{"id":15127,"date":"2016-02-08T13:20:53","date_gmt":"2016-02-08T13:20:53","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=5160"},"modified":"2020-12-17T11:35:08","modified_gmt":"2020-12-17T16:35:08","slug":"bank-busting-carbanak-2","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/bank-busting-carbanak-2\/15127\/","title":{"rendered":"Bank Busting and Beyond: Metel, GCMan and Carbanak 2.0!"},"content":{"rendered":"<p>At the end of 2015, the Global Research and Analysis Team (GReAT) made a <a href=\"https:\/\/securelist.com\/analysis\/kaspersky-security-bulletin\/72771\/kaspersky-security-bulletin-2016-predictions\/\" target=\"_blank\" rel=\"noopener\">series of predictions<\/a> about the IT security situation in 2016. These predictions were not wild guesses or magical divinations: they were grounded in continuous monitoring of the worldwide threat landscape and in ongoing research.<\/p>\n<p>To illustrate this, we are going to look at three out-of-the-ordinary cyberheists: two conducted by actors quite new to us, and a third the work of an old acquaintance.<\/p>\n<p>Let\u2019s start with the first.<\/p>\n<h2>Metel: rolling stolen money back<\/h2>\n<p>In the summer of 2015, our Emergency Response Team received a call from a Russian bank. The callers reported a loss of money due to mysterious financial transactions whose origins they were unable to trace. Kaspersky Lab\u2019s experts responded rapidly and located the root cause: a piece of malware based on the well-known Corkow Trojan, which we dubbed Metel (\u2018Snowstorm\u2019 in Russian \u2013 O.G.). The investigation uncovered a cybercriminal operation using an innovative technique that let the group empty the cash cassettes of public ATMs belonging to multiple banks, which accomplices visited by car at night. 
The withdrawals were made with the compromised bank\u2019s own payment cards, and each debit was automatically reversed through the hacked interface of an infected support-centre machine, so the card balance never fell no matter how much cash was dispensed. Further research showed that the Metel operators achieved their initial infection through specially crafted spear-phishing emails with malicious attachments and through the <strong>Niteris exploit pack<\/strong>, which targeted vulnerabilities in the victim\u2019s browser.<\/p>\n<p>Demonstrating that a successful targeted attack does not require a lot of custom malware modules, the cybercriminals used legitimate pentesting tools, including Mimikatz, to obtain administrator credentials. The credentials were harvested after luring administrators onto already compromised machines by crashing arbitrary applications there.<\/p>\n<p>With admin rights it was much easier for them to move laterally, take over the local Domain Controller and eventually locate and gain control over the support computers.<\/p>\n<p>Following the initial discovery, Kaspersky Lab found Metel malware lodged in the IT networks of several more banks. Fortunately, they were able to cleanse the infection before major damage could occur. 
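The rollback trick described above leaves a footprint in the bank's own records if anyone reconciles them: cash physically leaves the ATM, but the card's net debit stays at zero. The following check is an added example written for this article, not code from Kaspersky Lab or from the attackers; the ATM journal format (ISO timestamp, card, event kind, amount in minor units, ATM id) and the sample rows are constructed for illustration, and only the parser would change for a real core-banking or switch export.

```python
"""Reconciliation check for the Metel rollback pattern.

Added example for this post, not code from Kaspersky Lab or the attackers.
The journal format below (ISO timestamp, card, event kind, amount in minor
currency units, ATM id) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AtmEvent:
    ts: datetime
    card: str
    kind: str    # "WITHDRAWAL": cash physically dispensed; "REVERSAL": the debit was cancelled
    amount: int  # minor currency units
    atm: str


def parse_journal(text):
    """Parse the constructed CSV-like journal; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, card, kind, amount, atm = (f.strip() for f in line.split(","))
        events.append(AtmEvent(datetime.fromisoformat(ts), card, kind, int(amount), atm))
    return sorted(events, key=lambda e: e.ts)


def find_rollback_abuse(events, min_dispensed, max_net_ratio=0.05,
                        reversal_window=timedelta(minutes=15)):
    """Flag cards where a lot of cash was dispensed but almost every debit was reversed.

    A reversal is matched to the earliest still-unmatched withdrawal of the same
    amount on the same card within reversal_window. Cash that left the ATM is
    counted regardless of reversals; only unmatched withdrawals count as net debit.
    """
    by_card = defaultdict(list)
    for e in events:
        by_card[e.card].append(e)
    alerts = []
    for card, evs in sorted(by_card.items()):
        withdrawals = [e for e in evs if e.kind == "WITHDRAWAL"]
        unmatched = list(withdrawals)
        reversed_count = 0
        for r in (e for e in evs if e.kind == "REVERSAL"):
            for w in unmatched:
                if w.amount == r.amount and timedelta(0) <= r.ts - w.ts <= reversal_window:
                    unmatched.remove(w)
                    reversed_count += 1
                    break
        dispensed = sum(w.amount for w in withdrawals)
        net_debited = sum(w.amount for w in unmatched)
        if dispensed >= min_dispensed and net_debited <= max_net_ratio * dispensed:
            alerts.append({
                "card": card,
                "dispensed": dispensed,
                "net_debited": net_debited,
                "withdrawals": len(withdrawals),
                "reversed": reversed_count,
                "atms": sorted({w.atm for w in withdrawals}),
            })
    return alerts


# Constructed sample journal: card 4000-A is emptied at three ATMs overnight with
# every debit rolled back (the Metel pattern); 4000-B and 4000-C show ordinary
# activity, including one legitimate reversal each.
SAMPLE_JOURNAL = """
# ts, card, kind, amount, atm
2015-07-14T01:58:10, 4000-A, WITHDRAWAL, 50000, ATM-17
2015-07-14T01:59:05, 4000-A, REVERSAL,   50000, ATM-17
2015-07-14T02:03:41, 4000-A, WITHDRAWAL, 50000, ATM-17
2015-07-14T02:04:30, 4000-A, REVERSAL,   50000, ATM-17
2015-07-14T02:41:12, 4000-A, WITHDRAWAL, 50000, ATM-08
2015-07-14T02:42:01, 4000-A, REVERSAL,   50000, ATM-08
2015-07-14T02:46:55, 4000-A, WITHDRAWAL, 50000, ATM-08
2015-07-14T02:47:40, 4000-A, REVERSAL,   50000, ATM-08
2015-07-14T03:20:03, 4000-A, WITHDRAWAL, 50000, ATM-23
2015-07-14T03:21:00, 4000-A, REVERSAL,   50000, ATM-23
2015-07-14T03:25:18, 4000-A, WITHDRAWAL, 50000, ATM-23
2015-07-14T03:26:09, 4000-A, REVERSAL,   50000, ATM-23
2015-07-14T09:12:00, 4000-B, WITHDRAWAL, 10000, ATM-02
2015-07-14T09:12:40, 4000-B, REVERSAL,   10000, ATM-02
2015-07-14T18:30:00, 4000-B, WITHDRAWAL, 10000, ATM-02
2015-07-14T12:00:00, 4000-C, WITHDRAWAL,  5000, ATM-11
2015-07-14T12:00:50, 4000-C, REVERSAL,    5000, ATM-11
"""


def run_sample():
    """Run the check over the constructed journal with a 100000-unit dispensed threshold."""
    return find_rollback_abuse(parse_journal(SAMPLE_JOURNAL), min_dispensed=100000)


if __name__ == "__main__":
    for a in run_sample():
        print(f"card {a['card']}: {a['withdrawals']} withdrawals, {a['reversed']} reversed, "
              f"{a['dispensed']} dispensed vs {a['net_debited']} net debited, ATMs {a['atms']}")
```

The threshold on dispensed cash keeps single failed-dispense reversals (card 4000-C) out of the output, while the net-debit ratio is what separates a card that is genuinely being refunded from one whose balance is being kept artificially full. In practice the dispensed figure should come from the ATM's own cash-out counters rather than from the same host the attackers control.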
Still, there are grounds to suspect that the infection is much more widespread, and banks around the world are advised to check proactively for infection using the published Indicators of Compromise (IoCs), or to contact <strong>Kaspersky Lab specialists<\/strong> for a more thorough search.<\/p>\n<p><img decoding=\"async\" class=\"size-full wp-image-5162 aligncenter\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/02\/06020431\/metel2.jpg\" alt=\"metel2\" width=\"1000\" height=\"667\"><\/p>\n<h2>GCMan: The Money Ping<\/h2>\n<p>Another bank contacting Kaspersky Lab\u2019s emergency team reported that it was losing the equivalent of $200 a minute through an unidentified channel. Our <a href=\"https:\/\/sas.kaspersky.com\/\" target=\"_blank\" rel=\"noopener nofollow\">cyberdetectives<\/a> investigated the \u2018crime scene\u2019 and found malware sitting alongside a number of legitimate and pentesting tools (including PuTTY, VNC and Meterpreter). The primary malware was compiled with the GCC compiler, more usual in the Linux world than for Windows software, hence the \u2018GCMan\u2019 nickname. Using techniques very similar to Metel\u2019s, GCMan gained a foothold inside the bank\u2019s security perimeter with the help of spear-phishing emails carrying malicious attachments. It then explored the network, located the server responsible for financial transactions and set up a scheduled script that started sending $200 \u2018pings\u2019 to multiple e-currency systems, without the transactions being reported anywhere or triggering any alarms.<\/p>\n<p>A stroke of luck, and help from Kaspersky Lab specialists, allowed the bank to identify the suspicious network activity and to locate and cancel the unwanted transactions. All the same, it is worth noting that the initial infection occurred <u>more than 18 months<\/u> before the \u2018money pings\u2019 started. 
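Transfers of an identical amount on a metronomic schedule are what a scheduled task produces and what a human treasurer never does, so the GCMan pattern is detectable on the transaction server's own ledger even when nothing else fires. The detector below is an added example written for this article, not Kaspersky Lab's or the attackers' code; the outbound-transfer ledger format (ISO timestamp, source account, destination system, amount in whole currency units) and its rows are constructed. It groups transfers by destination and amount and reports runs whose inter-arrival gaps stay within a few seconds of one another.

```python
"""Periodicity check for the GCMan 'money ping' pattern.

Added example for this post, not code from Kaspersky Lab or the attackers.
The ledger format (ISO timestamp, source account, destination system, amount
in whole currency units) is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    source: str   # kept for the analyst; grouping ignores it, since attackers may rotate accounts
    dest: str
    amount: int


def parse_ledger(text):
    """Parse the constructed ledger; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, source, dest, amount = (f.strip() for f in line.split(","))
        rows.append(Transfer(datetime.fromisoformat(ts), source, dest, int(amount)))
    return rows


def _split_runs(stamps, jitter):
    """Split sorted timestamps into maximal runs of near-constant spacing.

    The run's first gap is its reference period; every later gap must lie
    within `jitter` of it, otherwise the run is closed and a new one starts.
    """
    runs, run = [], [stamps[0]]
    for prev, cur in zip(stamps, stamps[1:]):
        gap = cur - prev
        if len(run) == 1 or abs(gap - (run[1] - run[0])) <= jitter:
            run.append(cur)
        else:
            runs.append(run)
            run = [cur]
    runs.append(run)
    return runs


def find_periodic_runs(transfers, min_run=5, jitter=timedelta(seconds=10)):
    """Return runs of >= min_run transfers with identical destination and amount
    sent at a near-constant interval. Scheduled tasks drift by seconds, not
    minutes, so a tight jitter keeps ordinary repeated payments out of the result."""
    groups = defaultdict(list)
    for t in transfers:
        groups[(t.dest, t.amount)].append(t.ts)
    alerts = []
    for (dest, amount), stamps in sorted(groups.items()):
        for run in _split_runs(sorted(stamps), jitter):
            if len(run) < min_run:
                continue
            period = run[1] - run[0]
            alerts.append({
                "dest": dest,
                "amount": amount,
                "count": len(run),
                "period_s": int(period.total_seconds()),
                "total": amount * len(run),
                "first": run[0].isoformat(),
                "last": run[-1].isoformat(),
            })
    return alerts


# Constructed ledger: eight $200 pings to one e-currency system roughly every
# minute (with a few seconds of scheduler drift), mixed with irregular legitimate
# transfers, including some that happen to be $200 as well.
SAMPLE_LEDGER = """
# ts, source_account, dest_system, amount
2015-11-03T08:00:00, ACC-7781, E-WALLET-2, 200
2015-11-03T09:15:00, ACC-1020, E-WALLET-1, 1450
2015-11-03T10:00:00, ACC-7781, E-WALLET-1, 200
2015-11-03T10:01:02, ACC-7781, E-WALLET-1, 200
2015-11-03T10:02:01, ACC-7781, E-WALLET-1, 200
2015-11-03T10:03:03, ACC-7781, E-WALLET-1, 200
2015-11-03T10:04:00, ACC-7781, E-WALLET-1, 200
2015-11-03T10:05:02, ACC-7781, E-WALLET-1, 200
2015-11-03T10:06:01, ACC-7781, E-WALLET-1, 200
2015-11-03T10:07:04, ACC-7781, E-WALLET-1, 200
2015-11-03T11:00:00, ACC-3310, E-WALLET-2, 200
2015-11-03T14:02:00, ACC-1020, E-WALLET-1, 3120
2015-11-03T15:30:00, ACC-7781, E-WALLET-2, 200
"""


def run_sample():
    return find_periodic_runs(parse_ledger(SAMPLE_LEDGER))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['count']} x {a['amount']} to {a['dest']} every ~{a['period_s']}s "
              f"({a['first']} .. {a['last']}), total {a['total']}")
```

Reporting per (destination, amount) pair rather than per source account matters because the attackers owned the transaction server and could have drawn from any account; what they could not hide was the rhythm of the scheduler. Run this over the ledger the payment system writes, not over the alerting channel the same server was supposed to feed.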
During that time the attackers kept a low profile, gradually expanding their control over the network and laying the groundwork for the subsequent theft: 70 hosts and 56 accounts were compromised, using a total of 139 auxiliary attack sources (including the Tor network and compromised SOHO routers).<\/p>\n<p>Several more financial institutions contacted Kaspersky Lab with incidents that subsequently proved connected to GCMan. But there is reason to assume that the infiltration was much more widespread, so don\u2019t hesitate to check proactively for attack indicators. GCMan may move slowly, but it can start siphoning off funds at any time.<\/p>\n<h2>Carbanak 2.0: expanding the boundaries of crime<\/h2>\n<p>The group that made many a banker turn grey by <a href=\"https:\/\/securelist.com\/blog\/research\/68732\/the-great-bank-robbery-the-carbanak-apt\/\" target=\"_blank\" rel=\"noopener\">stealing a total of nearly $1 billion last year<\/a> is back. After the initial operation they faded into the shadows for several months, but in September 2015 our colleagues from CSIS discovered a new variant of their malware during an incident investigation. In December 2015, Kaspersky Lab\u2019s GReAT experts confirmed that the group is still active despite all the rumors of retirement. As part of a new wave of operations, they expanded their choice of victims, targeting the accounting and budgeting departments of a wide range of companies. In one case they even attempted to plant forged records showing that an accomplice was one of the target enterprise\u2019s shareholders. It remains unclear how they intended to use this in the future.<\/p>\n<p>Carbanak\u2019s initial series of attacks was noted for its wide use of legitimate tools, and even of built-in administrative interfaces, to achieve its goals. 
Their second iteration was similar: besides an updated backdoor module, they used pentesting tools such as Meterpreter and a number of legitimate Remote Administration Tools, including the same Ammyy Admin that was used during their first appearance.<\/p>\n<h2>Less malware: more legitimate software \u2013 plus extensive testing<\/h2>\n<p>These three cases neatly illustrate one important trend in the perpetration of targeted attacks. Why write a lot of custom malware when legitimate utilities can be just as effective and trigger far fewer alarms? The attackers achieve the necessary reliability by rehearsing against a replica of the target\u2019s security stack and then tweaking the attack scheme until it passes unnoticed. Such a situation merits extra attention to your current security posture: some aspects definitely need reviewing.<\/p>\n<h2>Addressing the issue<\/h2>\n<p>The first thing to be done, given the stories above, is to review the alerts triggered by different types of \u2018Riskware\u2019, such as Remote Administration Tools: a legitimate tool appearing where nobody installed it deserves investigation rather than being reflexively suppressed as a false positive. But, of course, this alone is not enough. According to the ASD\u2019s comprehensive <a href=\"https:\/\/encyclopedia.kaspersky.com\/knowledge\/strategies-for-mitigating-advanced-persistent-threats-apts\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">Targeted Attack Mitigation Strategies<\/a>, application allowlisting (controlling which executables are permitted to launch) is one of the Top 4 mitigations, which together are credited with stopping at least 85% of the targeted intrusions the ASD has responded to. In the case of financial institutions, the price of a security breach can be incredibly high: besides the simple matter of money, hundreds of thousands of customer records can be endangered. 
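What application allowlisting buys you, and where its seams are, is easiest to see in the decision logic itself. The following is a deliberately small default-deny evaluator written for this article as an added example; it is not AppLocker, not a Kaspersky component and not anything the attackers used, and its rule kinds, file metadata and both policies are constructed. It follows the usual semantics (publisher, path and hash rules; an explicit deny beats an allow; no matching allow means block) and shows the interpreter gap: a policy that governs only executables will let a trusted, signed script host run any script it is handed, which is why script controls must be enforced alongside executable rules.

```python
"""Toy default-deny application-control evaluator.

Added example for this post; not AppLocker, not a Kaspersky component. Rule
kinds (publisher / path / hash), the sample files and both policies are
constructed to show the decision logic, including the script-interpreter gap.
"""
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatch


@dataclass(frozen=True)
class FileInfo:
    path: str
    publisher: str   # signer subject; "" when unsigned
    content: bytes   # stands in for the file bytes

    def sha256(self):
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Rule:
    scope: str       # "exe" or "script": which kind of file the rule governs
    kind: str        # "publisher" | "path" | "hash"
    value: str
    action: str = "allow"


def matches(rule, f):
    if rule.kind == "publisher":
        return f.publisher != "" and f.publisher == rule.value
    if rule.kind == "path":
        return fnmatch(f.path.lower(), rule.value.lower())  # backslashes are literal in fnmatch
    if rule.kind == "hash":
        return f.sha256() == rule.value
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def decide(policy, f, scope):
    """Default deny: an explicit deny wins, otherwise some allow must match, otherwise block."""
    hits = [r for r in policy if r.scope == scope and matches(r, f)]
    if any(r.action == "deny" for r in hits):
        return "deny"
    return "allow" if any(r.action == "allow" for r in hits) else "deny"


def evaluate_launch(policy, exe, script=None):
    """Decide a launch of `exe`, optionally asked to run `script`. Returns (verdict, basis)."""
    if decide(policy, exe, "exe") == "deny":
        return ("deny", "exe")
    if script is None:
        return ("allow", "exe")
    if not any(r.scope == "script" for r in policy):
        # Interpreter gap: the host is trusted and nothing ever inspects the script itself.
        return ("allow", "interpreter-gap")
    return (decide(policy, script, "script"), "script")


# Constructed files as they might appear on an accountant's workstation.
POWERSHELL = FileInfo(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      "CN=Microsoft Windows", b"powershell host")
LEDGER_APP = FileInfo(r"C:\Program Files\ExampleBank\Ledger\ledger.exe",
                      "CN=Example Bank Software", b"ledger client")
DROPPER = FileInfo(r"C:\Users\acct\AppData\Local\Temp\invoice_0412.exe", "", b"malicious")
USER_SCRIPT = FileInfo(r"C:\Users\acct\AppData\Local\Temp\stage2.ps1", "", b"downloader")
ADMIN_SCRIPT = FileInfo(r"C:\Scripts\Approved\backup.ps1", "", b"backup job")
TAMPERED_SCRIPT = FileInfo(ADMIN_SCRIPT.path, "", b"backup job + payload")  # same path, edited

# Executable-only allowlist: a common first attempt at Default Deny.
EXE_ONLY_POLICY = [
    Rule("exe", "publisher", "CN=Microsoft Windows"),
    Rule("exe", "publisher", "CN=Example Bank Software"),
]

# Hardened policy: scripts are governed too. The one approved script is pinned by
# hash rather than path, so editing it in place is enough to get it blocked, and
# user-writable locations are explicitly denied for executables as well.
HARDENED_POLICY = EXE_ONLY_POLICY + [
    Rule("script", "hash", ADMIN_SCRIPT.sha256()),
    Rule("exe", "path", r"C:\Users\*\AppData\*", action="deny"),
]


def run_sample():
    return {
        "dropper_exe_only": evaluate_launch(EXE_ONLY_POLICY, DROPPER),
        "ledger_exe_only": evaluate_launch(EXE_ONLY_POLICY, LEDGER_APP),
        "user_script_exe_only": evaluate_launch(EXE_ONLY_POLICY, POWERSHELL, USER_SCRIPT),
        "user_script_hardened": evaluate_launch(HARDENED_POLICY, POWERSHELL, USER_SCRIPT),
        "admin_script_hardened": evaluate_launch(HARDENED_POLICY, POWERSHELL, ADMIN_SCRIPT),
        "tampered_script_hardened": evaluate_launch(HARDENED_POLICY, POWERSHELL, TAMPERED_SCRIPT),
    }


if __name__ == "__main__":
    for name, (verdict, basis) in run_sample().items():
        print(f"{name:26s} -> {verdict:5s} ({basis})")
```

The executable-only policy already stops the unsigned dropper, which is the bulk of commodity malware and the reason allowlisting scores so well in the ASD figures. It does nothing against a script fed to an allowlisted interpreter, so a real deployment needs the equivalent of script rules (and constrained PowerShell) in force, and should prefer hash or publisher pins over path rules for anything that lives in a writable directory.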
So it\u2019s well worth considering the adoption of a Default Deny <a href=\"https:\/\/securelist.com\/analysis\/publications\/36746\/application-control-the-key-to-a-secure-network-part-1\/\" target=\"_blank\" rel=\"noopener\">Application Control<\/a> scenario for all those workstations that perform only a limited number of tasks \u2013 customer support operators\u2019 or accountants\u2019 PCs, for example. This prevents the majority of file-based malware from launching, since only explicitly allowed applications can run. Policing internet access reduces the risk even further: many workstations don\u2019t need to browse the web at all, and the rest can be restricted to safer web resources using Web Control. Device Control restricts the use of portable storage, which can serve both as an infection vector and as a data leakage channel.<\/p>\n<p>But even such potent technologies as allowlisting and Default Deny cannot be considered a complete panacea. Attackers are not stupid, and keep inventing new tricks to sidestep them: GCMan, for example, employs a number of PowerShell scripts to confuse different implementations of Default Deny, a common trick because an allowlisted interpreter such as powershell.exe will run whatever script it is handed unless scripts themselves are also controlled. So extra security layers are needed as well.<\/p>\n<p>These controls are part of <a href=\"https:\/\/www.kaspersky.com\/business-security\/endpoint-advanced\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Endpoint Security for Business<\/a>, a multi-layered product whose technologies guard the most vulnerable element of the IT network: the endpoint.<\/p>\n<p>Of course, even a multitude of endpoint security layers is not enough on its own. Spear-phishing, one of the most popular techniques for initial infection, makes reliable mail security a must. <a href=\"https:\/\/www.kaspersky.com\/business-security\/mail-server\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Mail Servers<\/a> scans incoming emails for both malicious attachments and URLs, significantly reducing the chances of malware reaching its victims.<\/p>\n<p>In the light of the stories above, you may want to consider ordering a proactive inspection of your IT infrastructure for the presence of targeted attacks. Our <a href=\"https:\/\/www.kaspersky.com\/business-security\/entrp\/solutions\/security-intelligence-services\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Targeted Attack Discovery<\/a><a href=\"#_ftn1\" name=\"_ftnref1\" target=\"_blank\" rel=\"noopener\">[1]<\/a> service employs experienced investigators armed with extensive security intelligence to uncover and help neutralize even the most complicated targeted attacks.<\/p>\n<p>From ancient times, the banking business has been associated with the danger of theft. 
The advance of technology has provided criminals with extra opportunities, and in the digital age such opportunities have become a sword of Damocles hanging over financial institutions. There really is good reason to adjust your <a href=\"http:\/\/media.kaspersky.com\/en\/business-security\/enterprise\/Adaptive_Enterprise_Security_Brochure.pdf?_ga=1.251707657.1689786222.1454420866\" target=\"_blank\" rel=\"noopener nofollow\">IT security strategy<\/a> right now.<\/p>\n<p>For more about these bank busters, <a href=\"https:\/\/securelist.com\/blog\/research\/73638\/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks\" target=\"_blank\" rel=\"noopener\">read the full research post on Securelist<\/a>.<\/p>\n<p><a href=\"#_ftnref1\" name=\"_ftn1\" target=\"_blank\" rel=\"noopener\">[1]<\/a> Available only in a limited number of regions. To find out whether the service is available in your region, please contact your Kaspersky Lab manager.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>From ancient times, the banking business has been associated with the danger of theft. 
The advance of technology has provided criminals with extra opportunities.<\/p>\n","protected":false},"author":610,"featured_media":15474,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[519,2389,1410],"class_list":{"0":"post-15127","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-banking","10":"tag-bankingapt","11":"tag-sas-2016"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/bank-busting-carbanak-2\/15127\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/bank-busting-carbanak-2\/15127\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/bank-busting-carbanak-2\/15127\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/banking\/","name":"banking"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/610"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15127"}],"version-history":[{"count":10,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15127\/revisions"}],"predecessor-version":[{"id":38113,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15127\/revisions\/38113"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15474"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=15127"}],"wp:term":[{"taxonomy":"category","embeddable":tr
ue,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}