Cybercriminal Gang Used Spear-phishing to Steal 25.7M from Russian Banks

In a report published on Thursday, Russia-based security researchers divulged information about a series of attacks by a cybercrime group called Buhtrap that stole from banking institutions in Russia. Group-IB notes, “from August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 million).”

The activities of the cybercriminal gang in question were said to have been first seen in 2014, as they first set their sights on Russian bank customers until August of 2015. During this time, it was observed that they started targeting financial institutions.  The attackers used spear-phishing emails with attached malware-laced Word documents, the download of which enabled a backdoor that allowed the attackers to log keystrokes, spy on the victim’s screen, steal data, and download other malware.

The report furthers, “Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network.” Affected banks shut down their systems, causing a considerable amount of delay in services and other losses. Dubbed by the researchers as BuhtrapWorm, the worm has the capability to nest on the targeted network, provided that at least one system is infected.

As such, the group explored several methods to spread the malware, which allowed them to penetrate the systems of bank clients and corporate networks. Phishing emails were seen to be an effective ploy, either feigning legitimacy as a message from the Central Bank or as a very specific ruse that duped security specialists who are members of the “Anti-drop”club.

[Read: What is Spear-phishing and how does it work?]

During the period between May to August of 2015, compromised websites from accounting portals, legal entities, and even construction websites were used to bring banking officials and personnel to a poisoned server that hosted an exploit kit that installs the malware.

Aside from this, modified versions of legitimate software were also used to infect systems. The Ammyy website, created by developers of legitimate remote administrator software Ammyy Admin, were found to have a malicious version spiked with the Buhtrap malware.

The report also noted how Buhtrap succeeded in targeting workstations running the Automated Working Station of the Central Bank Client (AWS CBC)—free software that delivers payment documents on behalf of the Central Bank. Attackers used a loophole that allowed them to replace official payment order transactions in AWS CBC with ones that redirected payments to accounts they control.

Through these methods, Buhtrap managed to amass 1.8 billion rubles (US$25 million) in a period of six months—the highest amount stolen from a Russian bank was recorded at nearly 600 million rubles ($9 million), while the lowest was marked at 25 million rubles ($370,000).

The report highlights that the tactics employed by the gang were not sophisticated. Given strict compliance to security measures and reinforced educational programs for employees about cybersecurity, attacks like this could very well be mitigated.

The report ends, “And the most important thing: if you have detected trails of a targeted attack at any stage, you need to involve specialized companies for its analysis. Incorrect responses to the attack results in the attacker activity remaining partly undetected to enable criminals achieve their goal — to steal money.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.