Hackers associated with a sophisticated Russian cybercrime ring attacked a series of banks in the U.S., U.K. and Russia, robbing at least one U.S. financial institution two separate times, according to Moscow-based cybersecurity company Group-IB.
The researchers dubbed the group “Money Taker,” based on a custom, modular malware framework used to spy on banks and manipulate payment data. Security researchers say Money Taker has been active since at least 2016, targeting more than 20 organizations over the last two years.
In addition to banks, victims include international law firms and financial software vendors.
Money Taker is likely a criminal enterprise unaffiliated with any government, although it has proved to be highly skilled, resourceful and well-equipped — comparable to an advanced persistent threat (APT) group, which is typically government-backed, Group-IB Director Nik Palmer told CyberScoop.
“The [banking-focused] attacks were certainly conducted by a skillful targeted attack group,” explained Palmer. “The group is skillful enough to modify the tools that they used during the attack. In some cases, they created or modified tools during their operations which signifies a good level of technical capabilities.”
Group-IB believes Money Taker is an entirely new hacking group. Analysts with the Russian company’s threat intelligence unit are “confident” the group was unidentified until Sunday, when the company published its initial research.
Group-IB says Money Taker has combined publicly available intrusion tools — such as the widely used penetration-testing framework Metasploit — with complex, custom-made malware, including fileless malware, keyloggers and so-called “screenshotters.”
The group has also launched attacks using the well-known banking trojans Kronos and Citadel to deliver point-of-sale (POS) malware, which can covertly harvest credit and debit card data. In these operations, Money Taker likely relied on “money mules” — people on the ground who visited banks with fake payment cards and withdrew funds — to cash out.
This diverse toolset is amplified by the group’s strong operational security, Group-IB noted. Money Taker usually launches attacks from decentralized infrastructure, using different remote servers to host malware and to receive stolen data. Another tactic is signing malware with illegitimate certificates whose details reference well-known technology brands such as Microsoft and Yahoo, in hopes of avoiding detection.
In most cases, Money Taker erases malware traces from a victim’s systems, leaving very little evidence for investigators to chase.
Group-IB also found evidence that the group had worked to steal internal manuals and documents related to three separate banking systems: SWIFT, First Data’s STAR network and the AWS CBR (Russian Interbank System).
“MoneyTaker was interested in acquiring documentation, instructions and administrative guides of multiple systems within the banks, not just interbank payment systems,” explained Palmer. “The documents that they chose to exfiltrate were a clear indication that the group was interested to learn more about how specific systems within the bank functioned so that they could use that information to complete their operation.”
Money Taker is far from the only hacking group to target the SWIFT system. Lazarus Group, a hacking collective with ties to North Korea, has been linked to an operation in which Bangladesh Bank lost upwards of $81 million to cyber thieves, according to media reports.
Palmer said it is not clear how Money Taker initially breaks into targeted organizations, as no phishing emails have been recovered as evidence. The initial infection vector remains a mystery.
“The primary infection vector remains unknown as Group-IB conducted their analysis on MoneyTaker’s infrastructure,” said Palmer. “In the events we conducted incident response, the exact entry point was unclear. In one case we investigated, a bank employee’s personal computer was compromised and this was used as an entry point to the bank’s infrastructure.”