How three criminal groups — Metel, GCMAN and Carbanak 2.0 — stole millions of dollars from dozens of banks

Vitus White
Last updated: 13 October

In 2015 we saw the rise of cybercriminals who rob banks directly. Several groups mastered APT tools and techniques and dipped their hands into the "pockets" of at least twenty-nine large Russian banks.

Contents
  • ATMs at the end of a gun
  • Cunning criminals
  • The return of Carbanak
  • I work in a bank. What should I do?

The victims asked Kaspersky Lab for assistance, and our Global Research and Analysis Team (GReAT) got to work. The investigation revealed three separate groups of attackers who caused many millions in financial damage to the banks. At the Security Analyst Summit 2016, GReAT experts presented their investigation report. For the victims' safety, their names have not been disclosed.


ATMs at the end of a gun

A banking Trojan with the melodic-sounding name Metel (also known as Corkow) was first discovered in 2011; at that time the malware targeted users of online banking systems. In 2015 the criminals behind Metel took aim at the banks themselves, and specifically at ATMs. With a malicious campaign inside the bank's network, these criminals turned ordinary payment cards into cards with no effective limit. Imagine printing money, but even better.

How did they do it?


The criminals first infected the computers of bank employees, either with spear-phishing emails carrying malicious executable attachments or by exploiting browser vulnerabilities. Once inside the network, they used legitimate software to compromise other PCs until they reached the machine they were looking for: one with access to money transactions. Typically these were the PCs of call-center operators or the support team.


As a result, each time the criminals withdrew cash from another bank's ATM using a card issued by the compromised bank, the infected system automatically rolled back the transaction. The balance on the card therefore never changed, so the cash-out was limited only by the amount of money in the ATM. The criminals repeated the same cash-out at many different ATMs.
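The rollback pattern described above leaves a distinctive trace in the issuing bank's own transaction records: cash is dispensed, and seconds later the debit is reversed, again and again, from the same card at several machines. The detection below is an added example written for this page, not code from Kaspersky Lab or from the original post; the log format, column names and sample records are constructed, and the thresholds are assumptions to be tuned against real data.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real bank data). The column layout is an assumption
# for this example: timestamp,card,atm,type,amount with type WITHDRAWAL or REVERSAL.
SAMPLE_LOG = """\
timestamp,card,atm,type,amount
2015-03-01T02:00:05,4111********1111,ATM-0391,WITHDRAWAL,40000
2015-03-01T02:00:09,4111********1111,ATM-0391,REVERSAL,40000
2015-03-01T02:03:40,4111********1111,ATM-0392,WITHDRAWAL,40000
2015-03-01T02:03:44,4111********1111,ATM-0392,REVERSAL,40000
2015-03-01T02:07:12,4111********1111,ATM-0392,WITHDRAWAL,40000
2015-03-01T02:07:15,4111********1111,ATM-0392,REVERSAL,40000
2015-03-01T02:11:50,4111********1111,ATM-0407,WITHDRAWAL,40000
2015-03-01T02:11:53,4111********1111,ATM-0407,REVERSAL,40000
2015-03-01T09:15:00,5500********4444,ATM-0120,WITHDRAWAL,5000
2015-03-01T09:15:03,5500********4444,ATM-0120,REVERSAL,5000
2015-03-01T12:40:00,5500********4444,ATM-0120,WITHDRAWAL,3000
2015-03-01T13:05:00,4000********9999,ATM-0391,WITHDRAWAL,10000
"""

REVERSAL_WINDOW_S = 120  # a reversal arriving this soon after the dispense is "immediate"
MIN_REVERSED = 3         # one reversed withdrawal is normal (jammed dispenser); three is not
MIN_ATMS = 2             # the same card cashed out at several machines


def parse_log(text):
    """Parse the CSV text into dicts with typed ts/amount fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        row["amount"] = int(row["amount"])
        rows.append(row)
    return rows


def find_rollback_cashouts(text, window_s=REVERSAL_WINDOW_S,
                           min_reversed=MIN_REVERSED, min_atms=MIN_ATMS):
    """Return {card: summary} for cards whose withdrawals keep getting rolled back.

    A withdrawal counts as rolled back when a REVERSAL for the same ATM and
    amount follows it within window_s seconds. The cash left the machine but
    the balance did not move, which is exactly the Metel pattern.
    """
    by_card = defaultdict(list)
    for r in parse_log(text):
        by_card[r["card"]].append(r)

    findings = {}
    for card, events in by_card.items():
        events.sort(key=lambda r: r["ts"])
        pending = {}          # (atm, amount) -> withdrawal still waiting for a reversal
        rolled_back = []
        for e in events:
            key = (e["atm"], e["amount"])
            if e["type"] == "WITHDRAWAL":
                pending[key] = e
            elif e["type"] == "REVERSAL" and key in pending:
                w = pending.pop(key)
                if (e["ts"] - w["ts"]).total_seconds() <= window_s:
                    rolled_back.append(w)
        atms = {w["atm"] for w in rolled_back}
        if len(rolled_back) >= min_reversed and len(atms) >= min_atms:
            findings[card] = {
                "reversed": len(rolled_back),
                "atms": sorted(atms),
                # cash physically dispensed that was never debited from the account
                "cash_out": sum(w["amount"] for w in rolled_back),
            }
    return findings


if __name__ == "__main__":
    for card, info in find_rollback_cashouts(SAMPLE_LOG).items():
        print(card, info)
```

A single reversal is ordinary (a jammed dispenser, a timed-out authorization host), which is why the rule requires both repetition and more than one ATM before it fires; the `cash_out` figure is the amount the bank actually lost, since every one of those withdrawals was paid out in notes.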


As far as we know, the gang is relatively small, consisting of up to ten people. Part of the team speaks Russian, and we have detected no infections outside Russia. The hackers are still active and looking for new victims.

Cunning criminals

The GCMAN group ran a similar operation, but instead of robbing ATMs they transferred money to e-currency services.

To get into the network, GCMAN members used spear-phishing emails with malicious attachments. They compromised the machines of HR and accounting staff and then waited for a system administrator to log in to the infected system. Sometimes they sped things along by crashing Microsoft Word or 1C (an accounting program that is very popular in Russia). When the user called for help and the administrator came to fix the problem, the criminals stole the admin's password.


GCMAN members then moved laterally through the bank's corporate network until they found a machine that could quietly transfer money to various e-currency services. In some organizations the criminals did this entirely with legitimate software and common penetration-testing tools such as PuTTY, VNC and Meterpreter.
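Because the tools are legitimate, a blocklist will not help; what separates GCMAN's use of PuTTY or VNC from an administrator's is context: which host, which account, which parent process, where the binary lives and what is on the command line. The triage below is an added example for this page, not Kaspersky Lab's or the original article's code. The Sysmon-style events, hostnames, accounts, paths and allowlists are all constructed; a Meterpreter payload is usually renamed and would not match a name list at all, which the code notes.

```python
import json

# Constructed Sysmon-style process-creation events (JSON lines). Field names
# mirror Sysmon Event ID 1, but every host, user, path and command is invented
# for this example.
SAMPLE_EVENTS = r"""
{"host":"ADM-JUMP01","user":"CORP\\sysadmin","image":"C:\\Program Files\\PuTTY\\putty.exe","parent":"C:\\Windows\\explorer.exe","cmd":"putty.exe -load corp-sw1"}
{"host":"HR-WS17","user":"CORP\\i.petrova","image":"C:\\Users\\i.petrova\\AppData\\Local\\Temp\\putty.exe","parent":"C:\\Windows\\System32\\wscript.exe","cmd":"putty.exe -ssh -pw Pa55w0rd admin@10.0.5.20"}
{"host":"ACC-WS03","user":"CORP\\sysadmin","image":"C:\\Program Files\\TightVNC\\vncviewer.exe","parent":"C:\\Windows\\System32\\cmd.exe","cmd":"vncviewer.exe 10.0.7.15::5900"}
{"host":"ACC-WS03","user":"CORP\\a.sidorov","image":"C:\\Windows\\System32\\notepad.exe","parent":"C:\\Windows\\explorer.exe","cmd":"notepad.exe invoice.txt"}
"""

# Matching by image name catches the off-the-shelf tools the article names. A
# renamed Meterpreter stager will not match and needs behavioural detection
# (for example, unexpected outbound connections from office software) instead.
REMOTE_ADMIN_TOOLS = {"putty.exe", "plink.exe", "psexec.exe",
                      "vncviewer.exe", "winvnc.exe", "tvnserver.exe"}
ADMIN_JUMP_HOSTS = {"adm-jump01"}       # assumed: where interactive admin tooling is expected
ADMIN_ACCOUNTS = {"corp\\sysadmin"}     # assumed: accounts allowed to drive those tools
SCRIPT_OR_SHELL_PARENTS = {"wscript.exe", "cscript.exe", "cmd.exe",
                           "powershell.exe", "winword.exe", "excel.exe"}


def _basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_tool_usage(text):
    """Return one finding per remote-admin tool launch that looks out of place."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        tool = _basename(ev["image"])
        if tool not in REMOTE_ADMIN_TOOLS:
            continue
        reasons = []
        if ev["host"].lower() not in ADMIN_JUMP_HOSTS:
            reasons.append("run on a non-admin workstation")
        if ev["user"].lower() not in ADMIN_ACCOUNTS:
            reasons.append("run by a non-admin account")
        if _basename(ev["parent"]) in SCRIPT_OR_SHELL_PARENTS:
            reasons.append("spawned by a script or shell parent")
        image_l = ev["image"].lower()
        if "\\appdata\\" in image_l or "\\temp\\" in image_l:
            reasons.append("binary lives in a user or temp directory, not an install path")
        if "-pw " in ev["cmd"].lower():
            reasons.append("password passed on the command line")
        if reasons:
            findings.append({"host": ev["host"], "user": ev["user"],
                             "tool": tool, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_tool_usage(SAMPLE_EVENTS):
        print(f["host"], f["user"], f["tool"], "->", "; ".join(f["reasons"]))
```

The first event (an administrator on the jump host, launched from Explorer, installed path) produces no finding, which is the point: the rule scores deviations from the expected context rather than the tool itself. The HR workstation event trips every check, and the VNC viewer on the accounting workstation is flagged even though it runs under the admin account, because that account's password is precisely what GCMAN stole.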

This is how a victim can lose $200 per minute #bankingAPT #TheSAS2016 pic.twitter.com/jEYjuqeh7U

— Eugene Kaspersky (@e_kaspersky) February 8, 2016

These transactions were made by a cron script that automatically transferred small sums every minute, roughly $200 at a time, since that is the upper limit for anonymous financial transactions in Russia. Notably, the thieves were very careful: in one case they quietly stayed in the network for a year and a half, stealthily compromising many devices and accounts.
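The cron-driven drip is easy to miss one transfer at a time, since every payment is below the reporting limit, but easy to see in aggregate: a machine produces evenly spaced transfers with almost no jitter, which human-initiated payments do not. The detector below is an added example for this page, not code from Kaspersky Lab or the original post; the transfer log format, accounts, destinations and thresholds are constructed assumptions.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound transfers (not real data); the columns are an
# assumption for this example: timestamp,src_account,dst,amount_usd
SAMPLE_TRANSFERS = """\
timestamp,src_account,dst,amount_usd
2015-06-10T03:00:00,ACC-100,ewallet:9a1,199.50
2015-06-10T03:01:00,ACC-100,ewallet:9a1,199.50
2015-06-10T03:02:01,ACC-100,ewallet:3f7,198.00
2015-06-10T03:03:00,ACC-100,ewallet:9a1,199.50
2015-06-10T03:04:02,ACC-100,ewallet:3f7,199.00
2015-06-10T03:05:00,ACC-100,ewallet:9a1,199.50
2015-06-10T09:30:00,ACC-200,ewallet:77c,150.00
2015-06-10T14:12:00,ACC-200,bank:de44,2500.00
2015-06-11T09:31:00,ACC-200,ewallet:77c,150.00
"""

LIMIT_USD = 200.0    # the per-transfer ceiling the thieves stayed under
MIN_TRANSFERS = 5    # fewer sub-limit transfers than this is ordinary activity
JITTER_S = 5         # how far a gap may stray from the median and still be "on schedule"


def parse_transfers(text):
    """Parse the CSV text into dicts with typed ts/amount fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["timestamp"])
        row["amount"] = float(row["amount_usd"])
        rows.append(row)
    return rows


def find_drip_transfers(text, limit=LIMIT_USD, min_n=MIN_TRANSFERS, jitter_s=JITTER_S):
    """Return {src_account: summary} for accounts sending a steady drip of sub-limit transfers.

    No single transfer is suspicious (each is legitimately below the limit);
    the signal is the cadence. A cron job yields inter-arrival gaps that
    cluster tightly around one value, so we take the median gap as the
    cadence and count how many gaps sit within jitter_s of it.
    """
    by_src = defaultdict(list)
    for r in parse_transfers(text):
        if r["amount"] < limit:
            by_src[r["src_account"]].append(r)

    findings = {}
    for src, rows in by_src.items():
        if len(rows) < min_n:
            continue
        rows.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rows, rows[1:])]
        cadence = statistics.median(gaps)
        on_schedule = sum(1 for g in gaps if abs(g - cadence) <= jitter_s)
        if on_schedule >= len(gaps) - 1:   # tolerate one missed or late tick
            findings[src] = {
                "count": len(rows),
                "cadence_s": cadence,
                "total_usd": round(sum(r["amount"] for r in rows), 2),
                "destinations": sorted({r["dst"] for r in rows}),
            }
    return findings


if __name__ == "__main__":
    for src, info in find_drip_transfers(SAMPLE_TRANSFERS).items():
        print(src, info)
```

The cadence is derived from the data rather than fixed at sixty seconds, so a script that fires every five minutes, or one that varies the amount slightly to defeat an exact-amount rule, is caught by the same logic. In the sample, ACC-100 is flagged at a 60 s cadence with about $1,195 drained in six minutes, while ACC-200's two small e-wallet payments a day apart never reach the threshold.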

As far as we know, the GCMAN group is very small, with only one or two members, who apparently speak Russian.


The return of Carbanak

The Carbanak group has been active since 2013. It occasionally disappears and eventually comes back with a new plan. Recently Carbanak's victim profile has broadened: it now targets the financial departments of any organization of interest, not only banks. The group has already stolen millions from companies all over the world. After that it laid low for a while and came back four months ago with a new scheme.

To break in and steal, these criminals use typical APT tools and methods. A spear-phishing campaign provides the initial infection of the corporate network: a deceived employee opens an email attachment and installs malware developed by Carbanak.

Full report on the #Carbanak APT is now live http://t.co/KRmjD1GhyL via @Securelist pic.twitter.com/5OMzJE0DgS

— Kaspersky (@kaspersky) February 16, 2015

Once a computer is compromised, the criminals seek access to a system administrator account and then use the stolen credentials to take over the domain controller, steal money from bank accounts, or even alter records about a company's ownership.

As far as we know, Carbanak is an international group that includes criminals from Russia, China, Ukraine and other European countries. The gang consists of dozens of people. You can read more about Carbanak in this post.

I work in a bank. What should I do?

If you work at a financial organization, you have to be vigilant. As the examples above show, one day you could turn out to be the user who accidentally invites cybercriminals into the office. You don't want to find out what would happen if you were that person. To avoid it, we advise you to read the following articles:

  • Why phishing works and how to avoid it
  • Why it’s necessary to update software
  • How not to become a victim of a Trojan.

In conclusion, we'd like to add that Kaspersky Lab solutions detect and neutralize all known malware created by Carbanak, Metel and GCMAN.


Source: kaspersky.com

Vitus White October 13, 2022 September 30, 2019