The Daily Swig Web security digest

MoneyTaker syndicate exposed after 18 months of silent ops

James Walker | 12 December 2017 at 15:01

Hacking group has been targeting banks in the US and Russia.

Over the past 18 months, a group of Russian-speaking cybercriminals have netted around $10 million through successful attacks carried out against dozens of financial institutions around the world, researchers have revealed.

The secretive ‘MoneyTaker’ group has been linked to 20 successful cyber-attacks since spring 2016. These include 14 attacks on US banks, one attack on a US service provider, one attack on a bank in the UK, and three attacks against Russian financial institutions.

While the hackers have taken strong measures to eliminate their traces after completing their operations, researchers at Moscow-based forensics lab Group-IB said they have discovered connections between all 20 incidents throughout 2016 and 2017.

According to Group-IB, MoneyTaker has been utilizing both borrowed and self-written tools, including a custom application with screenshot and keylogger capabilities, and the MoneyTaker v5.0 malware tool, after which the group has been named.

Connections were identified in the tools used, the distributed infrastructure, and the withdrawal scheme – which involves gaining access to a bank’s card processing system and removing overdraft limits, allowing a mule to withdraw cash from ATMs.

Group-IB’s analysis of the attack infrastructure has shone some light on MoneyTaker’s intelligence-gathering operations. The threat actors were found to be continuously exfiltrating internal documentation to learn about banking operations in preparation for future attacks.

The contents and geography of data obtained by Group-IB indicate that banks in Latin America may be targeted next, the researchers said.

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” said Dmitry Volkov, co-founder and head of intelligence at Group-IB.

“Incidents occur in different regions worldwide, and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future.”