
Security experts warn of new breed of bank malware

09 February 2016  |  Moscow, Russia

A Russian hacking group is infecting bank IT systems with malware that lets it hide fraudulent ATM transactions by automatically rolling back the withdrawals so that balances appear unchanged.

According to Kaspersky Labs, the Metel malware was caught in the wild last summer when a bank in Russia discovered it had lost millions of rubles in a single night through a series of strange financial transactions.

Cards belonging to its customers were making withdrawals from ATMs belonging to other banks, cashing out huge sums of money while their balances remained untouched. The victim bank didn’t realise this until it tried to recoup the money withdrawn from the other banks’ ATMs.

Kaspersky says that the malware was being used exclusively by the Metel cybergang, which infects bank corporate networks via e-mail before gaining access to the money-processing system and automating the rollback of ATM transactions. Gang members drove around several Russian cities at night, making withdrawals from ATMs belonging to different banks and emptying the machines' cassettes.
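The scheme described above only surfaced when the victim bank tried to settle with the other banks whose ATMs paid out the cash. The following is an added reconciliation check, not code from the article or from Kaspersky, that compares the issuing bank's own ledger against the ATM network's settlement claims and flags accounts where more cash was settled than the ledger shows debited; the account numbers, event names and amounts are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the article). LEDGER is the issuing
# bank's own event stream; SETTLEMENT is what the ATM network later claims
# for withdrawals its customers made at other banks' machines.
LEDGER = [
    # (account, event, amount in rubles)
    ("4001", "atm_withdrawal", 10000), ("4001", "reversal", 10000),
    ("4001", "atm_withdrawal", 10000), ("4001", "reversal", 10000),
    ("4002", "atm_withdrawal", 3000),
    ("4003", "atm_withdrawal", 5000), ("4003", "reversal", 5000),
    ("4003", "atm_withdrawal", 5000),
]
SETTLEMENT = [  # (account, amount) claimed by the other banks
    ("4001", 10000), ("4001", 10000),
    ("4002", 3000),
    ("4003", 5000),  # 4003's first attempt was a genuine decline; only one settled
]

def net_debits(ledger):
    """Net amount each account actually lost according to the ledger."""
    net = defaultdict(int)
    for acct, event, amount in ledger:
        if event == "atm_withdrawal":
            net[acct] += amount
        elif event == "reversal":
            net[acct] -= amount
    return net

def reconcile(ledger, settlement):
    """Accounts where cash was settled to other banks but the ledger shows
    less (or nothing) debited: the gap a rollback-on-withdrawal scheme leaves."""
    claimed = defaultdict(int)
    for acct, amount in settlement:
        claimed[acct] += amount
    net = net_debits(ledger)
    return {a: claimed[a] - net[a] for a in claimed if claimed[a] > net[a]}

def reversal_ratio(ledger):
    """Fraction of ATM withdrawals reversed per account; a second signal
    worth alerting on before the settlement file arrives."""
    counts = defaultdict(lambda: [0, 0])  # [withdrawals, reversals]
    for acct, event, _ in ledger:
        if event == "atm_withdrawal":
            counts[acct][0] += 1
        elif event == "reversal":
            counts[acct][1] += 1
    return {a: r / w for a, (w, r) in counts.items() if w}
```

Account 4001 shows the pattern in the story: every withdrawal reversed on the ledger, yet 20,000 rubles settled to other banks.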

(Images from Kaspersky Lab)

Kaspersky says that it found Metel in more than 30 financial institutions, but cleaned up the networks "before any major damage could be done".

The Metel attacks are part of what Kaspersky warns is an increasing trend among cybercrooks to adopt the tools and tactics of nation-state backed advanced persistent threats (APTs) in order to rob banks.

The firm has also identified a second Russian group, called GCMAN, which uses techniques similar to Metel's to infect banks via spear-phishing and then attempts to transfer money to e-currency services.

Once inside a bank's network, the GCMAN group uses legitimate administration and penetration-testing tools such as PuTTY, VNC, and Meterpreter for lateral movement until it finds a machine that can send money to e-currency services without alerting other banking systems.

The crooks stayed in the network of one victim for a year and a half before activating the theft. Money was being transferred in sums of about $200, the upper limit for anonymous payments in Russia. Every minute, a Cron scheduler fired a malicious script, and another sum was transferred to e-currency accounts belonging to a money mule.
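A scheduler-driven drain of this kind has a signature a human operator does not: near-identical sub-limit amounts to the same destination at a fixed interval. The following is an added detection example, not code from the article or from Kaspersky, that parses constructed transfer log lines (the format, account names and amounts are assumptions) and flags source/destination pairs that exhibit that cadence.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not from the article): outbound transfer records in
# an assumed "timestamp src=... dst=... amount=..." form.
TRANSFER_LOG = """\
2015-08-01T02:00:00 src=CORP-17 dst=EWALLET-3 amount=199.50
2015-08-01T02:01:00 src=CORP-17 dst=EWALLET-3 amount=199.50
2015-08-01T02:02:00 src=CORP-17 dst=EWALLET-3 amount=199.50
2015-08-01T02:03:01 src=CORP-17 dst=EWALLET-3 amount=199.50
2015-08-01T02:03:30 src=CORP-09 dst=SUPPLIER-1 amount=12400.00
2015-08-01T02:04:00 src=CORP-17 dst=EWALLET-3 amount=199.50
2015-08-01T09:15:00 src=CORP-09 dst=EWALLET-3 amount=150.00
"""
LINE_RE = re.compile(r"(\S+) src=(\S+) dst=(\S+) amount=([\d.]+)")

def parse(log):
    """Turn the log text into (timestamp, src, dst, amount) tuples."""
    rows = []
    for m in LINE_RE.finditer(log):
        ts, src, dst, amt = m.groups()
        rows.append((datetime.fromisoformat(ts), src, dst, float(amt)))
    return rows

def find_cadenced_drains(rows, limit=200.0, period=60, tolerance=5, min_run=4):
    """Return {(src, dst): run_length} for pairs where at least min_run
    consecutive sub-limit transfers arrive period seconds apart (+/- tolerance),
    the fingerprint of a script fired by a scheduler rather than a person."""
    by_pair = defaultdict(list)
    for ts, src, dst, amt in rows:
        if amt < limit:               # just under the anonymous-payment cap
            by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        times.sort()
        run = best = 1
        for a, b in zip(times, times[1:]):
            gap = (b - a).total_seconds()
            if abs(gap - period) <= tolerance:
                run += 1
                best = max(best, run)
            else:
                run = 1               # cadence broken; start a new run
        if best >= min_run:
            hits[pair] = best
    return hits
```

Only CORP-17's one-per-minute drain to EWALLET-3 is flagged; the single $150 payment and the large supplier transfer are left alone.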

Meanwhile, the Carbanak malware - which last year Kaspersky claimed was used to steal up to a billion dollars from 100 banks worldwide in an unprecedented cyber heist by a gang of hackers - has been rebooted and is now being used not just to target banks but the budgeting and accounting departments of other firms.

Sergey Golovanov from Kaspersky Labs says: "Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cybercriminals aggressively embracing APT-style attacks. The Carbanak gang was just the first of many: cybercriminals now learn fast how to use new techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly. Their logic is simple: that’s where the money is."

While Russia may be a hotbed of cybercrime, authorities there have recently won a victory. According to a Reuters report, in November cops raided offices associated with a Moscow film distribution and production company as part of a crackdown on a hacking group.

Since the raid, experts say that a password-stealing software program known as Dyre — believed to be responsible for tens of millions of dollars in losses at banks — has not been deployed.
