empire, and code demonstrated as proof-of-concept at a Russian hacking conference in 2016.
"To propagate across the network, hackers used a legitimate tool psexec, which is typical for network administrators," Group-IB says in its report.
Besides using open-source tools, the group has also been heavily utilizing the Citadel and Kronos banking trojans to deliver a Point-of-Sale (POS) malware, dubbed ScanPOS.
"Upon execution, ScanPOS grabs information about the current running processes and collects the user name and privileges on the infected system. That said, it is primarily designed to dump process memory and search for payment card track data. The Trojan checks any collected data using Luhn's algorithm for validation and then sends it outbound to the C&C server."
"The group uses 'fileless' malware only existing in RAM and is destroyed after reboot. To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts - they are both difficult to detect by antivirus and easy to modify. In some cases, they have made changes to source code 'on the fly' – during the attack,"
"To escalate privileges up to the local administrator (or SYSTEM local user), attackers use exploit modules from the standard Metasploit pack, or exploits designed to bypass the UAC technology. With local administrator privileges they can use the Mimikatz program, which is loaded into the memory using Meterpreter, to extract unencrypted Windows credentials."
Moreover, MoneyTaker also makes use of SSL certificates generated using the names of well-known brands, including Bank of America, Microsoft, Yahoo and Federal Reserve Bank, to hide its malicious traffic.
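The brand-named certificates mentioned above are detectable from passive TLS logs. The following Python is an added example, not code from Group-IB or the article: it scans Zeek-style ssl.log records for a certificate that names a well-known brand but is self-signed, fails chain validation, or is served for an unrelated SNI. The Zeek field names are real; the log records, hosts and brand list are constructed for this example.

```python
import json
# Brand names the report says MoneyTaker placed in its self-generated certificates.
WATCHED_BRANDS = ("bank of america", "microsoft", "yahoo", "federal reserve")
# Constructed sample in the shape of Zeek's ssl.log JSON output. The field names
# are Zeek's; the hosts, names, timestamps and outcomes are invented for this example.
SAMPLE_SSL_LOG = """\
{"ts":1512345600.1,"id.orig_h":"10.20.30.40","id.resp_h":"203.0.113.7","server_name":"update.example.net","subject":"CN=Bank of America,O=Bank of America","issuer":"CN=Bank of America,O=Bank of America","validation_status":"self signed certificate"}
{"ts":1512345601.2,"id.orig_h":"10.20.30.41","id.resp_h":"198.51.100.9","server_name":"login.microsoftonline.com","subject":"CN=login.microsoftonline.com,O=Microsoft Corporation","issuer":"CN=Example Public CA,O=Example Trust","validation_status":"ok"}
{"ts":1512345602.3,"id.orig_h":"10.20.30.42","id.resp_h":"203.0.113.8","server_name":"cdn.example.org","subject":"CN=Federal Reserve Bank,O=FRB","issuer":"CN=Example Public CA,O=Example Trust","validation_status":"unable to get local issuer certificate"}
"""

def parse_dn(dn):
    """Split a Zeek-style 'CN=x,O=y' distinguished name into a dict."""
    parts = {}
    for item in dn.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().upper()] = value.strip()
    return parts

def suspicious_reason(record):
    """Return why a TLS session looks like brand impersonation, or None if it does not."""
    subject = record.get("subject", "")
    brand = next((b for b in WATCHED_BRANDS if b in subject.lower()), None)
    if brand is None:
        return None  # no watched brand in the certificate subject
    if subject == record.get("issuer"):
        return f"self-signed certificate naming '{brand}'"
    status = record.get("validation_status", "")
    if status != "ok":
        return f"untrusted chain ({status}) for certificate naming '{brand}'"
    # Chain is trusted: still flag a brand certificate served for an unrelated SNI.
    cn = parse_dn(subject).get("CN", "").lower()
    sni = record.get("server_name", "").lower()
    wildcard_ok = cn.startswith("*.") and sni.endswith(cn[1:])
    if sni and cn and sni != cn and not wildcard_ok:
        return f"SNI '{sni}' does not match certificate CN '{cn}'"
    return None

def scan_ssl_log(text):
    """Return (responder IP, reason) for every suspicious JSON log line."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            record = json.loads(line)
            reason = suspicious_reason(record)
            if reason:
                findings.append((record["id.resp_h"], reason))
    return findings
```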
The hacking group also configures its servers in a way that malicious payloads can only be delivered to a predetermined list of IP addresses belonging to the targeted company. It also relies on PowerShell and VBS scripts to ensure persistence in the targeted system.
The very first attack, which Group-IB attributes to MoneyTaker, was conducted in May 2016, when the group managed to gain access to First Data's STAR, the largest U.S. bank transfer messaging system connecting ATMs at over 5,000 organizations, and stole money.
In January 2017, a similar attack was repeated against another bank.
Here's how the attack works:
"The scheme is extremely simple. After taking control over the bank's network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked," Group-IB explains.
"Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules."
The money mules then removed overdraft limits, which made it possible for them to overdraw cash even with debit cards. Using these cards, they "withdrew cash from ATMs, one by one."
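The limit manipulation in the scheme quoted above is something a bank's card-processing monitoring can alert on. The following Python is an added example, not Group-IB's or the article's: a simple rule over a constructed stream of card-processing events (the event schema, field names and values are invented here) that reports withdrawals made after a card's limits were removed or raised.

```python
# Constructed stream of card-processing events (schema and values invented here).
# The sequence mirrors the report: limits are removed, then cards are cashed out abroad.
SAMPLE_EVENTS = [
    {"ts": 0, "card": "C1", "type": "limit_change", "field": "daily_withdrawal",
     "old": 500, "new": None, "actor": "ops-svc"},
    {"ts": 60, "card": "C1", "type": "limit_change", "field": "overdraft",
     "old": 0, "new": None, "actor": "ops-svc"},
    {"ts": 3600, "card": "C1", "type": "atm_withdrawal", "amount": 900, "country": "XX"},
    {"ts": 3700, "card": "C1", "type": "atm_withdrawal", "amount": 900, "country": "XX"},
    {"ts": 100, "card": "C2", "type": "limit_change", "field": "daily_withdrawal",
     "old": 300, "new": 500, "actor": "branch-teller"},
    {"ts": 5000, "card": "C2", "type": "atm_withdrawal", "amount": 200, "country": "US"},
]
WINDOW_SECONDS = 48 * 3600  # how long after a limit change withdrawals stay under scrutiny

def detect_limit_abuse(events, home_country="US", window=WINDOW_SECONDS):
    """Flag ATM withdrawals that follow a relaxed limit on the same card.

    Rule (an illustration, not Group-IB's detection logic): once a card's limit is
    removed (new is None) or raised, a withdrawal within `window` is reported if the
    cumulative amount since the change exceeds the limit that was in force before it,
    or if the withdrawal happens abroad. Returns a list of (card, ts, reason) tuples.
    """
    relaxed = {}   # card -> list of (ts, field, old_limit)
    cum = {}       # card -> withdrawals summed since the latest relaxation
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        card = ev["card"]
        if ev["type"] == "limit_change":
            old, new = ev["old"], ev["new"]
            if new is None or (old is not None and new > old):
                relaxed.setdefault(card, []).append((ev["ts"], ev["field"], old))
                cum[card] = 0
        elif ev["type"] == "atm_withdrawal":
            cum[card] = cum.get(card, 0) + ev["amount"]
            recent = [r for r in relaxed.get(card, []) if ev["ts"] - r[0] <= window]
            if not recent:
                continue  # no recent limit change on this card: nothing to correlate
            reasons = []
            for _, field, old in recent:
                if field == "daily_withdrawal" and old is not None and cum[card] > old:
                    reasons.append(f"cumulative {cum[card]} exceeds pre-change limit {old}")
            if ev["country"] != home_country:
                changed = ", ".join(sorted({r[1] for r in recent}))
                reasons.append(f"withdrawal abroad ({ev['country']}) after change to {changed}")
            if reasons:
                alerts.append((card, ev["ts"], "; ".join(reasons)))
    return alerts
```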
According to the report, the average amount stolen by MoneyTaker from U.S. banks alone was about $500,000, and more than $3 million was stolen from at least three Russian banks.
The report also detailed an attack against a Russian bank, wherein the MoneyTaker group used a modular malware program to target the AWS CBR (Automated Work Station Client of the Russian Central Bank), a Russian interbank fund transfer system similar to SWIFT.
The modular tool had capabilities to search for payment orders and modify them, replace original payment details with fraudulent ones, and carefully erase malware traces after completing its tasks.
While it is still unclear how MoneyTaker managed to get its foothold in the corporate network, in one specific case, the entry point of compromise of the bank's internal network was the home computer of the bank's system administrator.
Group-IB believes that the hackers are now looking for ways to compromise the SWIFT interbank communication system, although it found no evidence of MoneyTaker behind any of the recent cyber attacks on SWIFT systems.