MoneyTaker Cybercriminal Group Steals $10 Million from Financial Institutions

Security researchers shed light on the Russian-speaking cybercriminal group MoneyTaker, which was reported to have perpetrated cyberattacks against financial organizations in the U.S. and Russia. The group reportedly stole as much as $10 million from at least 20 card payment and inter-bank transfer systems.

What is MoneyTaker?

MoneyTaker is a cybercriminal group named after the custom malware it uses to gain unauthorized access to targets’ workstations that connect to machines handling financial transactions. The group’s modus operandi entails hijacking these systems and employing a network of mules who withdraw the cash from automated teller machines (ATMs).

MoneyTaker has been operating for at least 18 months. They’ve also breached the systems and networks of credit unions, financial services, a law firm, and a software provider. Researchers note that they’re also expanding their targets, probing enterprises in Latin America and trying to compromise SWIFT’s systems. Last year, Bangladesh’s central bank fell victim to a SWIFT-related attack, losing at least $81 million from the heist.

[Security 101: Business Process Compromise]

How did MoneyTaker steal from banks?

MoneyTaker mainly used fileless malware. Fileless threats don’t involve downloading and writing files to an affected machine’s local disks. Instead, they are executed in the system’s memory or reside in the registry for persistence. Typical fileless attacks include injecting malicious code into an existing process or running scripts through tools like PowerShell. The cybercriminal group Lurk was one of the first to use this technique, letting them siphon over $45 million from financial organizations.

Fileless threats aren’t as visible as traditional malware. They can blend into normal network traffic or hide behind a legitimate system administration task, for instance, and leave fewer footprints. Researchers note that the group was able to sneak into its targets' systems until a programming error left behind code artifacts that ultimately blew its cover.

MoneyTaker also abused Metasploit, a penetration testing tool, to conduct its attacks. After gaining access to a target’s network, MoneyTaker works to gain administrator privileges and ultimately control the network. Its command-and-control communications are encrypted using certificates that misuse the names of multinational/high-profile businesses, such as Bank of America and Microsoft. The group also used point-of-sale malware and banking Trojans.
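
A defender can hunt for the certificate misuse described above in TLS session metadata. The following is an added example, not code from the original article or the researchers: the field names, the brand watchlist and the sample sessions are all constructed assumptions, and a real watchlist would need every domain a brand legitimately serves from.

```python
import ipaddress

# Assumed watchlist: brand keyword -> domains that brand legitimately serves from.
BRAND_DOMAINS = {
    "microsoft": ("microsoft.com", "windows.com"),
    "bank of america": ("bankofamerica.com",),
}

def under_domain(host, domain):
    """True if host equals domain or is a subdomain (label-boundary match)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def review_session(session):
    """Return reasons a session's certificate looks like brand-name misuse."""
    subject = session["subject"].lower()
    brands = [b for b in BRAND_DOMAINS if b in subject]
    if not brands:
        return []  # certificate does not claim a watched brand
    reasons = []
    if session["subject"] == session["issuer"]:
        reasons.append("self_signed_brand_cert")
    host = session.get("server_name") or session["dest_ip"]
    if is_ip(host):
        reasons.append("brand_cert_on_bare_ip")
    elif not any(under_domain(host, d) for b in brands for d in BRAND_DOMAINS[b]):
        reasons.append("brand_cert_on_unrelated_host")
    return reasons

# Constructed sessions; IPs and hostnames use reserved documentation ranges.
SAMPLE_SESSIONS = [
    {"subject": "CN=Microsoft Update, O=Microsoft Corporation",
     "issuer": "CN=Microsoft Update, O=Microsoft Corporation",
     "server_name": None, "dest_ip": "203.0.113.10"},
    {"subject": "CN=www.microsoft.com, O=Microsoft Corporation",
     "issuer": "CN=Constructed Public CA",
     "server_name": "www.microsoft.com", "dest_ip": "198.51.100.7"},
    {"subject": "CN=portal, O=Bank of America", "issuer": "CN=Constructed Public CA",
     "server_name": "bankofamerica.com.example.net", "dest_ip": "198.51.100.9"},
]

if __name__ == "__main__":
    for s in SAMPLE_SESSIONS:
        print(review_session(s), s["subject"])
```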

[READ: The Rise of Fileless Threats that Abuse PowerShell]

What can enterprises do?

In the last quarter of 2016, fileless malware surged by 33% compared to the first quarter. It’s bound to make more waves, as we’ve already seen this adapted by familiar threats—ransomware, cryptocurrency-miners, and backdoors, to name a few. Here are some defensive measures enterprises can adopt to mitigate these kinds of threats:

  • Patch systems and software. Fileless malware piggybacks on security flaws to execute with admin privileges. Regularly apply the latest patches to fill gaps that may be exploited, or employ virtual patching for unknown vulnerabilities and end-of-life/legacy systems.
  • Enforce the principle of least privilege. Fileless attacks abuse tools like PowerShell and PSExec, which makes securing them important. Microsoft, for instance, posted best practices on using PowerShell.
  • Deploy multilayered security mechanisms. Fileless malware abuses tools to bypass the system’s restrictions, such as whitelisting (where unapproved applications are prevented from executing). This can be mitigated by behavior monitoring, which blocks unusual behaviors and modifications observed in the system. Malware that executes malicious scripts and abuses system utilities can be contained in a sandbox that can also analyze its routines.
  • Secure the gateways. Fileless attacks can come from anywhere—spam email, malicious websites, vulnerabilities, and even third-party plugins. Secure the email gateway to thwart email-borne attacks; web-based threats can also be stopped by URL filtering and categorization.
  • Proactively monitor the network. Firewalls and intrusion detection and prevention systems help deter intrusions, as well as raise red flags for anomalous activities such as exfiltration attempts.
  • Regularly keep logs and record system activities. While fileless attacks may not be as visible, they can still leave behind code artifacts that can help IT/system administrators and information security professionals better understand and respond to the threat.
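
The logging advice pays off when process-creation records are checked for the fileless traits described earlier: PowerShell running encoded scripts, hiding its window, evaluating code in memory, or pulling script content from the registry. The following is an added example, not from the original article; the record fields and sample events are constructed, and the indicator set is an assumption to tune per environment.

```python
import base64
import re

# PowerShell accepts any prefix of -EncodedCommand, plus the alias -ec.
ENC_FLAG = re.compile(r"(?i)[-/](e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")
# Indicator name -> pattern, applied to the command line and decoded payload.
INDICATORS = {
    "hidden_window": re.compile(r"(?i)[-/]w[a-z]*\s+hidden\b"),
    "in_memory_eval": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "registry_sourced": re.compile(r"(?i)\bHK(?:CU|LM):\\"),
}

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script (base64 over UTF-16LE) or None."""
    for flag, blob in ENC_FLAG.findall(cmdline):
        flag = flag.lower()
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # some other switch starting with "e", e.g. -ExecutionPolicy
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except ValueError:  # bad base64 or bad UTF-16
            return None
    return None

def score(record):
    """Return sorted indicator names for one process-creation record."""
    if "powershell" not in record["image"].lower():
        return []
    decoded = decode_encoded_command(record["cmdline"])
    hits = {"encoded_command"} if decoded is not None else set()
    text = record["cmdline"] + "\n" + (decoded or "")
    hits.update(name for name, rx in INDICATORS.items() if rx.search(text))
    return sorted(hits)

def encode_sample(script):
    """Build a constructed sample the way PowerShell encodes commands."""
    return base64.b64encode(script.encode("utf-16-le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample records, not taken from any real incident.
SAMPLE_EVENTS = [
    {"image": PS, "cmdline": "powershell.exe -NoP -W Hidden -enc "
        + encode_sample(r"iex (Get-ItemProperty HKCU:\Software\Constructed).v")},
    {"image": PS, "cmdline": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\backup.ps1"},
    {"image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    print([score(e) for e in SAMPLE_EVENTS])
```

Records that collect several indicators at once, like the first sample, are the ones worth escalating; a single indicator on its own is common in legitimate administration.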

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally-identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

