A Russian hacking group is infecting bank IT systems with malware that lets it hide fraudulent ATM transactions by automatically rolling back the withdrawals so that balances appear unchanged.
According to Kaspersky Labs, the Metel malware was caught in the wild last summer when a bank in Russia discovered it had lost millions of rubles in a single night through a series of strange financial transactions.
Cards belonging to its customers were making withdrawals from ATMs belonging to other banks, cashing out huge sums of money while their balances remained untouched. The victim bank didn’t realise this until it tried to recoup the money withdrawn from the other banks’ ATMs.
Kaspersky says that the malware was being used exclusively by the Metel cybergang, which infects bank corporate networks via e-mail before gaining access to the money-processing system and automating the rollback of ATM transactions. Gang members drove around several Russian cities at night, making withdrawals from ATMs belonging to different banks, emptying the machines' cassettes.
(Images from Kaspersky Lab)
Kaspersky says that it found Metel in more than 30 financial institutions, but cleaned up the networks "before any major damage could be done".
The Metel attacks are part of what Kaspersky warns is an increasing trend among cybercrooks to adopt the tools and tactics of nation-state backed advanced persistent threats (APTs) in order to rob banks.
The firm has also identified a second Russian group, called GCMAN, which is using similar techniques to Metel to infect banks via spear-phishing and then attempt to transfer money to e-currency services.
Once inside a bank's network, the GCMAN group uses legitimate and penetration testing tools such as Putty, VNC, and Meterpreter for lateral movement until it finds a machine that can send money to e-currency services without alerting other banking systems.
The crooks stayed in the network of one victim for a year and a half before activating the theft. Money was being transferred in sums of about $200, the upper limit for anonymous payments in Russia. Every minute, a Cron scheduler fired a malicious script, and another sum was transferred to an e-currency account belonging to a money mule.
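A defender-side illustration of the two patterns described above, added here as an example that is not from the article or from Kaspersky: it scans a constructed journal of core-banking entries for Metel-style ATM withdrawals whose debit is reversed seconds later, and for GCMAN-style runs of near-limit transfers to a single payee fired at a fixed interval. The entry format, account and payee names, and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of core-banking journal entries (illustrative, not real bank data).
# Entry: (ISO timestamp, account, entry type, amount, counterparty)
SAMPLE_JOURNAL = [
    ("2015-08-02T01:00:05", "ACC-1", "atm_withdrawal", 40000, "OTHER-BANK-ATM-7"),
    ("2015-08-02T01:00:06", "ACC-1", "reversal", 40000, "OTHER-BANK-ATM-7"),
    ("2015-08-02T01:03:10", "ACC-1", "atm_withdrawal", 40000, "OTHER-BANK-ATM-7"),
    ("2015-08-02T01:03:11", "ACC-1", "reversal", 40000, "OTHER-BANK-ATM-7"),
    ("2015-08-02T09:15:00", "ACC-2", "atm_withdrawal", 5000, "OWN-ATM-1"),
    ("2015-08-02T09:15:30", "ACC-2", "reversal", 5000, "OWN-ATM-1"),  # one failed dispense: benign
    ("2015-08-02T10:00:00", "ACC-3", "e_currency_transfer", 200, "WALLET-A"),
    ("2015-08-02T10:01:00", "ACC-3", "e_currency_transfer", 200, "WALLET-A"),
    ("2015-08-02T10:02:00", "ACC-3", "e_currency_transfer", 200, "WALLET-A"),
    ("2015-08-02T10:03:00", "ACC-3", "e_currency_transfer", 200, "WALLET-A"),
    ("2015-08-03T12:00:00", "ACC-4", "e_currency_transfer", 200, "WALLET-B"),  # single payment: benign
]

def rolled_back_withdrawals(journal, window_s=60, min_pairs=2):
    """Metel-style pattern: an ATM debit reversed within window_s seconds of the
    withdrawal. One pair is an ordinary failed dispense; repeats per account are flagged."""
    pending, pairs = {}, defaultdict(int)  # pending[(account, amount, atm)] = withdrawal time
    for ts, acct, kind, amount, cp in sorted(journal):  # ISO timestamps sort chronologically
        t, key = datetime.fromisoformat(ts), (acct, amount, cp)
        if kind == "atm_withdrawal":
            pending[key] = t
        elif kind == "reversal" and key in pending:
            if (t - pending.pop(key)).total_seconds() <= window_s:
                pairs[acct] += 1
    return {a: n for a, n in pairs.items() if n >= min_pairs}

def periodic_small_transfers(journal, limit=200, max_gap_s=120, min_run=4):
    """GCMAN-style pattern: a run of at-or-under-limit transfers to one payee
    fired at a fixed short interval (the article: one per minute)."""
    last, run = {}, defaultdict(int)  # keyed by (account, payee)
    longest = defaultdict(int)
    for ts, acct, kind, amount, cp in sorted(journal):
        if kind != "e_currency_transfer" or amount > limit:
            continue
        t, key = datetime.fromisoformat(ts), (acct, cp)
        gap_ok = key in last and (t - last[key]).total_seconds() <= max_gap_s
        run[key] = run[key] + 1 if gap_ok else 1  # a gap longer than max_gap_s resets the run
        longest[key] = max(longest[key], run[key])
        last[key] = t
    return [(a, p, n) for (a, p), n in longest.items() if n >= min_run]
```

Both functions only reconcile what the bank's own journal already records; the Metel case is the harder one in practice because the reversal is issued by compromised processing software, so the check belongs on an independent copy of the ATM-network authorisation log rather than on the system the malware controls.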
Meanwhile, the Carbanak malware - which last year Kaspersky claimed was used to steal up to a billion dollars from 100 banks worldwide in an unprecedented cyber heist by a gang of hackers - has been rebooted and is now being used not just to target banks but the budgeting and accounting departments of other firms.
Sergey Golovanov from Kaspersky Labs says: "Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cybercriminals aggressively embracing APT-style attacks. The Carbanak gang was just the first of many: cybercriminals now learn fast how to use new techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly. Their logic is simple: that’s where the money is."
While Russia may be a hotbed of cybercrime, authorities there have recently won a victory. According to a Reuters report, in November cops raided offices associated with a Moscow film distribution and production company as part of a crackdown on a hacking group.
Since the raid, experts say that a password-stealing software program known as Dyre — believed to be responsible for tens of millions of dollars in losses at banks — has not been deployed.