Threat report details large-scale ‘hybrid’ cyberattack targeting banks across eastern Europe

Banks in several post-Soviet states have been hit by a major hacking scheme thought to have netted an international organized crime syndicate millions of dollars.

The strategy around the hack – which was identified by Trustwave’s white hat research division, SpiderLabs, and published in a threat report yesterday – was to manipulate the overdraft limit of debit cards, allowing actors to withdraw large sums of money from ATMs.

According to the report, mules have been using rogue identities to set up new bank accounts across eastern Europe. Hackers then remove any restrictions in the debit card processing system, effectively giving the accounts a limitless overdraft facility.

Once the scheme is in place, the debit cards are sent overseas, and other mules withdraw illicit funds from ATMs in large amounts.

“This hybrid attack combined both cyber and physical activities to steal money from the targeted banks,” said Thanassis Diogos, forensic investigator and incidence response team leader at SpiderLabs. “The entire operation required many resources and careful coordination of these resources.”

Diogos explains that, since legitimate debit cards were used to perform the ATM transactions, and the attackers removed anti-fraud controls for those accounts, the cash-out did not trigger any alarms in the banking systems.

“The average attack duration was six months, including setting up new accounts, conducting the cyber-attack, and withdrawing funds from ATM machines,” he stated.

In its investigation of the scheme, which is thought to have netted criminals at least $40 million since March, SpiderLabs said it was able to restore a corrupted Master Boot Record (MBR) in one of the bank’s internal systems. The group then identified a specialized piece of malware, ‘dropper.exe’, which deletes itself upon execution.

“This executable drops a DLL file named ‘xuidll.dll’ in the Windows System32 directory and adds a Winlogon registry key for persistence,” Diogos said. “The purpose of the dropped DLL is to wipe out the MBR when a specific trigger condition is met.”

While the contents of the DLL file are not yet publicly known in VirusTotal or similar services, Diogos said the methods used to infiltrate banking infrastructure underlined the growing sophistication of hacking groups around the world.

“The use of this tool demonstrates that the attackers were highly motivated to wipe their tracks clean by creating additional obstacles for investigative procedures,” he said. “Criminal organizations can quickly identify weaknesses in processes such as new account creation and take advantage of them in a stealthy and efficient manner.”

Diogos added: “Organizations need to expand their defensive security strategy to assume that they have already been compromised and actively search for threats to detect and minimize damage.”