Dozens of banks lose millions to cybercriminals attacks

Fraudsters portfolio updated: now they’ve learnt to steal money from banks directly. How did it happen?

In 2015 we saw the rise of cybercriminals who rob banks directly. Several groups have mastered APT tools and techniques, dipping their hands into the “pockets” of at least twenty-nine big Russian banks.


The victims asked Kaspersky Lab for assistance and our Global Research and Analysis Team got down to work. The investigation revealed three separate groups of hackers who inflicted multiple millions in terms of financial damage to the banks. At the Security Analyst Summit 2016 experts from GReAT came out with an investigation report. For safety sake names of the victims have not been disclosed.

ATMs at the end of a gun

A banking Trojan with the melodic-sounding name Metel (also known as Corkow) was initially discovered in 2011: at that time the malware was hunting users of online banking systems. In 2015 the criminals behind Metel took aim at banks, specifically ATM machines. Using their savvy and a malicious campaign, these criminals turned their common credit cards into limitless ones. Imagine printing money, but even better.

How did they do it?

The criminals successively infected computers of bank employees either with the help of spear phishing emails that included malicious executable files or through targeting a browser vulnerabilities. Once inside the network they used legitimate software to hack other PCs until they reached the device they were looking for — the one that had access to money transactions. For example, these were PCs of call center operators or the support team.

As a result, each time when criminals picked up the money from a card of the compromised bank in an ATM of another bank, infected system automatically rolled back the transactions. That’s why the balance on the cards remained the same, allowing the cybercriminal to withdraw money limited only by the amount of cash in the ATM. The criminals made similar cash-outs at different ATM machines.

As far as we know, the gang is relatively small and consists of up to ten people. Part of the team speaks Russian and we’ve detected no infections outside Russia. The hackers are still active and looking for new victims.

Cunning criminals

Criminals from GCMAN group hustled through a similar operation, but instead of robbing ATMs they’ve transferred money to e-currency services.

To get into the network, GCMAN members used spear phishing emails with malicious attachments. They penetrated the devices of HR and accounting specialists and then waited until the system administrator logs into the system. Sometimes they moved the process along by crashing Microsoft Word or 1C (a program used for accounting that is very popular in Russia). As the user called for help and the system administrator came to solve the problem, criminals would steal the admin’s password.

Then GCMAN members laterally travelled through the bank’s corporate network until they found a device, which could quietly transfer money to different e-currency services. In some organizations criminals even did it with the help of legitimate software and common penetration testing tools, like Putty, VNC and Meterpreter.

These transactions were made via a cron script , which automatically transferred small sums every minute. This was to the tune of roughly $200 at a time, as this is the upper limit for anonymous financial transactions in Russia. It’s noteworthy that the thieves were very careful. In one case they quietly stayed in the network for a year and half, stealthy hacking lots of devices and accounts.

As far as we know, GCMAN group is very small and includes only one or two members, who appealingly speak Russian.

The return of Carbanak

The Carbanak group has been performing acts on the Internet since 2013. It occasionally disappears and eventually comes back with a new hacking plan. Recently Carbanak’s victims profile has been broadened. It now targets financial departments of any organization of interest, not only banks. This group has already stolen millions from different companies all over the world. After that they laid low for a while and came back four months ago with a new plan.

To hack and steal these criminals use typical APT-like tools and methods. Spear phishing campaign enables initial infection of the corporate network: a deceived employee opens an email attachment and installs malware, developed by Carbanak.

Once a computer is compromised, criminals seek the access to a system administrator account and then use stolen credentials to hack the domain controller and steal money from banking accounts or even change data about a company’s owner.

As far as we know, Carbanak is an international group, which includes criminals from Russia, China, Ukraine and other European countries. The gang consists of dozens of people. You can read further about Carbanak in this post.

I work in a bank. What should I do?

If you work at a financial organization, you have to be vigilant. As it’s clear from the above mentioned examples, one day you can turn out to be that user who accidentally invites cybercriminals into the office. You don’t want to ponder what would happen if you were that person. To avoid that, we advise you read the following articles:

In conclusion we’d like to add that Kaspersky Lab solutions detect and disarm all known malware, created by Carbanak, Metel and GCMAN.