Security firm Kaspersky Lab today revealed details on a trio of new financial industry attacks that are stealing money from banks and ATMs. One of the campaigns, Carbanak 2.0, is an evolution of an attack that Kaspersky first reported in 2015, while the Metel and GCMAN attacks are new.
There is no direct connection between the Carbanak, Metel and GCMAN attacks, according to Kaspersky. The Metel and GCMAN campaigns are “copycats” of Carbanak in some respects, explained Sergey Golovanov, principal security researcher with the Global Research and Analysis Team at Kaspersky Lab.
Kaspersky first revealed the operations of Carbanak in February 2015, and the same group using the same tools created Carbanak 2.0, Golovanov said. After Kaspersky first reported on Carbanak, the group went under the radar but reappeared later in the year with functionality that allowed it to attack point-of-sale (POS) targets.
“Carbanak 2.0 also has a different victim profile, moving beyond banks to target budgeting and accounting departments, using the same [advanced persistent threat]-style tools and techniques,” Golovanov said.
The Metel attack campaign is also targeting financial institutions, though it has specific functionality for ATM withdrawals. Metel is able to roll back an ATM transaction automatically so that an attacker can steal money from a victim’s account, but the rollback will reset the victim’s account balance, tricking the bank into thinking that an account balance is unchanged, even after an attacker has made a withdrawal.
Golovanov, who explained that “metel” means “snowstorm” in Russian, described the steps and tools involved in exploiting a financial institution. “The Metel group uses some of the modules of the Corkow malware to infect a bank’s corporate network and then move laterally to gain access to targeted machines within the bank’s computer systems,” he said. “The initial infection starts with spear-phishing emails that carry malicious executables, or through targeting a browser’s vulnerabilities on the client’s side with the Niteris exploit pack.”
The initial infection malware has the primary goal of gathering information about a targeted system. The malware sends out info about the computer, processes and even takes screenshots to help cyber-criminals evaluate the value of a target.
“If a target is interesting—for example, if it’s a bank or a large organization—criminals upload full-scale Metel malware,” Golovanov explained. “It’s highly modular and functional malware: During the forensics, we discovered over 30 modules—some of them adapted from other malware samples, and some of them specially crafted.”
While Metal uses malware to infect its victims, the GCMAN financial campaign is using legitimate penetration testing tools to exploit banks. Among the tools used by GCMAN are Meterpreter, a payload delivery tool that is part of the open-source Metasploit penetration testing framework.
While Carbanak, Metel and GCMAN are having an impact on financial services firms, the effect is limited to just Russia, according to Kaspersky’s investigation. Golovanov commented that in 2015, Kaspersky Lab researchers conducted incident response investigations for 29 organizations located in Russia and infected by these three groups. The groups still remain active and the investigation into their activities is ongoing, he added.
“So far no attacks outside Russia have been identified,” Golovanov said. “Still, there are grounds to suspect that the infection is much more widespread, and banks around the world are advised to proactively check for infection.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.