MoneyTaker hacking group

A cyber-criminal group believed to be operating out of Russian-speaking territories has hit at least 20 banks and financial companies and stolen millions of US dollars in the process.

Details of these attacks were first made public in a report published yesterday by Russian cyber-security firm Group-IB. The company believes this is a new group, different from other advanced criminal organizations that have hit the financial sector in the past, like the Carbanak, Cobalt, and Lazarus Group operations.

Researchers named this new group MoneyTaker, based on the name attackers gave to one of their hacking utilities.

MoneyTaker group began operations in 2016

According to Group-IB, MoneyTaker has started operations sometimes in 2016, hitting its first target —a Florida bank— in May 2016.

Since then, the group has hit 14 US banks, a US services provider, a UK company, 3 Russian banks, and one Russian law firm.

Timeline of MoneyTaker attacks

The attacks that hit banks have focused on infiltrating inter-banking money transfer and card processing systems such as the First Data STAR Network and the Russian Central Bank's AWS CBR system.

Attackers infiltrated one computer, then spread laterally, gathering any files and credentials they could, hoping to compromise a PC with access to the STAR or CBR networks.

Attackers studied bank networks by stealing documentation files

Evidence collected by Group-IB suggests attackers intentionally searched and stole internal documentation files to learn about bank operations in preparation for future attacks.

In some cases, attackers also stole documents on SWIFT, another inter-banking money transfer system, and files on OceanSystems’ FedLink, a card processing system widely deployed across Latin America.

Now, experts believe Latin America banks and banks utilizing the SWIFT system are in MoneyTaker's crosshairs. The SWIFT team issued a report last month with recommendations on how banks could improve their security.

Attackers used fileless malware, legitimate apps

As for the "hacking" part of the MoneyTaker attacks, Group-IB said the hackers' activity was very hard to investigate.

Attackers used common and legitimate apps to carry out malicious operations and used a wide arsenal of malware families. Each hack was different, showing that the group studied each target in fine detail and deployed only tools appropriate for those targets.

The hackers never focused on one bank system alone, and stole money from card processing systems, from ATM networks, and even installed POS (Point-of-Sale) trojans when the hacked organizations weren't financial institutions and had no connection to a large inter-banking network.

According to Group-IB, the group used the MoneyTaker malware framework to hijack inter-banking and card processing operations, the ScanPOS malware for POS systems, custom screenshoting and keylogging tools and the Citadel and Kronos banking trojans to move laterally inside networks. The table below shows tools used by MoneyTaker during their attacks.

Collection of hacking tools used by MoneyTaker group

In addition, MoneyTaker also used SSL certificates generated in the name of big brands to sign their malware, used one-time Yandex and email accounts, and employed the overdraft technique for cashing stolen funds with the help of money mules.

Further, the hackers also took the time to delete their entry points, as Group-IB was not able to find the initial infection vector, and used a unique command-and-control server infrastructure that did not deploy any malware unless the download request came from a targeted bank's IP address range.

Group-IB investigators said they forwarded all the data they gather on this group to Europol and Interpol, as they suspect this will not be the last time we hear about MoneyTaker's operations.

Bleeping Computer readers can get their hands on the Group-IB MoneyTaker report from here.

Related Articles:

White-Hats Go Rogue, Attack Financial Institutions

Lazarus Group Deploys Its First Mac Malware in Cryptocurrency Exchange Hack

Domestic Kitten APT Operates in Silence Since 2016

Iranian Hackers Charged in March Are Still Actively Phishing Universities

Zero-Day In Microsoft's VBScript Engine Used By Darkhotel APT