DarkVishnya steals millions using attached devices to hack bank computers

A cyber bank robbery outfit proved to the detriment of several Eastern European banks the necessity of physically securing computer assets that could give an attacker direct access to their network.

Kaspersky Labs researcher Sergey Golovanov has given a rundown on a new string of bank robberies, nicknamed DarkVishnya, that took place in 2017 and 2018 all of which used direct access to the bank’s computer system to accomplish their robbery. In the end, losses have been tallied in the tens of millions of dollars when the access attained was used to transfer funds.

In this case, the bank robbers eschewed the traditional baring into the bank with a mask and gun approach, but there was still a physical presence in either the target bank or one of its offices. 

"Judging from the fact that a physical device was, in each case, brought inside the building and connected to the bank equipment, we can suggest that it was one of the visitors to each financial institution," Golovanov said, adding Kaspersky could not determine who accessed the equipment noting tracking down the accomplices.

In each attack, an unauthorized device was found connected to one of the bank’s network. These were a netbook/inexpensive laptop, Raspberry Pi computer or a Bash Bunny, a special tool for carrying out USB attacks. These devices appeared on the network as an unknown computer, an external flash drive or some other peripheral and access to the device was through an embedded or USB-connected GPRS/3G/LTE modem.

Once this level of access was attained the attackers scanned the target seeking to gain access to public shared folders, web servers, and any other open resources, particularly those involved in making payments. A few other activities also take place at this time. The malware tries to brute force passwords to gain additional access and uses outside TCP servers to help bypass firewall restrictions.

“To overcome the firewall restrictions, they planted shellcodes with local TCP servers. If the firewall blocked access from one segment of the network to another rundown but allowed a reverse connection, the attackers used a different payload to build tunnels,” he said.

The third stage has the bad guys using a RAT to retain access to the system, also helping with this is the use of PowerShell and fileless attacks which enable them to avoid whitelisted domain policies. And if whitelisting is encountered that cannot be bypassed or PowerShell was blocked the attackers use impacket, winexesvc.exe or psexec.exe to run executable files remotely.

Once all of this was established a remote desktop protocol was injected onto a specific computer enabling the attackers to remove funds.

The banks that were hit have since taken additional precautions and the attacks have ceased, Golovanov said to SC Media.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.