Banks face new APT style robbery attacks

A year after Kaspersky Lab researchers warned that cyber-criminals would start to adopt sophisticated tactics and techniques from APT groups for use in bank robberies, the company has confirmed the return of Carbanak as Carbanak 2.0 and uncovered two more groups working in the same style: Metel and GCMAN who attack financial organizations use covert APT-style reconnaissance and customized malware along with legitimate software and new, innovative schemes to cash out.

The Metel cyber-criminal group gains control over machines inside a bank that have access to money transactions. The gang can automate the rollback of ATM transactions which shows that the balance in debit card remains same regardless of number of ATM restrictions.

The group of these criminals steals money by driving around cities in Russia at night and emptying ATM machines belonging to a number of banks, repeatedly using the same debit cards issued by the compromised bank.

The researchers also uncovered that the Metel operators achieve their initial infection through specially crafted spear-phishing emails with malicious attachments, and through the Niteris exploit pack, targeting vulnerabilities in the victim’s browser. After they cross the network, the cybercriminals use legitimate and pentesting tools to move laterally, hijacking the local domain controller and eventually locating and gaining control over computers used by the bank’s employees responsible for payment card processing.

Investigation is on to know further details. So far no attacks outside Russia have been identified.

The three gangs identified are shifting toward the use of malware accompanied by legitimate software in their fraudulent operations.

Meanwhile, GCMAN successfully attacks an organization without the use of any malware, running legitimate and pentesting tools only. Kaspersky Lab experts have investigated, we saw GCMAN using Putty, VNC, and Meterpreter utilities to move laterally through the network till the attackers reached a machine which could be used to transfer money to e-currency services without alerting other banking systems.

In one attack observed by Kaspersky Lab, the cybercriminals stayed in the network for one-and-a-half years before activating the theft. Money was being transferred in sums of about $200, the upper limit for anonymous payments in Russia.

Founded in 1947, Kaspersky Lab products has released crucial Indicators of Compromise (IOC) and other data to help organizations search for traces of these attack groups in their corporate networks.

Share this with Your friends: