The ‘MoneyTaker’ group has made off with around $10m so far from banks in the UK, US and Russia, all the while carefully covering its tracks
A gang of cyber-thieves has made off with around $10 million (£7.5m) in a string of heists that targeted a bank in the UK as well as a number of banks and other companies in the US and Russia, security experts have said.
The criminal ring, known as MoneyTaker after one of the tools it uses, has hit at least 20 organisations since May 2016 with an average of $500,000 stolen in each heist, said Moscow-based computer security firm Group-IB in a newly published report.
MoneyTaker was able to remove most traces of its activities after carrying out a robbery, meaning the crimes were not detected right away and were not linked to one another until recently.
“By constantly changing their tools and tactics to bypass antivirus and traditional security solutions and most importantly carefully eliminating their traces after completing their operations, the group has largely gone unnoticed,” Group-IB said in an advisory.
Group-IB said it is the first to have found evidence the 20 heists were carried out by the same criminals, whose techniques included taking over banks’ internal networks and changing or removing overdraft limits so that “money mules” could withdraw large amounts of cash from teller machines.
The group also caused fraudulent payment orders to be executed using a modular hacking tool called MoneyTaker 5.0.
In one case, after MoneyTaker was installed on the system of a Russian bank, it modified payment orders, replacing the legitimate payment details with fraudulent ones before the order had been signed, then intercepted the resulting debit advice and re-inserted the legitimate payment details.
“The payment order is sent and accepted for execution with the fraudulent payment details, and the responses come as if the payment details were the initial ones,” Group-IB stated. “This gives cybercriminals extra time to mule funds before the theft is detected.”
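The substitution described in the two paragraphs above, as an added example that is not from the article or from Group-IB: a Python simulation of the swap before signing and of the rewritten debit advice, alongside the out-of-band reconciliation control that catches it. All order ids, account numbers and amounts are constructed.

```python
"""Constructed simulation of the payment-order substitution and the
reconciliation that detects it. Not Group-IB's code; all values are made up."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PaymentOrder:
    order_id: str
    beneficiary_account: str
    amount: int  # minor units (pence/cents)


# What the operator entered and approved on the compromised workstation (constructed).
ORIGINAL = PaymentOrder("PO-1001", "GB00ORIGINAL0001", 250_000_00)


def tamper_before_signing(order: PaymentOrder, mule_account: str) -> PaymentOrder:
    """Malware step 1: swap the beneficiary before the order is signed."""
    return replace(order, beneficiary_account=mule_account)


def rewrite_debit_advice(advice: PaymentOrder, original: PaymentOrder) -> PaymentOrder:
    """Malware step 2: put the legitimate details back into the response,
    so the operator's screen shows exactly what they expected to send."""
    return replace(advice, beneficiary_account=original.beneficiary_account)


def bank_execute(order: PaymentOrder) -> tuple[PaymentOrder, PaymentOrder]:
    """The bank executes what it received; returns (ledger entry, debit advice)."""
    return order, order


def reconcile(approved: dict[str, PaymentOrder], ledger: list[PaymentOrder]) -> list[str]:
    """Defender control: compare approved orders with a statement obtained
    independently of the workstation. Returns ids whose executed details differ."""
    mismatches = []
    for entry in ledger:
        expected = approved.get(entry.order_id)
        if expected is None or (expected.beneficiary_account, expected.amount) != (
            entry.beneficiary_account, entry.amount
        ):
            mismatches.append(entry.order_id)
    return mismatches


def simulate_attack() -> tuple[bool, list[str]]:
    """Run the flow end to end: (workstation view looks clean?, reconciliation findings)."""
    sent = tamper_before_signing(ORIGINAL, "GB00MULE000099")  # constructed mule account
    ledger_entry, advice = bank_execute(sent)
    shown_to_operator = rewrite_debit_advice(advice, ORIGINAL)
    workstation_clean = shown_to_operator == ORIGINAL
    findings = reconcile({ORIGINAL.order_id: ORIGINAL}, [ledger_entry])
    return workstation_clean, findings
```

The compromised host reports a clean match, while the independent ledger exposes the swapped beneficiary; that gap is why reconciliation must use data the workstation cannot rewrite.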
The technique is similar to that used by the criminals who stole $81m from Bangladesh’s central bank last year via fraudulent transfers over the international SWIFT network. In that case, too, the criminals removed records that the payments had taken place in order to buy themselves time.
Another indication of the sophistication of MoneyTaker’s methods is the use of malware that resides almost entirely in a system’s RAM, meaning it vanishes when the computer reboots.
“To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts – they are both difficult to detect by antivirus and easy to modify,” Group-IB wrote. “In some cases, they have made changes to source code ‘on the fly’ – during the attack.”
Other methods used to maintain a low profile include the employment of well-known brand names such as Federal Reserve Bank, Microsoft and Yahoo in the SSL certificates used to encrypt communications between the malware and its command servers and the use of publicly available malware tools.
The criminals use a legitimate penetration testing tool called the Metasploit Framework to coordinate the different phases of the attack, from initial network reconnaissance to the exploitation of vulnerabilities and the acquisition of administrator-level system privileges.
The group has used privilege escalation tools based on code publicly presented at a cybersecurity conference in Russia last year and in some cases deployed the infamous Citadel and Kronos banking Trojans.
Of the 20 targets, one was in the UK and three in Russia, with the rest in various regions around the US. Most targets were banks, with a US service provider and a Russian law firm also hit.
Group-IB said the gang appears to remain active and it has provided Europol and Interpol with information on the group’s methods.
“Group-IB specialists expect new thefts in the near future,” stated Group-IB co-founder and intelligence head Dmitry Volkov.