Bank Busting and Beyond: Metel, GCMan and Carbanak 2.0!

From ancient times, the banking business has been associated with the danger of theft. The advance of technology has provided criminals with extra opportunities.

At the end of 2015, the Global Research and Analysis Team (GReAT) made a series of predictions about the IT security situation in 2016. Of course, these predictions were not wild guesses or magical divinations: they were grounded in continuous surveillance of the worldwide threat landscape and in ongoing research.

To illustrate this, we are going to look at three out-of-the-ordinary cyberheists: two conducted by actors quite new to us, and a third by an old acquaintance.

But – let’s start with the first.

Metel: rolling stolen money back

In the summer of 2015, our Emergency Response Team received a call from a Russian bank. The callers reported a loss of money through financial transactions whose origin they were unable to trace. Kaspersky Lab’s experts responded rapidly and located the root cause: a piece of malware based on the well-known Corkow Trojan, which we dubbed Metel (Russian for ‘snowstorm’). The investigation uncovered a cybercriminal operation with an innovative cash-out technique. Having taken control of a machine in the bank’s support centre whose interface could reverse card transactions, the criminals used the compromised bank’s own payment cards to withdraw cash from the ATMs of several banks, driving from machine to machine at night. Every withdrawal was automatically rolled back through the hijacked support interface, so the cards’ balances never ran out and the ATMs’ cash cassettes could be emptied at will. Further research showed that the Metel operators achieved their initial infection through specially crafted spear-phishing emails with malicious attachments, and through the Niteris exploit pack, which targeted vulnerabilities in the victim’s browser.

Demonstrating that a successful targeted attack does not require writing a lot of malware modules, the cybercriminals used legitimate pentesting tools, including Mimikatz, to obtain administrator credentials. To harvest them, they deliberately crashed applications on infected machines: when administrators logged on to fix the problem, their credentials could be captured from the compromised host.

With admin rights, it was much easier for them to move laterally, hijack the local Domain Controller and eventually locate and gain control over support computers.

Following the initial discovery, Kaspersky Lab found Metel malware lodged in the IT networks of several more banks. Fortunately, these infections were cleaned up before major damage could occur. Still, there are grounds to suspect that the infection is much more widespread, and banks around the world are advised to check for it proactively, using the Indicators of Compromise (IoCs) provided, or to contact Kaspersky Lab specialists for a more thorough search.


GCMan: The Money Ping

Another bank contacting Kaspersky Lab’s emergency team reported that it was losing the equivalent of $200 a minute through an unidentified channel. Our investigators examined the ‘crime scene’ and found malware sitting alongside a number of legitimate and pentesting tools (including PuTTY, VNC and Meterpreter). The primary malware was compiled with the GCC compiler, a toolchain far more common in the Linux world than among Windows malware authors, hence the ‘GCMan’ nickname. Using techniques very similar to Metel’s, GCMan gained a foothold inside the bank’s perimeter through spear-phishing emails with malicious attachments. It then explored the network, located the server responsible for financial transactions and set up a scheduled script that sent $200 ‘pings’ to multiple e-currency systems, without the transfers being reported or triggering any alarms.

A stroke of luck, together with help from Kaspersky Lab specialists, allowed the bank to spot the suspicious network activity and to locate and cancel the unwanted transactions. All the same, it’s worth noting that the initial infection occurred more than 18 months before the ‘money pings’ started. During that time the attackers kept a low profile, gradually expanding their control over the network and laying the groundwork for the subsequent theft: 70 hosts and 56 accounts were compromised, using a total of 139 auxiliary attack sources (including the Tor network and compromised SOHO routers).
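Both heists leave a characteristic trace in the bank’s own transaction ledger: Metel’s withdrawals are each followed within minutes by a same-amount reversal issued from an internal support host, so the card balance never drops while cash keeps leaving the ATMs; GCMan’s scheduled job sends the same small amount at an almost perfectly regular interval. The following Python script is an added example, not code from the original post and not Kaspersky Lab’s detection logic. It runs two simple heuristics over a constructed ledger; every account, host name, amount and threshold in it is made up for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed sample ledger (not real bank data). Columns:
# timestamp, account, kind, amount, origin (ATM id or internal host), counterparty
SAMPLE_LEDGER = """\
timestamp,account,kind,amount,origin,counterparty
2015-07-12T01:02:10,CARD-1,WITHDRAWAL,500,ATM-014,
2015-07-12T01:02:14,CARD-1,REVERSAL,500,SUPPORT-PC-07,
2015-07-12T01:19:42,CARD-1,WITHDRAWAL,500,ATM-022,
2015-07-12T01:19:45,CARD-1,REVERSAL,500,SUPPORT-PC-07,
2015-07-12T01:41:03,CARD-1,WITHDRAWAL,500,ATM-022,
2015-07-12T01:41:07,CARD-1,REVERSAL,500,SUPPORT-PC-07,
2015-07-12T02:05:30,CARD-1,WITHDRAWAL,500,ATM-031,
2015-07-12T02:05:33,CARD-1,REVERSAL,500,SUPPORT-PC-07,
2015-07-12T09:15:00,CARD-2,WITHDRAWAL,100,ATM-014,
2015-07-12T10:00:00,CARD-3,WITHDRAWAL,300,ATM-005,
2015-07-12T10:00:40,CARD-3,REVERSAL,300,SUPPORT-PC-02,
2015-07-12T11:00:00,ACC-77,TRANSFER,200,TXSRV-01,EPAY-A
2015-07-12T11:01:00,ACC-77,TRANSFER,200,TXSRV-01,EPAY-B
2015-07-12T11:02:01,ACC-77,TRANSFER,200,TXSRV-01,EPAY-A
2015-07-12T11:03:00,ACC-77,TRANSFER,200,TXSRV-01,EPAY-C
2015-07-12T11:04:00,ACC-77,TRANSFER,200,TXSRV-01,EPAY-B
2015-07-12T11:30:00,ACC-88,TRANSFER,1250,TXSRV-01,SUPPLIER-X
2015-07-12T13:10:00,ACC-88,TRANSFER,1250,TXSRV-01,SUPPLIER-X
2015-07-12T16:45:00,ACC-88,TRANSFER,980,TXSRV-01,SUPPLIER-Y
"""


def parse_ledger(text):
    """Parse the CSV ledger into dicts with typed timestamp and amount, oldest first."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["ts"] = datetime.fromisoformat(rec["timestamp"])
        rec["amount"] = float(rec["amount"])
        rows.append(rec)
    return sorted(rows, key=lambda r: r["ts"])


def detect_rollback_fraud(rows, window=timedelta(minutes=5), min_pairs=3):
    """Metel-style pattern: each ATM withdrawal is matched by a same-amount
    reversal shortly afterwards, so cash is dispensed but the balance never
    drops. One alert per card showing at least `min_pairs` such pairs; a single
    legitimate dispute reversal (CARD-3 above) stays below the threshold."""
    by_card = defaultdict(list)
    for r in rows:
        if r["kind"] in ("WITHDRAWAL", "REVERSAL"):
            by_card[r["account"]].append(r)
    alerts = []
    for card, events in by_card.items():
        pairs, pending = [], []          # pending = withdrawals awaiting a reversal
        for ev in events:
            if ev["kind"] == "WITHDRAWAL":
                pending.append(ev)
                continue
            for w in pending:
                if w["amount"] == ev["amount"] and ev["ts"] - w["ts"] <= window:
                    pairs.append((w, ev))
                    pending.remove(w)
                    break
        if len(pairs) >= min_pairs:
            alerts.append({
                "account": card,
                "pairs": len(pairs),
                "cash_dispensed": sum(w["amount"] for w, _ in pairs),
                "net_balance_change": sum(w["amount"] - rv["amount"] for w, rv in pairs),
                "reversal_hosts": sorted({rv["origin"] for _, rv in pairs}),
                "atms": sorted({w["origin"] for w, _ in pairs}),
            })
    return alerts


def detect_metronome_transfers(rows, min_count=4, max_jitter_s=5.0):
    """GCMan-style pattern: a scheduled job sends the same small amount at a
    fixed interval. Flags (account, amount) groups with >= min_count transfers
    whose inter-arrival times vary by no more than `max_jitter_s` seconds."""
    groups = defaultdict(list)
    for r in rows:
        if r["kind"] == "TRANSFER":
            groups[(r["account"], r["amount"])].append(r)
    alerts = []
    for (account, amount), evs in groups.items():
        if len(evs) < min_count:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        if pstdev(gaps) <= max_jitter_s:
            alerts.append({
                "account": account,
                "amount": amount,
                "count": len(evs),
                "period_s": sum(gaps) / len(gaps),
                "origin_hosts": sorted({e["origin"] for e in evs}),
                "counterparties": sorted({e["counterparty"] for e in evs}),
                "total_out": amount * len(evs),
            })
    return alerts


if __name__ == "__main__":
    ledger = parse_ledger(SAMPLE_LEDGER)
    for alert in detect_rollback_fraud(ledger):
        print("ROLLBACK  ", alert)
    for alert in detect_metronome_transfers(ledger):
        print("METRONOME ", alert)
```

On the sample data the first detector flags CARD-1 only (four withdrawals totalling 2000 with a net balance change of zero, all reversed from SUPPORT-PC-07), and the second flags ACC-77 only (five 200-unit transfers roughly 60 seconds apart). The `reversal_hosts` and `origin_hosts` fields are what turn a fraud alert into an incident-response lead: in both stories the interesting question was which internal machine was issuing the transactions.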

Several more financial institutions contacted Kaspersky Lab with incidents that subsequently proved connected to GCMan. But there is reason to assume that the infiltration was much more widespread, so don’t hesitate to check proactively for attack indicators. GCMan may move slowly, but it can start siphoning off funds at any time.

Carbanak 2.0: expanding the boundaries of crime

The group that made many a banker turn grey by stealing close to $1 billion last year is back! After the initial operation they faded into the shadows for several months, but in September 2015 our colleagues from CSIS discovered a new variant of their malware during an incident investigation. In December 2015, Kaspersky Lab’s GReAT experts confirmed that the group is still active despite all the rumours of retirement. In its new wave of operations the group has broadened its choice of victims, targeting the accounting and budgeting departments of a wide range of companies. In one case they even attempted to forge documents showing that an accomplice was one of the enterprise’s shareholders. It remains unclear how they intended to use this in the future.

Carbanak’s initial series of attacks was noted for its wide use of legitimate tools, and even built-in administrative interfaces, to achieve its goals. The second iteration is similar: besides an updated backdoor module, the group used pentesting tools such as Meterpreter and a number of legitimate Remote Administration Tools, including the same AMMYY Admin that featured in their first campaign.

Less malware: more legitimate software – plus extensive testing

These three cases neatly illustrate an important trend in targeted attacks. Why write a lot of custom malware when legitimate utilities can be just as effective and trigger far fewer alarms? The necessary reliability is achieved by rehearsing the attack against a replica of the target’s security stack and tweaking the scheme until it passes unnoticed. This merits a fresh look at your current security posture: some aspects definitely need reviewing.

Addressing the issue

The first thing to do, given the stories above, is to review the alerts triggered by the various kinds of ‘Riskware’, Remote Administration Tools in particular: they demand special attention. But this alone is not enough. According to the Australian Signals Directorate’s Strategies to Mitigate Targeted Cyber Intrusions, application whitelisting (allowlisting) is one of the Top 4 mitigations, which together would have prevented at least 85% of the targeted intrusions the ASD responded to. In the case of financial institutions the price of a breach can be incredibly high: besides the money itself, hundreds of thousands of customer records can be exposed.

So it’s well worth considering a Default Deny Application Control scenario for workstations that perform only a limited set of tasks, such as customer-support operators’ or accountants’ PCs. This prevents the majority of file-based malware from launching, since only allowed applications may run. Policing internet access reduces the risk further: many workstations do not need web browsing at all, and the rest can be restricted to safer web resources with Web Control. Device Control, finally, restricts the use of portable storage, which can serve both as an infection vector and as a data-leakage channel.

But even such potent technologies as allowlisting and Default Deny are no panacea. Attackers are not stupid and keep inventing new tricks to sidestep them: GCMan, for example, employs a number of PowerShell scripts to get around different implementations of Default Deny. The interpreter itself is a trusted, signed system binary, so an allowlist that controls only executables will not see the scripts it runs; extra security layers are therefore also needed.

Security Controls are part of Kaspersky Endpoint Security for Business, a true multi-layered security powerhouse comprising a plethora of constantly improved leading-edge technologies to guard the most vulnerable element of the IT network – the endpoint.

Of course, just offering a multitude of powerful endpoint security layers is not enough. Spear-phishing, one of the most popular techniques for initial infection, makes reliable mail security a must. Kaspersky Security for Mail Servers scans incoming emails for both malicious attachments and URLs, significantly reducing the chances of malware reaching its victims.

In the light of the stories above, you may want to consider ordering a proactive inspection of your IT infrastructure for the presence of Targeted Attacks. Our Kaspersky Targeted Attack Discovery[1] service employs the best cyberdetectives armed with the most extensive security intelligence to uncover and help neutralize even the most complicated Targeted Attacks.

From ancient times, the banking business has been associated with the danger of theft. The advance of technology has provided criminals with extra opportunities – and in the Digital Age, such opportunities have become a Sword of Damocles hanging over financial institutions. There really is good reason to adjust your IT security strategy right now.

For more about these Bank Busters, read the following blogpost on Securelist.

[1] Available only in a limited number of regions. To find out whether it is available in your region, please contact your Kaspersky Lab manager.