17 October 2017

Security experts warn of new breed of bank malware

09 February 2016  |  Moscow, Russia

A Russian hacking group is infecting bank IT systems with malware that lets it hide fraudulent ATM transactions by automatically rolling back the withdrawals so that balances appear unchanged.

According to Kaspersky Labs, the Metel malware was caught in the wild last summer when a bank in Russia discovered it had lost millions of rubles in a single night through a series of strange financial transactions.

Cards belonging to its customers were making withdrawals from ATMs belonging to other banks, cashing out huge sums of money while their balances remained untouched. The victim bank didn’t realise this until it tried to recoup the money withdrawn from the other banks’ ATMs.

Kaspersky says that the malware was being used exclusively by the Metel cybergang, which infects bank corporate networks via e-mail before gaining access to the money-processing system and automating the rollback of ATM transactions. Gang members drove around several Russian cities at night, making withdrawals from ATMs belonging to different banks and emptying the machines' cassettes.
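The tell-tale sign of the rollback trick described above, from the issuing bank's side, is a card whose withdrawals at other banks' ATMs are repeatedly reversed seconds later so that its balance never moves. The following is an added detection example, not code from the article or from Kaspersky; the ledger lines, field layout and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ledger as the issuing bank would see it:
# timestamp, masked card, event type, amount (rubles), ATM-owning bank.
# The issuer sees only authorisations and reversals; whether cash was
# actually dispensed is known only to the ATM owner.
SAMPLE_LEDGER = """\
2015-07-14T02:00:05 4111****1111 WITHDRAWAL 30000 OtherBankA
2015-07-14T02:00:09 4111****1111 REVERSAL   30000 OtherBankA
2015-07-14T02:03:40 4111****1111 WITHDRAWAL 30000 OtherBankB
2015-07-14T02:03:44 4111****1111 REVERSAL   30000 OtherBankB
2015-07-14T02:07:12 4111****1111 WITHDRAWAL 30000 OtherBankA
2015-07-14T02:07:15 4111****1111 REVERSAL   30000 OtherBankA
2015-07-14T09:15:00 5500****2222 WITHDRAWAL 5000  OwnBank
2015-07-14T11:40:00 5500****2222 WITHDRAWAL 2000  OtherBankA
2015-07-14T11:40:20 5500****2222 REVERSAL   2000  OtherBankA
"""

def parse_ledger(text):
    events = []
    for line in text.splitlines():
        ts, card, kind, amount, atm = line.split()
        events.append((datetime.fromisoformat(ts), card, kind, int(amount), atm))
    return events

def find_rollback_abuse(events, window=timedelta(seconds=60), min_pairs=2):
    """Return {card: [(withdrawal_ts, amount, atm_owner), ...]} for cards
    whose withdrawals are reversed within `window` at least `min_pairs`
    times.  A single reversal (declined transaction, no cash out) is
    routine; a run of them on one card is the pattern to investigate."""
    by_card = defaultdict(list)
    for ev in events:
        by_card[ev[1]].append(ev)
    flagged = {}
    for card, evs in by_card.items():
        evs.sort()
        pairs, pending = [], []   # pending: withdrawals awaiting a reversal
        for ts, _, kind, amount, atm in evs:
            if kind == "WITHDRAWAL":
                pending.append((ts, amount, atm))
            elif kind == "REVERSAL":
                for i, (wts, wamt, watm) in enumerate(pending):
                    if wamt == amount and watm == atm and ts - wts <= window:
                        pairs.append((wts, amount, atm))
                        del pending[i]
                        break
        if len(pairs) >= min_pairs:
            flagged[card] = pairs
    return flagged
```

Reconciling the flagged amounts against the other banks' settlement files is what would have surfaced the loss before the victim bank tried to recoup the money.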

(Images from Kaspersky Lab)

Kaspersky says that it found Metel in more than 30 financial institutions, but cleaned up the networks "before any major damage could be done".

The Metel attacks are part of what Kaspersky warns is an increasing trend among cybercrooks to adopt the tools and tactics of nation-state backed advanced persistent threats (APTs) in order to rob banks.

The firm has also identified a second Russian group, called GCMAN, which uses techniques similar to Metel's to infect banks via spear-phishing and then attempts to transfer money to e-currency services.

Once inside a bank's network, the GCMAN group uses legitimate administration and penetration-testing tools such as PuTTY, VNC, and Meterpreter for lateral movement until it finds a machine that can send money to e-currency services without alerting other banking systems.

The crooks stayed in the network of one victim for a year and a half before activating the theft. Money was transferred in sums of about $200, the upper limit for anonymous payments in Russia. Every minute, a Cron scheduler fired a malicious script, and another sum was transferred to an e-currency account belonging to a money mule.

Meanwhile, the Carbanak malware - which last year Kaspersky claimed was used to steal up to a billion dollars from 100 banks worldwide in an unprecedented cyber heist by a gang of hackers - has been rebooted and is now being used not just to target banks but the budgeting and accounting departments of other firms.

Sergey Golovanov from Kaspersky Labs says: "Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cybercriminals aggressively embracing APT-style attacks. The Carbanak gang was just the first of many: cybercriminals now learn fast how to use new techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly. Their logic is simple: that’s where the money is."

While Russia may be a hotbed of cybercrime, authorities there have recently won a victory. According to a Reuters report, in November cops raided offices associated with a Moscow film distribution and production company as part of a crackdown on a hacking group.

Since the raid, experts say that a password-stealing software program known as Dyre — believed to be responsible for tens of millions of dollars in losses at banks — has not been deployed.
