Crafty bank hack allowed Russian hackers to make indefinite ATM withdrawals
How would like your ATM to rain you with $$$ without any limits or paying headaches. Well Russian hackers did just that Metel crimeware package. The recently found Metel crimeware package has more than 30 separate modules that can be personalized according to the computer it is infecting.
One of the most dominant modules immediately rolls back ATM transactions after a while they are made. Consequently, people can withdraw nearly unlimited sums of money from ATMs belonging to another bank with payment cards from a compromised bank. The criminals never pass the brink that would generally freeze the card because the Metel module constantly resets card balances. The rollback scheme last year resulted in an unnamed bank losing millions of Rubles in a single night in Russia.
Normally, Metel gets hold of an initial position by abusing susceptibilities in browsers or through spear phishing e-mails that fool employees to execute malicious files. In an attempt to further drill a hole into the targeted network, Metel hacking gang members then use legitimate software used by security researchers and server administrators to abuse other PCs. Until they gain control over a system with access to money transactions, they will work this way patiently over and over again.
Security researchers with Kaspersky Lab, the security firm that uncovered the Metel attack platform, wrote in a blog post published Monday, “As a result, each time when criminals picked up the money from a card of the compromised bank in an ATM of another bank, [the] infected system automatically rolled back the transactions. That’s why the balance on the cards remained the same, allowing the cybercriminal to withdraw money limited only by the amount of cash in the ATM. The criminals made similar cash-outs at different ATM machines.”
The growing sophistication of hackers targeting banks is demonstrated by Metel. Not so long ago social engineering, reconnaissance, state-of-the-art software engineering, lateral movements through a network, and long-term persistence were mainly the elite hallmarks of so-called advanced persistent threat actors that diligently hack high-profile targets, generally on behalf of government spy agencies. In comparison, hackers targeting financial institutions took a more principled approach that infected the easiest targets and did not cause nuisance with more difficult ones. At present, sophisticated techniques are gradually becoming a part of hacking crimes motivated by money as well.
Two other examples were provided by the Kaspersky researchers for APT-style techniques used against financial institutions that include:
The so-called GCMAN group gets its name from the malware that is made using the GCC compiler. Using spearphishing e-mails similar to Metel, its members gain an initial foothold into financial institutions and from there use widely available tools such as VNC, Putty, and Meterpreter to widen their access. In one case, before drawing any funds, GCMAN members had access to one targeted network for 18 months. However, when the group finally bounced into action, it used automated scripts to slowly transfer funds about $200 per minute into the account of a so-called “mule,” who was nominated to withdraw the money.
In one recent case, the Carbanak 2.0 malware used its access to a financial institution to change ownership details of a large company. To list a money mule as one of the shareholders, the records were revised. The gang took a five-month sabbatical after attacking numerous banks last year, which led the Kaspersky researchers to think that the group had split up. In December, Kaspersky confirmed the group was active and had revamped its malware to target new set of victims.
According to Kaspersky researchers, all three gangs seem to be active and are known to have altogether affected 29 organizations in Russia. However, they suspect that the number of institutions infected by the groups is much higher.