Security researchers shed light on the Russian-speaking cybercriminal group MoneyTaker, which was reported to have perpetrated cyberattacks against financial organizations in the U.S. and Russia. The group reportedly stole as much as $10 million from at least 20 card payment and inter-bank transfer systems.
MoneyTaker is a cybercriminal group named after the custom malware it uses to gain unauthorized access to workstations that connect to the machines handling its targets' financial transactions. MoneyTaker's modus operandi entails hijacking these systems and employing a network of mules who withdraw the cash from automated teller machines (ATMs).
MoneyTaker has been operating for at least 18 months. The group has also breached the systems and networks of credit unions, financial services firms, a law firm, and a software provider. Researchers note that it is expanding its targets, probing enterprises in Latin America and trying to compromise SWIFT's systems. Last year, Bangladesh's central bank fell victim to a SWIFT-related attack, losing at least $81 million in the heist.
MoneyTaker mainly used fileless malware. Fileless malware does not involve downloading and writing files to an affected machine's local disk. Instead, it executes in the system's memory or resides in the registry for persistence. Typical fileless attacks include injecting malicious code into an existing process or running scripts through tools like PowerShell. The cybercriminal group Lurk was one of the first to use this technique, which let it siphon over $45 million from financial organizations.
Fileless threats aren't as visible as traditional malware. They can blend into normal network traffic, hide behind what looks like a legitimate system administration task, and leave fewer footprints. Researchers note that the group was able to sneak its way into its targets' systems until a programming error left behind code artifacts that ultimately blew its cover.
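As an added, defender-side illustration (not from the original article or the researchers it cites), the Python snippet below triages autostart registry Run-key values for the two fileless traits described above: PowerShell launched with evasive switches and payloads stored in the registry as an encoded command. Every value name, path, and command here is constructed sample data.

```python
import base64
import re

# Constructed sample: powershell's -EncodedCommand expects base64 of UTF-16LE text.
_ENCODED = base64.b64encode(
    "Write-Output 'constructed sample'".encode("utf-16le")
).decode("ascii")

# Constructed Run-key values (name -> command line); not taken from any real incident.
SAMPLE_RUN_VALUES = {
    "OneDriveSync": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": f"powershell.exe -NoP -W Hidden -Enc {_ENCODED}",
    "Helper": r"mshta.exe C:\Users\Public\update.hta",
}

# Indicators worth a second look in an autostart entry, each with a human-readable reason.
SUSPICIOUS = [
    (re.compile(r"powershell(\.exe)?\b", re.I), "PowerShell launched from Run key"),
    (re.compile(r"-(nop|noprofile)\b", re.I), "profile suppressed"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-e(nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{16,}", re.I), "encoded command"),
    (re.compile(r"\b(mshta|wscript|cscript|rundll32|regsvr32)\b", re.I), "script host / LOLBin"),
    (re.compile(r"\b(iex|invoke-expression|downloadstring|frombase64string)\b", re.I), "download/eval"),
]

ENC_ARG = re.compile(r"-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(value: str):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or None if absent/invalid."""
    m = ENC_ARG.search(value)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_run_values(values):
    """Return {name: [reasons]} for every entry that matches at least one indicator."""
    findings = {}
    for name, cmd in values.items():
        reasons = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            reasons.append(f"decoded: {decoded}")  # analysts review the plaintext, not the blob
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_run_values(SAMPLE_RUN_VALUES).items():
        print(f"{name}: " + "; ".join(reasons))
```

On a real host the same function can be fed the output of `reg query` for the HKCU and HKLM Run keys; the ordinary OneDrive entry is left alone while the PowerShell and mshta entries are flagged with their reasons.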
MoneyTaker also abused Metasploit, a penetration testing tool, to conduct its attacks. After gaining access to a target's network, MoneyTaker works to gain administrator privileges and ultimately control of the network. Its command-and-control communications are encrypted using certificates that misuse the names of multinational, high-profile businesses such as Bank of America and Microsoft. The group also used point-of-sale malware and banking Trojans.
In the last quarter of 2016, fileless malware surged by 33% compared to the first quarter. It is bound to make more waves, as we have already seen the technique adopted by familiar threats such as ransomware, cryptocurrency miners, and backdoors. Here are some defensive measures enterprises can adopt to mitigate these kinds of threats:
Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today's purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro's suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.