Category Archives: Security News

MoneyTaker Attacks Banks In The US, Russia And The UK

Group-IB, a high-fidelity threat intelligence and anti-fraud solutions vendor has released a report detailing the operations of a Russian-speaking targeted attack group dubbed by Group-IB as MoneyTaker.

In less than two years, the MoneyTaker group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting internal banking systems for theft, including the AWS CBR (Russian Interbank Transfer System), and card payment processing systems in US banks. Group-IB confirmed one attack on a financial and transaction software service provider in the United Kingdom; however, card processing systems used inside banks were the group’s main target.

Although the group has been successful at targeting a number of banks in different countries, to date, they have gone unreported. In addition to banks, the MoneyTaker group has attacked law firms and also financial software vendors. In 2016, Group-IB identified 10 attacks conducted by MoneyTaker; 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on an IT-company (providing financial software) in the UK and 2 attacks on Russian banks. By constantly changing their tools and tactics to bypass antivirus and traditional security solutions and most importantly carefully eliminating their traces after completing their operations, the group has largely gone unnoticed.

MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations. – Dmitry Volkov – Group-IB Co-Founder and Head of Intelligence

The first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016: money was stolen from the bank by gaining access to First Data’s “STAR” network operator portal. Since that time, the group attacked companies in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia and Florida.

In 2016, Group-IB identified 10 attacks conducted by MoneyTaker: 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on an IT company in the UK and 2 attacks on Russian banks. Only one incident involving a Russian bank was promptly identified and prevented, as far as Group‑IB is aware.

In 2017, the number of attacks has remained the same, with 8 US banks, 1 law firm and 1 bank in Russia being targeted. The geography, however, has narrowed to only the USA and Russia.

Using the Group-IB Threat Intelligence system, Group-IB researchers have discovered connections between all 20 incidents throughout 2016 and 2017. Connections were identified not only in the tools used, but also in the distributed infrastructure, one-time-use components in the group’s attack toolkit and specific withdrawal schemes – using unique accounts for each transaction. Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and free email services in the [email protected] format.

Important findings that enabled Group-IB to discover the links between crimes include privilege escalation tools compiled based on codes presented at the Russian cybersecurity conference ZeroNights 2016. Also, in some incidents, hackers used the infamous Citadel and Kronos banking Trojans. The latter was used to deliver Point-of-Sale (POS) malware dubbed ScanPOS.

By analyzing the attack infrastructure, Group-IB identified that the group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks. Exfiltrated documents include admin guides, internal regulations and instructions, change request forms, transaction logs, etc. A number of incidents in which documents describing how to make transfers through SWIFT were copied are being investigated by Group-IB. Their contents and geography indicate that banks in Latin America may be targeted next by MoneyTaker.

Group-IB has provided Europol and Interpol with detailed information about the MoneyTaker group for further investigative activities as part of our cooperation in fighting cybercrime.

MoneyTaker: arsenal for attacks

Group-IB reports that MoneyTaker uses both borrowed and their own self-written tools. For example, to spy on bank operators they developed an application with ‘screenshot’ and ‘keylogger’ capabilities. This program is designed to capture keystrokes, take screenshots of the user’s desktop and get contents from the clipboard. The application is compiled in Delphi and contains 5 timers: functions of the application (such as taking screenshots, capturing keystrokes, disabling itself) are executed once the timer triggers. To circumvent antivirus and automated sample analysis, hackers again used ‘security measures’: they implemented the anti-emulation function in the timer code.

In an attack on a Russian bank through the AWS CBR, hackers used a tool called MoneyTaker v5.0, after which the group has been named. Each component of this modular program performs a certain action: it searches for payment orders and modifies them, replaces the original payment details with fraudulent ones, and then erases traces. The replacement succeeds because at this stage the payment order has not yet been signed; signing occurs after the payment details are replaced. In addition to hiding the tracks, the concealment module then substitutes the original payment details back into the debit advice after the transaction. This means that the payment order is sent and accepted for execution with the fraudulent payment details, while the responses come back as if the payment details were the initial ones. This gives cybercriminals extra time to mule funds before the theft is detected.

Leaving no trace behind

To conduct targeted attacks, MoneyTaker uses a distributed infrastructure that is difficult to track. A unique feature of the infrastructure is a persistence server, which delivers payloads only to victims with an IP address in MoneyTaker’s whitelist.

To control the full operation, MoneyTaker uses a Pentest framework Server. On it, the hackers install a legitimate tool for penetration testing – Metasploit. After successfully infecting one of the computers and gaining initial access to the system, the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network. Hackers use Metasploit to conduct all these activities: network reconnaissance, search for vulnerable applications, exploit vulnerabilities, escalate systems privileges, and collect information.

The group uses ‘fileless’ malware, which exists only in RAM and is destroyed after a reboot. To ensure persistence in the system, MoneyTaker relies on PowerShell and VBS scripts – both are difficult for antivirus to detect and easy to modify. In some cases, they have made changes to the source code ‘on the fly’ – during the attack.

After successful infection, they carefully erase malware traces. However, when investigating an incident in Russia, we managed to discover the initial point of compromise: hackers penetrated the bank’s internal network by gaining access to the home computer of the bank’s system administrator.

In addition, to protect C&C communications from being detected by security teams, MoneyTaker employs SSL certificates generated using the names of well-known brands (Bank of America, Federal Reserve Bank, Microsoft, Yahoo, etc.), instead of filling the fields out randomly. In the US, they used the LogMeIn Hamachi solution for remote access.

Attacks on card processing

The first attack on card processing that Group-IB specialists attribute to this group was conducted in May 2016. Having gained access to the bank network, the attackers compromised the workstation of First Data’s STAR network portal operators, making the changes required and withdrawing the money. In January 2017, the attack was repeated in another bank.

The scheme is extremely simple. After taking control over the bank’s network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked. Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules. They removed overdraft limits, which made it possible to overdraw even with debit cards. Using these cards, the mules withdrew cash from ATMs, one by one. The average loss caused by one attack was about $500,000 USD.

Russian Hacker Arrested For Stealing $8000 Per Day Via Mobile Malware

Law enforcement, with support from Group-IB, has arrested a 32-year-old hacker, accused of stealing funds from Russian banks’ customers using Android mobile malware.

At the height of their activity, victims reportedly lost between 1,500 and 8,000 dollars daily, and the group leveraged cryptocurrency for laundering.

Group-IB’s analysis reviewed the tools and techniques leveraged in the group’s attacks, revealing that the gang tricked customers of Russian banks into downloading a malicious mobile application, “Banks at your fingertips”. The app claimed to be an aggregator of the country’s leading mobile banking systems and promised users ‘one-click’ access to all their bank cards to view balances, transfer money from card to card, and pay for online services. The app was first discovered in 2016 and was distributed through spam emails.

The criminal group’s approach was rather elementary: customers of banks downloaded the fake mobile app and entered their card details. The Trojan then sent bank card data or online banking credentials to the C&C server. Following this, the threat actor transferred 200-500 dollars at a time to previously activated bank accounts, and bypassed SMS confirmation codes which were intercepted from the victim’s phone. The victims were not aware of the transactions as all SMS confirmations of transactions were blocked.

Further details on this story here

Anti-theft Software Exploited By State Actor [LoJack]

Research by Arbor Networks has alleged that a capable state actor has hijacked software that protects users if their computers are stolen.

The software, called LoJack, allows administrators to remotely lock, locate and remove files from stolen computers.

Its main customers are corporate IT-related firms that need to protect information from exploitation. It is often installed by default. However, the actor has re-configured the software for malicious use to maintain persistent access to targeted devices and communicate with command-and-control servers that the actor operates.

Most anti-virus packages cannot detect when LoJack has been hijacked, or do not recognise the hijacked version as malicious.

Previous research as far back as 2009 has publicised that Lojack could be exploited.

However, not all computers that use LoJack are vulnerable to compromise and data exfiltration – the attacker needs to gain initial access to the machine before they can deploy the hijacked version of LoJack to maintain persistence.

Twitter Passwords Exposed

Twitter has urged its users to change their passwords after a software bug exposed their login details.

The bug saw usernames and passwords written in plain text and stored in an internal log before being encrypted.

Twitter discovered and fixed the error and have since apologised for their mistake, advising all 330 million users to change their passwords as a precautionary measure.

Despite login credentials being made visible by the bug, Twitter are confident that no details have been compromised.

It is important to manage passwords effectively; never use the same password for important accounts such as banking, work accounts or cloud storage. If your password is exposed on one platform it’s possible that criminals or other threat actors might attempt to use that information in the hope of compromising others.

UK Cyber Criminal Pleads Guilty To Selling Customer Credentials On The Dark Web

A cyber criminal who hacked into the online networks of at least 200 companies worldwide recently pleaded guilty to multiple offences in court.

Grant West, 25, who operated under the pseudonym ‘Courvoisier’, was detained in September 2017 following a two-year investigation by Scotland Yard. He was arrested on a train whilst logging on to his dark web marketplace account.

Southwark Crown Court heard that from at least 2015, West hacked into the online networks of Sainsburys, Asda, Apple, Uber, Ladbrokes, JustEat, Argos and others.

The data of thousands of customers was then stolen and used in spear-phishing scams to dupe customers into revealing their credit and debit card details, login credentials and email addresses.

The customer credentials were then sold on the dark web marketplace and used by other cyber criminals to make illegal purchases. Although hacking of the company websites was the major enabler of this cyber criminal activity, the spear-phishing emails ultimately led to customers unwittingly divulging their personal banking details which were then used to steal their money.

Powershell Script To Check for MS17-010 Hotfixes [EternalBlue]

The below PowerShell script will check for all Microsoft KB patches associated to MS17-010.

EternalBlue is an exploit developed by the U.S. National Security Agency (NSA), according to testimony by former NSA employees. It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack.

Related exploits and malware include WannaCry, EternalRomance, EternalChampion and EternalSynergy.

The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.

This script will only work on the local PC (it can be modified to cover the entire network – please feel free to add comments if you have done this).

# List of all the hotfix KB numbers associated with MS17-010
$hotfixes = "KB3205409", "KB3210720", "KB3210721", "KB3212646", "KB3213986", "KB4012212", "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012218", "KB4012220", "KB4012598", "KB4012606", "KB4013198", "KB4013389", "KB4013429", "KB4015217", "KB4015438", "KB4015546", "KB4015547", "KB4015548", "KB4015549", "KB4015550", "KB4015551", "KB4015552", "KB4015553", "KB4015554", "KB4016635", "KB4019213", "KB4019214", "KB4019215", "KB4019216", "KB4019263", "KB4019264", "KB4019472", "KB4015221", "KB4019474", "KB4015219", "KB4019473"

# Check the computer the script is run on for any of the listed hotfixes
$found = Get-HotFix -ComputerName $env:COMPUTERNAME |
    Where-Object { $hotfixes -contains $_.HotFixID } |
    Select-Object -ExpandProperty HotFixID

# Report whether a matching hotfix was found or not
if ($found) {
    "Found HotFix: " + ($found -join ", ")
} else {
    Write-Warning "Did Not Find HotFix"
}
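The post invites a network-wide version of the check. The following is an added example, not part of the original post: it runs the same KB lookup on a list of hosts over WinRM, also records whether SMBv1 (the protocol MS17-010 patches) is still enabled, and writes the unpatched hosts to a CSV. It assumes a constructed host list in .\hosts.txt, admin rights and WinRM access to each host.

```powershell
# Added example: check every host in .\hosts.txt (constructed placeholder path) for
# the MS17-010 hotfixes. Assumes WinRM (Invoke-Command) is reachable on each host and
# the running account is a local administrator there.
$hotfixes = "KB3205409", "KB3210720", "KB3210721", "KB3212646", "KB3213986", "KB4012212", "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012218", "KB4012220", "KB4012598", "KB4012606", "KB4013198", "KB4013389", "KB4013429", "KB4015217", "KB4015438", "KB4015546", "KB4015547", "KB4015548", "KB4015549", "KB4015550", "KB4015551", "KB4015552", "KB4015553", "KB4015554", "KB4016635", "KB4019213", "KB4019214", "KB4019215", "KB4019216", "KB4019263", "KB4019264", "KB4019472", "KB4015221", "KB4019474", "KB4015219", "KB4019473"

$computers = Get-Content -Path ".\hosts.txt" | Where-Object { $_.Trim() -ne "" }

$results = foreach ($computer in $computers) {
    try {
        $remote = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            # $using: passes the KB list from the calling session into the remote session
            $installed = Get-HotFix |
                Where-Object { $using:hotfixes -contains $_.HotFixID } |
                Select-Object -ExpandProperty HotFixID

            # Get-SmbServerConfiguration only exists on Windows 8 / Server 2012 and later,
            # so treat a missing cmdlet as "unknown" rather than failing the whole host.
            $smb1 = $null
            if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
                $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
            }

            [pscustomobject]@{
                HotFixes    = @($installed)
                SMB1Enabled = $smb1
            }
        }

        [pscustomobject]@{
            Computer    = $computer
            Patched     = ($remote.HotFixes.Count -gt 0)
            HotFixes    = ($remote.HotFixes -join ", ")
            SMB1Enabled = $remote.SMB1Enabled
            Error       = $null
        }
    }
    catch {
        # Unreachable hosts are reported separately instead of being silently skipped
        [pscustomobject]@{
            Computer    = $computer
            Patched     = $null
            HotFixes    = ""
            SMB1Enabled = $null
            Error       = $_.Exception.Message
        }
    }
}

$results | Sort-Object Patched | Format-Table -AutoSize

# Hosts with no matching KB, or that could not be queried, need follow-up
$results | Where-Object { $_.Patched -ne $true } |
    Export-Csv -Path ".\ms17-010-followup.csv" -NoTypeInformation
```

A host that shows no matching KB is not necessarily vulnerable: Get-HotFix reads Win32_QuickFixEngineering, which may not list the March 2017 KBs once later cumulative updates have superseded them, so confirm such hosts against the Microsoft guidance the post links to before treating them as unpatched.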

There are also other ways to check for the patches, as documented by Microsoft here.

Early Bird Code Injection Technique

Early Bird is a new code injection technique that enables malicious users to effectively avoid anti-malware detection. The technique is known to be part of malware used by the Iranian advanced persistent threat (APT) group APT33.

The technique uses legitimate Windows processes such as svchost.exe, injecting the code into an application before the actual process starts and before the anti-malware product has started to monitor it.

Anti-malware products use a mechanism called hooking that is designed to detect this type of technique. However, Early Bird loads the malicious code at a very early stage of process start-up, before many anti-malware products have placed their hooks, so it can go undetected.

Cyberbit provides an Endpoint Detection and Response solution (EDR) which successfully detects the ‘Early Bird’ injection technique. To learn more visit the Cyberbit EDR page.

Affected Platforms

Microsoft Windows – All versions

Cyberbit published a report with the details of the injection process, along with a YouTube video.



Phishing Emails Deemed Number One Threat By UK Businesses

Industry research by security company Clearswift has reported that malicious links within emails are perceived as posing the biggest cyber threat to UK businesses, with 59% of business decision makers highlighting this as their chief concern, far ahead of any other cyber threat.

The research surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia.

When asked what they see as the biggest threat to their organisation, business decision makers ranked phishing emails as the top threat in all four surveyed regions:

Cyber Threatscape Top 10

  1. Malicious links within emails – 59%
  2. Employees sharing usernames/passwords – 33%
  3. USB memory sticks/removable storage – 31%
  4. Users not following protocol/data protection policies – 30%
  5. Ex-employees retaining access to network – 28%
  6. Infection via malware from personal devices – 26%
  7. Hackers – 25%
  8. Employees using non-authorised tools/applications for work purposes (personal email drives/file sharing) – 25%
  9. Social media viruses – 24%
  10. Critical information on stolen devices – 23%

HMRC Spear Phishing Emails

Phishing emails appearing to be from HM Revenue & Customs (HMRC) are known to increase in volume from January to March, towards the end of the UK financial year. The emails claim to offer tax rebates, enticing users with financial incentives. Companies can be particularly susceptible to this type of scam as their contact information is often readily available.

These emails can have all the hallmarks of an HMRC email but contain hidden links that redirect to malicious websites. Once the links are activated, the user’s machine can become infected with malware.

Emails from HMRC will never:

  • Send notification of a tax rebate.
  • Offer a repayment.
  • Request personal information such as your full address, postcode, Unique Taxpayer Reference, or bank account details.
  • Request any responses to a non-HMRC personal email address.
  • Request financial information such as specific figures or tax computations, unless you’ve given HMRC prior consent and formally accepted the risks.
  • Have attachments, unless you’ve given HMRC prior consent and formally accepted the risks.
  • Provide a link to a secure log-in page or a form asking for information – instead HMRC will ask you to log on to your online account to check for information.

Any email received from HMRC requesting financial information or offering financial incentives should be treated with the utmost caution and checked before opening.

Affected Platforms

All Windows Versions


CCleaner Attack Update

Cyber security company Avast continues to investigate the 2017 supply chain attacks involving clean-up tool CCleaner. For a month last summer, Advanced Persistent Threat (APT) attackers are reported to have maliciously modified versions of CCleaner and CCleaner Cloud at source, before being downloaded by 2.27 million customers worldwide. The attackers then selected a small number of high profile technology and telecommunications companies to receive a secondary payload.

Avast’s ongoing investigation has now revealed that CCleaner developer Piriform (acquired by Avast in July) was probably compromised as early as March 2017, although no information is given about the original attack vector.

The investigation also points to a possible third stage of the malware that may have been distributed via the CCleaner attack: once on the Piriform network, the attackers deployed a tool known as Shadowpad, which included keylogging and password stealing functionality, as well as other tools, to allow them to progress their attack remotely. The same tool may have been deployed to those customers who received the secondary payload.

Avast also details the steps it has taken to remove the threat from the Piriform network.