Bank Robbery: Cyber Criminals Steal $1Billion

A cybercrime outfit stealing from as many as 10 banks in Russia, Armenia and Malaysia is alleged to have stolen possibly as much as $1 billion worldwide from financial organisations.

The new group has been called Silence by researchers at Kaspersky Lab who recently published a report about the criminals’ activities, which bear a sharp resemblance to Carbanak. But the relationship apparently ends at imitation.

“They are not Carbanak,” said Kaspersky Lab researcher Sergey Lozhkin. “They are using some of the same techniques at some points, but that’s it.”

Kaspersky Lab said it did not have information on the gang’s success, nor how much it had stolen to date. The attacks, however, are ongoing, the researchers said.

The researchers called the group’s attacks “targeted,” using spear phishing and a number of different means to maintain persistence on a bank’s internal network, monitor employee and system activities, and eventually stealing money.

“We have seen this trend growing recently, as more and more slick and professional APT-style cyber-robberies emerge and succeed,” Lozhkin said. “The most worrying thing here is that due to their, in-the-shadow, approach these attacks may succeed regardless of the peculiarities of each bank’s security architecture.”

The spear-phishing emails contain attachments that eventually download and execute a dropper that reaches out to the attacker’s infrastructure. The backdoor is used to send system information and execute malicious code that uploads data, steals credentials and initiates tasks such as screen recording, which was a hallmark of Carbanak.

Silence, like Carbanak, uses these screen grabs to essentially create a video recording of daily activity on employees’ computers, amassing knowledge about internal processes before stealing money.

“We saw that technique before in Carbanak, and other similar cases worldwide,” Kaspersky Lab said in its report.

Kaspersky Lab said that the Silence gang’s spear-phishing emails are sent from an already-compromised financial network.

“The cyber-criminals using Silence send spear-phishing emails as initial infection vectors, often using the addresses of employees of an already infected financial institution, with a request to open an account in the attacked bank,” Kaspersky Lab’s report said. “The message looks like a routine request. Using this social engineering trick, it looks unsuspicious to the receiver.”

Silence also makes use of a proprietary Microsoft online help format called Microsoft Compiled HTML Help, or CHM. CHM files are interactive and can run JavaScript, for example, which the attackers use to redirect victims to external URLs.

“Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed. Once the attachment is opened by the victim, the embedded .htm content file (“start.htm”) is executed,” Kaspersky Lab said. “This file contains JavaScript, and its goal is to download and execute another stage from a hardcoded URL.”

Once the dropper is unpacked and executed from the attacker’s command and control server, a number of payload modules are dropped that spy on systems and employees.

One of those modules is the screen monitor, which uses the Windows GDI and API tools to record screen activity using the CreateCompatibleBitmap and GdipCreateBitmapFromHBITMAP functions, Kaspersky Lab said.

Threatpost

You Might Also Read:

Phishing Is  The Top Cyberattack Vector In 2017:

Russian Cyber Gang Arrested By …. Russia:

Thieves Drain Protected Bank Accounts:

 

« NotPetya Much Worse Than WannaCry
North Korea Denies Involvement In WannaCry »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Patchstack

Patchstack

Patchstack (formerly WebARX) is a web application security platform, which allows digital agencies and developers to monitor, protect and maintain their websites.

Texplained

Texplained

Texplained specializes in security audits of microchips to identify vulnerabilities and protect against invasive cyber attacks.

Luxembourg Institute of Science & Technology (LIST)

Luxembourg Institute of Science & Technology (LIST)

LIST is a mission-driven Research and Technology Organisation. Areas of research include IT and aspects of IT security.

SenseOn

SenseOn

SenseOn’s multiple threat-detection senses work together to detect malicious activity across an organisation’s entire digital estate, covering the gaps that single point solutions create.

AimBrain

AimBrain

AimBrain tools detect and prevent fraud, faster and more accurately than ever before.

Keepnet Labs

Keepnet Labs

Keepnet Labs is a phishing defence platform that provides a holistic approach to people, processes and technology to reduce breaches and data loss and presents anti-phishing solutions.

Cybertonica

Cybertonica

Cybertonica is a FinTech company which detects and prevents fraudulent transactions and reduces risk for financial services organisations.

Encore Media Group

Encore Media Group

Encore Media Group provide an international enterprise technology event series exploring IoT, Blockchain AI, Big Data, 5G, Cyber Security and Cloud.

aDolus Technology

aDolus Technology

aDolus delivers a robust solution for safeguarding against counterfeit or malicious software and firmware in mission-critical systems.

Charities Security Forum (CSF)

Charities Security Forum (CSF)

The Charities Security Forum is the premier membership group for information security people working for charities and not-for-profits in the UK.

Hazy

Hazy

Hazy specialises in financial services, helping some of the world’s top banks and insurance companies reduce compliance risk.

Open Quantum Safe (OQS)

Open Quantum Safe (OQS)

The Open Quantum Safe (OQS) project is an open-source project that aims to support the development and prototyping of quantum-resistant cryptography.

J.S. Held

J.S. Held

J.S. Held is a global consulting firm providing technical, scientific, and financial expertise across all assets and value at risk.

Colt Technology Services

Colt Technology Services

Colt Technology Services (Colt) is a global digital infrastructure company which creates extraordinary connections to help businesses succeed.

ABPSecurite

ABPSecurite

ABPSecurite is a leading value-added distributor and a network performance solutions provider.

Incode

Incode

Incode is the leading provider of world-class identity solutions that is reinventing the way humans authenticate and verify their identities online.