MoneyTaker Report Digest

kali null
3 min read · Dec 12, 2017


Initial point of compromise: hackers penetrated the bank’s internal network by gaining access to the home computer of the bank’s system administrator.

Borrowed tools:

Privilege escalation tools compiled from code presented at the Russian cybersecurity conference ZeroNights 2016.

To escalate privileges up to the local administrator (or the local SYSTEM account), attackers use exploit modules from the standard Metasploit pack, or exploits designed to bypass the UAC technology. With local administrator privileges they can use the Mimikatz program, which is loaded into memory using Meterpreter, to extract unencrypted Windows credentials.

Citadel and Kronos banking Trojans. Kronos was used to deliver Point-of-Sale (POS) malware dubbed ScanPOS.

Upon execution, ScanPOS grabs information about the current running processes and collects the user name and privileges on the infected system. It is primarily designed to dump process memory and search for payment card track data. The Trojan checks any collected data using Luhn’s algorithm for validation and then sends it outbound to the C&C server.
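The Luhn check ScanPOS applies is the same one a defender can use to decide whether a memory dump or disk image from a POS host actually contains card track data. The Go program below is an added example, not code from the report or from Group-IB: it assumes the ISO 7813 Track 2 layout (`;PAN=YYMMservice...?`), scans a constructed buffer that stands in for a process memory dump, Luhn-validates each candidate PAN, and masks it before reporting, so the scanner itself never writes full card numbers.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Track2Hit is one card-track candidate found in a buffer. The PAN is masked
// so the scanner's own output never contains a full card number.
type Track2Hit struct {
	MaskedPAN string
	Expiry    string // YYMM as encoded on the track
	LuhnOK    bool
}

// track2Pattern follows the ISO 7813 Track 2 layout (assumed here):
// ';' start sentinel, 13-19 digit PAN, '=' separator, YYMM expiry,
// 3-digit service code, discretionary data, '?' end sentinel.
var track2Pattern = regexp.MustCompile(`;(\d{13,19})=(\d{4})(\d{3})[^?]*\?`)

// luhnValid reports whether a digit string passes the Luhn check-digit test:
// every second digit from the right is doubled (minus 9 if over 9) and the
// total must be divisible by 10.
func luhnValid(pan string) bool {
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return pan != "" && sum%10 == 0
}

// maskPAN keeps the first six and last four digits (the usual PCI DSS display rule).
func maskPAN(pan string) string {
	if len(pan) <= 10 {
		return strings.Repeat("*", len(pan))
	}
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// scanTrack2 finds Track 2 candidates in a memory or disk buffer and validates each PAN.
func scanTrack2(buf []byte) []Track2Hit {
	var hits []Track2Hit
	for _, m := range track2Pattern.FindAllSubmatch(buf, -1) {
		pan := string(m[1])
		hits = append(hits, Track2Hit{MaskedPAN: maskPAN(pan), Expiry: string(m[2]), LuhnOK: luhnValid(pan)})
	}
	return hits
}

// sampleDump is a constructed stand-in for a process memory dump: two track-like
// records (the second has a wrong check digit) surrounded by unrelated bytes.
var sampleDump = []byte("\x00cfg=prod\x00;4111111111111111=25121010000000000000?\x00\x00" +
	"log: txn ok\x00;4111111111111112=26061019999999999999?\x00end")

func main() {
	for _, h := range scanTrack2(sampleDump) {
		fmt.Printf("PAN %s exp %s luhn=%v\n", h.MaskedPAN, h.Expiry, h.LuhnOK)
	}
}
```

Run against a real dump, only hits with `LuhnOK == true` are worth escalating; track-shaped strings that fail the check are almost always test data or coincidental byte patterns, which is exactly why the malware filters on it too.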

Metasploit used to infiltrate corporate networks

SSL certificates generated using popular brands to protect traffic between Meterpreter and C&C

Exfiltrated documents include: admin guides, internal regulations and instructions, change request forms, transaction logs, etc.

Created tools:

1. ‘Screenshotter’ and ‘keylogger’ to conduct espionage and capture keystrokes — To spy on bank operators they developed an application with ‘screenshot’ and ‘keylogger’ capabilities. This program is designed to capture keystrokes, take screenshots of the user’s desktop and get contents from the clipboard.

The application is compiled in Delphi and contains 5 timers: functions of the application (such as taking screenshots, capturing keystrokes, disabling itself) are executed once the timer triggers. To circumvent antivirus and automated sample analysis, hackers again used ‘security measures’: they implemented the anti-emulation function in the timer code.

2. MoneyTaker v5.0 — a malicious program for automatic replacement of payment data in AWS CBR.

Each component of this modular program performs a certain action: searches for payment orders and modifies them, replaces original payment details with fraudulent ones, and then erases traces. The replacement succeeds because at this stage the payment order has not yet been signed; signing occurs only after the payment details have been replaced.

3. MoneyTaker ‘Auto-replacement’ program to substitute payment details in the interbank transfer system — In addition to hiding the tracks, the concealment module also substitutes the original payment details back into the debit advice after the transaction, in place of the fraudulent ones. This means that the payment order is sent and accepted for execution with the fraudulent payment details, while the responses come back as if the payment details were the original ones. This gives cybercriminals extra time to mule funds before the theft is detected.
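One control that survives this trick is reconciliation against a record the compromised workstation never touched. The Go program below is an added example, not code from the report or from any bank system (the record layout, order ids, account numbers and amounts are all constructed): it joins the workstation's own view of sent orders with an independently obtained statement and lists every order whose beneficiary or amount differs, or which the workstation has no record of at all.

```go
package main

import (
	"fmt"
	"sort"
)

// Payment is one payment order as recorded by a given source.
type Payment struct {
	OrderID     string
	AmountMinor int64  // amount in minor units (kopecks); avoids float rounding
	Beneficiary string // beneficiary account number
}

// Mismatch describes one disagreement between the workstation and the out-of-band record.
type Mismatch struct {
	OrderID string
	Field   string // "beneficiary", "amount" or "missing"
	Local   string
	Actual  string
}

// reconcile joins the workstation's own view of sent orders with a statement
// obtained out of band (e.g. fetched on a machine the attacker did not control)
// and lists every order whose details differ. Because the concealment module
// rewrites the local debit advice, only the external record can be trusted.
func reconcile(local, external []Payment) []Mismatch {
	byID := make(map[string]Payment, len(local))
	for _, p := range local {
		byID[p.OrderID] = p
	}
	var out []Mismatch
	for _, e := range external {
		l, ok := byID[e.OrderID]
		if !ok {
			out = append(out, Mismatch{e.OrderID, "missing", "", fmt.Sprintf("%s/%d", e.Beneficiary, e.AmountMinor)})
			continue
		}
		if l.Beneficiary != e.Beneficiary {
			out = append(out, Mismatch{e.OrderID, "beneficiary", l.Beneficiary, e.Beneficiary})
		}
		if l.AmountMinor != e.AmountMinor {
			out = append(out, Mismatch{e.OrderID, "amount", fmt.Sprint(l.AmountMinor), fmt.Sprint(e.AmountMinor)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].OrderID < out[j].OrderID })
	return out
}

// Constructed sample: the workstation shows three orders exactly as the operator
// entered them; the external statement shows that order 1002 actually went to a
// different account, plus an order 1004 the workstation has no record of.
var localView = []Payment{
	{"1001", 1500000, "40702810900000000111"},
	{"1002", 98000000, "40702810900000000222"},
	{"1003", 250000, "40702810900000000333"},
}

var externalStatement = []Payment{
	{"1001", 1500000, "40702810900000000111"},
	{"1002", 98000000, "40817810100000009999"},
	{"1003", 250000, "40702810900000000333"},
	{"1004", 4200000, "40817810100000009999"},
}

func main() {
	for _, m := range reconcile(localView, externalStatement) {
		fmt.Printf("order %s: %s local=%q actual=%q\n", m.OrderID, m.Field, m.Local, m.Actual)
	}
}
```

The join is deliberately keyed on the order id rather than on the beneficiary, because the beneficiary is precisely the field the malware controls; a statement pulled from a separate host, or a paper confirmation from the counterparty, is the input this check needs.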

Other tools: PowerShell Empire

Logic:

To control the full operation, MoneyTaker uses a pentest framework server with Metasploit installed on it.

After successfully infecting one of the computers and gaining initial access to the system, the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network. Hackers use Metasploit to conduct all these activities: network reconnaissance, search for vulnerable applications, exploit vulnerabilities, escalate system privileges, and collect information.

They use fileless malware that exists only in RAM and is destroyed after reboot. To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts — they are both difficult to detect by antivirus and easy to modify. In some cases, they have made changes to source code ‘on the fly’ — during the attack.

To protect C&C communications from being detected by security teams, MoneyTaker employs SSL certificates generated using names of well-known brands (Bank of America, Federal Reserve Bank, Microsoft, Yahoo, etc.) instead of filling the fields out randomly. In the US, they used the LogMeIn Hamachi solution for remote access.
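A certificate that names a well-known brand yet chains to nobody is the observable here: a genuine Bank of America or Microsoft certificate is issued by a public CA, so "self-signed and brand-named" is a combination worth alerting on in TLS metadata. The Go program below is an added example, not code from the report or from Group-IB: it builds two throwaway self-signed certificates as constructed fixtures (one impersonating a brand from the list above, one an ordinary internal host), checks each for issuer == subject with a signature that verifies under the certificate's own key, and flags the combination with a watched brand name in the CN or O fields.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// watchedBrands are the names the report says were placed in certificate fields.
var watchedBrands = []string{"bank of america", "federal reserve", "microsoft", "yahoo"}

// Finding is the result of inspecting one leaf certificate seen on the wire.
type Finding struct {
	Subject      string
	SelfSigned   bool
	ClaimedBrand string // first watched brand found in CN/O, or ""
	Suspicious   bool
}

// assessCert flags a certificate that is self-signed (issuer == subject and the
// signature verifies under the certificate's own public key) yet names a
// well-known brand. Either property alone is common; together they are the signal.
func assessCert(c *x509.Certificate) Finding {
	f := Finding{Subject: c.Subject.String()}
	if bytes.Equal(c.RawIssuer, c.RawSubject) &&
		c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil {
		f.SelfSigned = true
	}
	names := strings.ToLower(c.Subject.CommonName + " " + strings.Join(c.Subject.Organization, " "))
	for _, b := range watchedBrands {
		if strings.Contains(names, b) {
			f.ClaimedBrand = b
			break
		}
	}
	f.Suspicious = f.SelfSigned && f.ClaimedBrand != ""
	return f
}

// makeSelfSigned builds a throwaway self-signed certificate as a constructed
// fixture, standing in for a certificate captured from a TLS handshake.
func makeSelfSigned(cn string, org string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn, Organization: []string{org}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// demoFindings assesses two fixtures: one impersonating a brand, one an ordinary
// internal self-signed certificate that should not be flagged.
func demoFindings() ([]Finding, error) {
	var out []Finding
	for _, fx := range [][2]string{
		{"Bank of America", "Bank of America Corporation"},
		{"build01.corp.example", "Example Internal IT"},
	} {
		c, err := makeSelfSigned(fx[0], fx[1])
		if err != nil {
			return nil, err
		}
		out = append(out, assessCert(c))
	}
	return out, nil
}

func main() {
	fs, err := demoFindings()
	if err != nil {
		panic(err)
	}
	for _, f := range fs {
		fmt.Printf("%-60s self-signed=%v brand=%q suspicious=%v\n", f.Subject, f.SelfSigned, f.ClaimedBrand, f.Suspicious)
	}
}
```

In production the same `assessCert` would be fed certificates logged by a TLS-inspecting sensor, and the brand list would be the organisation's own set of names it expects never to see on a self-signed leaf.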

After taking control over the bank’s network, the attackers checked if they could connect to the card processing system. Then they legally opened or bought cards of the bank whose IT system they had hacked. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules. They removed overdraft limits, which made it possible to overdraw even with debit cards. Using these cards, the mules withdrew cash from ATMs.

Source: https://www.group-ib.com

Bitcoin tip jar: bc1qgpl6lhf09j6kcdvkh8cz90p4cfxuyfec3ecjrd

Ethereum tip jar: 0x7e0Bf6D50b5F5fcbf76A16Bd5285CE0c74C063a9


Written by kali null

security researcher and penetration tester. twitter: @kali_null
