Russian cybercriminals reportedly gained access to a bank's network operator portal for First Data's STAR Network, then made changes allowing money mules to withdraw large amounts of cash from ATMs.

A Russian cybercriminal group has stolen at least $10 million from financial institutions and other organizations in the U.S., U.K., and Russia, typically by targeting card processing systems and interbank transfer systems, according to a new report and corresponding blog post from Group-IB. In some cases, the actors even used money mules to withdraw stolen funds from physical ATM locations.

The previously undisclosed group, named MoneyTaker (after one of its malware tools), has launched more than 20 successful attacks between May 2016 and November 2017, claiming mostly small community banks among its victims, but also a credit union, financial service/software providers, and a law firm. In total, there were 16 attacks on U.S. organizations, three on Russian banks and one against a U.K. software company, Group-IB reported.

The group stole from its first U.S. bank in May 2016 by gaining access to the bank's network operator portal for First Data's STAR debit payment network – an attack that was repeated against another bank in early 2017. With access to STAR, the attackers were able to remove or increase cash withdrawal limits and remove overdraft limits on debit cards they had previously opened or bought. Using these same cards, money mules subsequently withdrew large amounts of money from multiple ATMs.

In response to the report, First Data issued the following statement: “First Data's STAR Network was not compromised in an incident referenced by a recent report from Group-IB regarding a third party that accessed bank computer systems. In early 2016, STAR became aware that a third-party had been targeting small financial institutions to gain access to the institutions' computer systems. By accessing the bank's computer systems, the unauthorized party was able to obtain and use the institution's login credentials for the STAR Station, where financial institutions administer their STAR-issued debit cards. In addition to reporting all incidents to regulators, and providing assistance to the banks who were victimized, STAR further assisted financial institutions by implementing additional mandatory authentication measures and controls.”

MoneyTaker also targeted Russian banks via the Automated Work Station Client of the Russian Central Bank (AWS CBR), the Russian equivalent of the SWIFT interbank messaging and fund transfer system. Furthermore, Group-IB reports that the criminals stole documentation detailing how banks can make transfers via SWIFT through OceanSystems' FedLink card processing system, which is used by 200 banks in Latin America and the U.S. This development leads Group-IB analysts to believe Latin American banks could be next on MoneyTaker's target list, warns Dmitry Volkov, co-founder and head of intelligence at Group-IB, in his company's blog post.

According to Group-IB's report, the MoneyTaker attacks over the last year and a half have shared many of the same tactics, techniques and procedures. For instance, the cyberthieves have leveraged the same unique malware tools across multiple attacks, protected their command-and-control communications by generating fake SSL certificates using the names of well-known brands, and avoided detection by actively modifying their tools as well as covering up their tracks after infecting their victims.

Researchers also noted that MoneyTaker actors have had a tendency to maintain persistence on compromised systems in order to gather intelligence and exfiltrate documents such as admin guides, internal regulations and instructions, change request forms, and transaction logs.

Other connections between attacks include MoneyTaker's “distributed infrastructure, one-time-use components in the attack toolkit of the group and specific withdrawal schemes – using unique accounts for each transaction,” Volkov writes.

MoneyTaker's infrastructure includes a persistence server that delivers malicious payloads only to whitelisted targets, in an effort to keep them out of the hands of security professionals and researchers. The attackers also use a pentest framework server, on which they have installed the legitimate pentesting tool Metasploit in order to perform reconnaissance, search for vulnerable applications, exploit vulnerabilities and escalate system privileges.

MoneyTaker possesses a variety of attack tools in its arsenal, some of which have been written by the attackers themselves, including a Delphi-based spyware program that captures keystrokes, screenshots and clipboard contents.

Another is the eponymous malware MoneyTaker 5.0, which is designed specifically to stealthily steal from Russian banks via AWS CBR. “Each component of this modular program performs a certain action: searches for payment orders and modifies them, replaces original payment details with fraudulent ones, and then erases traces,” Volkov explains. “The success of replacement is due to the fact that at this stage the payment order has not yet been signed, which will occur after payment details are replaced.”

Upon completion of the transaction, the malware once again swaps out the payment details with the original information so that the ensuing debit notification looks legitimate.
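The substitution described in the two paragraphs above works because the payment details are edited in the window between order entry and signing. One defensive control is to commit to the order's protected fields at the moment of entry and have the signing step refuse any order that no longer matches the commitment. The following is an added illustration, not code from Group-IB or from any AWS CBR component; the key, field names and account values are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real deployment would hold a per-workstation key in hardware.
ORDER_KEY = b"constructed-demo-key"

# Fields of a payment order that must not change between entry and signing.
PROTECTED_FIELDS = ("order_id", "payer_account", "payee_account", "payee_bic", "amount")


def canonical(order):
    """Stable byte encoding of the protected fields, independent of dict ordering."""
    fields = {k: str(order[k]) for k in PROTECTED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def commit(order):
    """Commitment computed by the originating workstation when the order is entered."""
    return hmac.new(ORDER_KEY, canonical(order), hashlib.sha256).hexdigest()


def sign_order(order, commitment):
    """Signing step: refuse to sign an order whose protected fields no longer match.

    Returns (signed, reason). The real signature would be produced only on the True path.
    """
    if not hmac.compare_digest(commit(order), commitment):
        return False, "protected fields changed since order was created"
    return True, "signed"


def demo_substitution():
    """Walk through the pattern: commit at entry, tamper in transit, attempt to sign."""
    order = {"order_id": "PO-0001", "payer_account": "CONSTRUCTED-ACCT-A",
             "payee_account": "CONSTRUCTED-ACCT-B", "payee_bic": "CONSTRUCTED-BIC-1",
             "amount": "150000.00", "purpose": "invoice 17"}
    commitment = commit(order)
    ok_clean, _ = sign_order(order, commitment)           # untouched order is signed
    tampered = dict(order, payee_account="CONSTRUCTED-ACCT-X",
                    payee_bic="CONSTRUCTED-BIC-9")          # payee swapped before signing
    ok_tampered, reason = sign_order(tampered, commitment)  # rejected
    return ok_clean, ok_tampered, reason
```

The swap-back after the transaction that the article describes is not caught by this check alone; reconciling the signed order against the counterparty's or central bank's statement, rather than the local debit notification, is what exposes it.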

Group-IB reports that MoneyTaker prefers fileless malware that resides only in RAM, making it difficult to detect.

In addition to Metasploit, other legitimate tools used by the hackers include a series of privilege escalation tools whose code was demonstrated at a recent Moscow cybersecurity conference, as well as the Citadel and Kronos banking Trojans, the latter of which was used to deliver the point-of-sale malware ScanPOS.

Despite the lengths MoneyTaker has gone to in order to cover up its activities, Group-IB was able to trace an initial point of compromise in one Russian bank attack, discovering that hackers penetrated the institution's network by first accessing an employee's home computer.