Cyber criminals cash out using PowerShell, other legitimate tools

Kaspersky Lab found three cyber crime gangs using customized malware and APT-style reconnaissance to get the stolen money into their pockets

Cyber criminals use a variety of methods to steal money, but they also need to somehow get those ill-gotten gains into their pockets. Kaspersky Lab researchers outlined how three different cyber crime gangs used legitimate networking tools against banks to cash out.

Cyber criminals are increasingly adopting techniques previously used by nation-state actors to craft stealthy attacks against banks, and there are new players in the game, researchers said at the Kaspersky Lab Security Analyst Summit.

Metel, Gcman, and Carbanak 2.0 (the 2.0 refers to the fact that the audacious cyber criminal gang has expanded its attack methods) rely on covert advanced persistent threat-style reconnaissance and customized malware along with legitimate software to transfer money to accounts belonging to networks of money mules.

"Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cyber criminals aggressively embracing APT-style attacks," said Sergey Golovanov, principal security analyst at Kaspersky Lab's Global Research & Analysis Team.

Criminals used to target their operations against individual bank customers or companies, but over the past year, they've shifted their focus to the banks themselves, Kaspersky Lab researchers said. Last year, the research team disclosed the inner workings of the Carbanak cyber gang, which stole an estimated $1 billion from banks in 25 different countries between 2013 and 2015. At the time, researchers warned that cyber criminals would begin using tools and tactics previously associated with nation-state advanced persistent threats against financial targets.

"The Carbanak gang was just the first of many. Cyber criminals now learn fast how to use new techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly. Their logic is simple: that's where the money is," Golovanov said.

Use regular software tools

Metel, Gcman, and Carbanak are increasingly combining legitimate software with custom malware to carry out their operations. "Why write a lot of custom malware tools, when legitimate utilities can be just as effective, and trigger far fewer alarms?" the researchers said.

While the group behind Gcman had its own malware -- compiled using the GCC compiler -- it was also capable of compromising an organization with nothing more than legitimate remote access and pen-testing tools, Golovanov said. At one bank, the attackers compromised the payment gateway server and set up a cron job to execute a malicious script that transferred $200 every minute -- the most Russian banks allow as an anonymous transaction -- into an account belonging to a money mule. Since the transaction orders were sent directly to the bank's upstream payment gateway, they did not show up in the bank's internal systems.

Every minute it took researchers to investigate and remove the script cost the bank $200, said Kaspersky Lab's Vladislav Roskov.

The attackers gained access to the network through a debug script on the Web server that let administrators execute commands against the SQL database. Once inside, they launched Meterpreter and Mimikatz through PowerShell to spawn processes and inject commands, and used PuTTY for SSH port forwarding and VNC to move laterally through the network.

The attackers were persistent: they spent two months brute-forcing the administrator password on the server, running the brute-force script every Saturday and trying only three passwords per run, a pace low enough to stay under typical lockout and alerting thresholds. The initial compromise, however, had happened more than 18 months earlier; the attackers waited more than a year before kicking off the transfer script, Roskov said.
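Three guesses a week is exactly the pattern a per-hour failure threshold never sees. The following is an added example, not code from Kaspersky Lab or from the article, showing why: it parses constructed sshd log lines (the host name, addresses and timestamps are invented for illustration) and runs two rules over them, a conventional burst rule and a long-horizon rule that counts failures against the same account from the same source over weeks rather than minutes.

```python
"""Low-and-slow SSH brute-force detection over syslog-style sshd lines.
Added example; the sample log below is constructed, not from any real incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd excerpt: three failed root logins every Saturday around 03:00
# from 10.0.0.5, plus one unrelated failure by a legitimate user. Syslog
# timestamps carry no year, so parse_failures() takes it as a parameter.
SAMPLE_LOG = """\
Jan 10 03:00:01 pgw01 sshd[2201]: Failed password for root from 10.0.0.5 port 51001 ssh2
Jan 10 03:00:04 pgw01 sshd[2201]: Failed password for root from 10.0.0.5 port 51001 ssh2
Jan 10 03:00:07 pgw01 sshd[2201]: Failed password for root from 10.0.0.5 port 51001 ssh2
Jan 12 09:14:33 pgw01 sshd[2350]: Failed password for alice from 192.168.7.20 port 40022 ssh2
Jan 12 09:14:41 pgw01 sshd[2350]: Accepted password for alice from 192.168.7.20 port 40022 ssh2
Jan 17 03:00:02 pgw01 sshd[3102]: Failed password for root from 10.0.0.5 port 51040 ssh2
Jan 17 03:00:05 pgw01 sshd[3102]: Failed password for root from 10.0.0.5 port 51040 ssh2
Jan 17 03:00:08 pgw01 sshd[3102]: Failed password for root from 10.0.0.5 port 51040 ssh2
Jan 24 03:00:01 pgw01 sshd[4011]: Failed password for root from 10.0.0.5 port 51077 ssh2
Jan 24 03:00:04 pgw01 sshd[4011]: Failed password for root from 10.0.0.5 port 51077 ssh2
Jan 24 03:00:07 pgw01 sshd[4011]: Failed password for root from 10.0.0.5 port 51077 ssh2
Jan 31 03:00:03 pgw01 sshd[4920]: Failed password for root from 10.0.0.5 port 51110 ssh2
Jan 31 03:00:06 pgw01 sshd[4920]: Failed password for root from 10.0.0.5 port 51110 ssh2
Jan 31 03:00:09 pgw01 sshd[4920]: Failed password for root from 10.0.0.5 port 51110 ssh2
"""

# Matches the OpenSSH "Failed password" line, including the "invalid user" variant.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_failures(log, year):
    """Return {(src, user): [datetime, ...]} (sorted) for every failed-password line."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[(m["src"], m["user"])].append(ts)
    for times in events.values():
        times.sort()
    return dict(events)


def sliding_window_alerts(events, window, threshold):
    """Flag (src, user) pairs with at least `threshold` failures inside any
    interval of length `window`. Two-pointer scan over the sorted timestamps."""
    alerts = set()
    for key, times in events.items():
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.add(key)
                break
    return alerts


def burst_alerts(events):
    """Conventional rule: 10 failures within one hour. Misses 3-per-week guessing."""
    return sliding_window_alerts(events, timedelta(hours=1), 10)


def low_and_slow_alerts(events):
    """Long-horizon rule: 6 or more failures against one account from one source
    within 30 days, however widely spaced. Catches the weekly pattern."""
    return sliding_window_alerts(events, timedelta(days=30), 6)


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG, 2015)
    print("burst rule:", burst_alerts(ev))          # empty set
    print("low-and-slow:", low_and_slow_alerts(ev))  # {('10.0.0.5', 'root')}
```

The long-horizon rule costs more state (per source/account history rather than a rolling hour) but that is the trade: an attacker who already controls the pacing of the guesses will always fit under a short window, so the detection horizon has to be longer than the attacker's patience. Lockout policies counted per hour or per day have the same blind spot.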

Rolling back ATM transactions

Another new gang, Metel, put a novel twist on how cyber criminals empty out ATMs. "Money mules were driving from one bank to another ... They cashed out millions using one debit card," Golovanov said.

Metel gained its initial foothold with specially crafted spear-phishing emails carrying malicious attachments, or with the Niteris exploit pack exploiting unpatched vulnerabilities in the victim's Web browser, to infect a computer on the targeted bank's network. The attackers then used various network and pentesting tools to hijack the local domain controller and moved laterally through the network in search of machines used for payment card processing.

The attackers established remote access to machines that could act on ATM transactions, such as call center systems or support computers. When a money mule made a withdrawal at an ATM, the transaction appeared on that system and the attackers canceled it. The mule kept the cash, the balance on the debit card remained unchanged, and the cycle could be repeated until the ATM was empty.

"The [attacker] was tunneling through the Internet ... and then it was 'click, click, click,' on lots of items," Golovanov said, tapping his fingers on the table.

Golovanov said the attacks were specifically designed for each targeted bank. Metel's malware used more than 30 modules with capabilities such as screenshot, keylogger, grabbing clipboard data, browser form grabber, process monitoring, remote control, and Web injections. While some of the modules were coded specifically by the Metel gang, several were borrowed from other malware, such as the Carberp banking Trojan.

Metel was a "Swiss Army knife, or Frankenstein" malware, Roskov said.

One note: Metel does not need long -- a single night -- to cash out the ATMs. "When the attackers become skilled in a particular operation, it takes them just days or a week to take what they want and run," said Golovanov.

An initial module "mini Metel" analyzed the infected system to determine "whether this particular victim was valuable to them [for attack] or not," Roskov said.

Old gang, new APT tricks

Carbanak 2.0 uses the same tools and techniques as the original Carbanak, but has a different victim profile: it has expanded the pool of potential targets beyond banks to include the budgeting and accounting departments of various organizations. Carbanak previously manipulated bank account balances, but has adopted new methods such as manipulating depository information, said Golovanov.

In one incident, the attackers modified the victim company's shareholder registration data to list a money mule as the owner. The mule, as the registered owner, could then withdraw the money directly. Banks regularly check balances to make sure they haven't been changed, but "no one checks registration data," Golovanov said. Financial institutions should be protecting the databases containing information about the owners of accounts, not only their balances.
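A balance-only reconciliation passes cleanly over exactly this attack, because the balance never moved; only the record of who is allowed to draw on it did. The following is an added example, not code from the article or from any bank, of a reconciliation that covers ownership fields as well. The record layout, account identifiers, names and the key are all invented for illustration; the point is the structure: a keyed digest of the ownership fields is snapshotted at audit time and kept outside the database it protects, so someone with write access to the registry but not to the key cannot rewrite an owner and a matching digest together.

```python
"""Reconciliation of account ownership records, not only balances.
Added example with constructed data; no real bank schema is implied."""
import hashlib
import hmac

# Hypothetical key held by the reconciliation system, stored outside the
# registry database (for illustration only; not a production key).
RECON_KEY = b"example-reconciliation-key-not-for-production"

# Constructed registry as it looked at the last audit.
AUDITED = [
    {"account": "ACC-1001", "owner_name": "Ivanova, Olga",  "owner_id": "P-7781", "balance": 150000},
    {"account": "ACC-1002", "owner_name": "Petrov, Dmitry", "owner_id": "P-2204", "balance": 82000},
]

# Constructed registry as it looks now: the owner of ACC-1002 has been rewritten
# to a mule while the balance is untouched.
CURRENT = [
    {"account": "ACC-1001", "owner_name": "Ivanova, Olga", "owner_id": "P-7781", "balance": 150000},
    {"account": "ACC-1002", "owner_name": "Mule, Money",   "owner_id": "P-9999", "balance": 82000},
]

OWNER_FIELDS = ("account", "owner_name", "owner_id")


def owner_tag(rec):
    """Keyed digest over the ownership fields only (balance is reconciled separately)."""
    msg = "\x1f".join(str(rec[f]) for f in OWNER_FIELDS).encode("utf-8")
    return hmac.new(RECON_KEY, msg, hashlib.sha256).hexdigest()


def snapshot(records):
    """What the reconciliation system keeps out-of-band after an audit:
    per account, the balance and the owner tag, never the key."""
    return {r["account"]: {"balance": r["balance"], "owner_tag": owner_tag(r)} for r in records}


def balance_check(snap, current):
    """Balance-only reconciliation. Returns accounts whose balance differs from the snapshot."""
    return sorted(r["account"] for r in current
                  if r["account"] not in snap or snap[r["account"]]["balance"] != r["balance"])


def ownership_check(snap, current):
    """Ownership reconciliation. Returns accounts whose registration fields changed,
    or that did not exist at audit time."""
    flagged = []
    for r in current:
        base = snap.get(r["account"])
        if base is None or not hmac.compare_digest(base["owner_tag"], owner_tag(r)):
            flagged.append(r["account"])
    return sorted(flagged)


if __name__ == "__main__":
    snap = snapshot(AUDITED)
    print("balance discrepancies:", balance_check(snap, CURRENT))    # []
    print("ownership discrepancies:", ownership_check(snap, CURRENT))  # ['ACC-1002']
```

Whether the tag is an HMAC or a signature matters less than where the snapshot lives: if it sits in the same database under the same credentials the attacker already holds, it will be rewritten along with the owner field.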

Shift in techniques

The researchers declined to estimate how much money the three cyber gangs may have stolen to date, but noted they had identified almost 30 incidents connected to these gangs. They noted the gangs are still in operation, and the amount of money they could cash out depended on their networks of money mules.

The researchers also declined to identify the organizations which have been targeted by Carbanak 2.0, Metel, and Gcman, but said that the attacks appear to be limited to Russian banks for the moment. For Metel, there are "grounds to suspect the infection is much more widespread," and considering Carbanak stole $1 billion from banks in 25 different countries, Carbanak 2.0 is likely capable of jumping to other countries, they said.

The banking attacks pose a messy situation for administrators because "they have no idea what they are fighting ... all their systems are compromised," Golovanov said.

Copyright © 2016 IDG Communications, Inc.