Clustertrouble: dealing with a multistage financial attack

A curious story about an investigation of fraudulent activity that our GERT group recently conducted on behalf of one of the company’s clients. The attackers were careful, but not careful enough.

This story comes from our GERT group, which handles specific incident investigations. While the work they do is far from routine, it is mostly technical, so an account of one of their investigations usually ends up overloaded with technical details: software names, malware aliases, ports, code fragments and so on. That isn’t always interesting. This particular story is something special.

Okay, here’s the plot. Some time ago a company – large enough to operate with five- and six-digit sums – approached Kaspersky Lab’s experts asking us to take a look at something wicked going on. In a nutshell, the bank it worked with had requested confirmation of a large outgoing payment. The trouble was that this payment was not supposed to be happening at all: the account manager responsible for making such payments was out at dinner at the time of the transaction attempt. Moreover, another payment – ten times smaller, but still rather large – had already gone through without alarming the bank, and again without anyone in the firm being aware of it.

The situation smelled foul enough for the company’s representatives to suspect that malware was at play. That suspicion was confirmed in the very first days of the investigation, and the malware turned out to be quite impressive, of the rough-but-effective sort, even though the attackers made one big mistake.

The experts at Kaspersky Lab’s Global Emergency Response Team (GERT) received an image of the attacked computer’s hard drive from the organization, studied it and soon found a suspicious email message, allegedly sent by the state tax office, demanding that some documents be provided immediately.


In fact, the message subject was written in capital letters with a lot of exclamation marks, which is hardly the style of an official letter from a government agency, so it really should have raised suspicion. Apparently the accountant was mesmerized by the words “Federal Tax Service”. By the way, the names and addresses of the tax service officers in the message were real and legitimate.

All in all, the document was opened, setting loose Exploit.MSWord.CVE-2012-0158 (CVE-2012-0158 is a vulnerability in the MSCOMCTL ActiveX control, delivered through crafted Office documents and patched by Microsoft in MS12-027). The exploit downloaded an archive from a remote system, which in turn yielded Backdoor.Win32.RMS. This backdoor was used to monitor the accountant’s activity for a couple of days. Then two more pieces of malware were downloaded through it – the keylogger Trojan-Spy.Win32.Delf and Backdoor.Win32.Agent. The keylogger was used to steal the accountant’s password to the banking software, and the second backdoor to take over the PC itself and operate it remotely. Gotcha.
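The red flags in that lure (a shouted subject line, a demand to act immediately, an Office attachment) are easy to turn into a triage check. The Python script below is an added example written for this post; it is not GERT’s tooling or code from the original article. It builds two constructed sample messages (not real captures), scores the subject, the body’s urgency wording and any Office attachment, and also checks that the attachment’s bytes match its extension. That last check goes beyond what the post describes: the post does not say what the real attachment looked like inside, and the RTF-named-as-.doc sample is an assumption for illustration. Names such as triage, build_sample and build_benign are my own.

```python
"""Heuristic triage of a tax-office style lure.

Added example for this post, not the original GERT tooling. Sample
messages are constructed here (not real captures) and every name is
illustrative.
"""
import email
from email import policy
from email.message import EmailMessage

OFFICE_EXTENSIONS = {".doc", ".docx", ".rtf", ".xls", ".xlsx"}

# Expected file signatures: OLE2 compound file (.doc/.xls), ZIP (.docx/.xlsx), RTF.
OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAGIC = {
    ".doc": (OLE2,),
    ".xls": (OLE2,),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".rtf": (b"{\\rtf",),
}

URGENCY_WORDS = ("immediately", "urgent", "within 24 hours")


def shouting_ratio(text: str) -> float:
    """Fraction of letters in `text` that are upper case (0.0 when there are no letters)."""
    letters = [c for c in text if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c.isupper() for c in letters) / len(letters)


def triage(raw_message: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Cue 1: subject shouted in capitals with several exclamation marks.
    subject = str(msg.get("Subject", ""))
    if shouting_ratio(subject) > 0.7 and subject.count("!") >= 2:
        findings.append("subject shouted in capitals with exclamation marks")

    # Cue 2: the body pressures the reader to act at once.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    if any(word in text.lower() for word in URGENCY_WORDS):
        findings.append("body demands immediate action")

    # Cue 3: an Office document is attached; also verify its bytes match the extension.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = ("." + name.rpartition(".")[2].lower()) if "." in name else ""
        if ext not in OFFICE_EXTENSIONS:
            continue
        findings.append(f"Office attachment {name}")
        data = part.get_payload(decode=True) or b""
        if not data.startswith(MAGIC[ext]):
            findings.append(f"{name}: content does not match its extension")
    return findings


def build_sample() -> str:
    """Constructed lure resembling the one in the story (not a real capture)."""
    m = EmailMessage()
    m["From"] = "Federal Tax Service <inspector@example.com>"
    m["To"] = "accountant@example.org"
    m["Subject"] = "ATTENTION!!! DOCUMENTS REQUIRED!!!"
    m.set_content("Please provide the requested documents immediately.\n")
    # A '.doc' whose bytes are actually RTF: an assumption for illustration,
    # the post does not say what the real attachment looked like inside.
    m.add_attachment(b"{\\rtf1\\ansi\\deff0 exploit-document-placeholder}",
                     maintype="application", subtype="msword",
                     filename="request.doc")
    return m.as_string()


def build_benign() -> str:
    """Constructed ordinary message with a well-formed .doc attachment."""
    m = EmailMessage()
    m["From"] = "Colleague <colleague@example.org>"
    m["To"] = "accountant@example.org"
    m["Subject"] = "Q3 invoice summary"
    m.set_content("Attached is the summary we discussed.\n")
    m.add_attachment(OLE2 + b"\x00" * 24, maintype="application",
                     subtype="msword", filename="summary.doc")
    return m.as_string()


if __name__ == "__main__":
    for label, raw in (("lure", build_sample()), ("benign", build_benign())):
        print(label, "->", triage(raw))
```

The lure produces four findings, the benign message only the neutral note that a .doc is attached. A signature mismatch alone is not proof of an exploit, but it is the kind of cheap check that would have stopped this particular document from reaching the accountant’s Word without a second look.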

That wasn’t all. When the investigation was nearing completion, the experts discovered yet another curious fact: the attackers had set up a dedicated network of C&C servers to control their malware, but made a mistake that allowed Kaspersky Lab’s experts to find out the IP addresses of other computers infected with Trojan-Spy.Win32.Delf.

In most cases these proved to be computers owned by SMBs. Kaspersky Lab promptly contacted the owners of the infected computers and warned them of the threat.

This last circumstance raises another problem: how often do criminals infect one company’s network in order to attack another? The first company may be completely unaware of the malware operating on and from its servers (or from more exotic places such as wireless modems – why not?), and the infection can stay undetected for quite some time. Once again it becomes obvious that cybersecurity is everybody’s business.

And one more thing: there are technical details, a lot of them. Feel free to find them here.