A New Hacker Group -> MoneyTaker <- Steals Millions from US and Russian Banks


Group-IB has uncovered a new hacker group, ‘MoneyTaker’, that targets financial institutions and law firms in the USA, UK, and Russia. The group has successfully attacked a number of banks in different countries while remaining anonymous.


Researchers named this new group MoneyTaker, based on the name attackers gave to one of their hacking utilities.

Security researchers from Group-IB uncovered the group's operations and found that it mainly targets card payment systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US).

To take full control of the operation, MoneyTaker uses a pentest framework server. On it, the hackers install a legitimate penetration testing tool, Metasploit. The group uses Metasploit to conduct the following activities:

1. Network reconnaissance
2. Search for vulnerable applications
3. Exploit vulnerabilities
4. Escalate system privileges
5. Collect information

MoneyTaker stole a whopping $3 million from three Russian financial institutions, while a sum of $500,000 was stolen from banks in the United States. But the group is not limiting itself to money or the banking sector; MoneyTaker also targeted financial software vendors and law firms.

“Criminals stole documentation for OceanSystems’ FedLink card processing system, which is used by 200 banks in Latin America and the US,” says the report compiled by Group-IB.

Researchers confirmed that MoneyTaker targeted 20 companies: 1 in the UK, 3 in Russia and 16 in the US. All those attacks went unreported and undetected since the group used publicly available tools for the operations.



“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide, and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations,” said Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence.

Attackers studied bank networks by stealing documentation files
Evidence collected by Group-IB suggests attackers intentionally searched for and stole internal documentation files to learn about bank operations in preparation for future attacks.

In some cases, attackers also stole documents on SWIFT, another inter-banking money transfer system, and files on OceanSystems’ FedLink, a card processing system widely deployed across Latin America.

Now, experts believe Latin American banks and banks using the SWIFT system are in MoneyTaker's crosshairs. The SWIFT team issued a report last month with recommendations on how banks could improve their security.

After getting into the card processing system, the attackers removed or increased the cash withdrawal limits for the cards held by the mules, with an average loss of $500,000 USD.
