Monday, November 25, 2024
HomeSecurity NewsA new Hacker Group 'MoneyTaker' uncovered by Group-IB Attacking Banks in the...

A new Hacker Group ‘MoneyTaker’ uncovered by Group-IB Attacking Banks in the USA and Russia

Published on

A new Hacker Group ‘MoneyTaker’ uncovered by Group-IB targetting financial institutions and law firms in the USA, UK, and Russia. They are very successful in targetting a number of banks in different countries and they remain anonymous.

Security researchers from Group-IB uncovered the operations and the Hacker Group found targetting mainly on card payments including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US).

They remain anonymous by constantly changing their methods and tools to bypass security products and to remove their tracks after completing their attack.

Also Read: Top 5 hackers Groups that made the Invisible Internet as a Background

- Advertisement - SIEM as a Service

1.5 years of Silent Hacker Group Operations – MoneyTaker

They remain hidden for almost 1.5 years, their first operation was in 2016 and they targetted First Data’s “STAR” network operator portal.

According to Group-IB investigation, the group conducted 10 attacks in 2016, 6 attacks on US banks, 1 on UK banks and 2 On Russia Banks, another 1 attacks on US service provider. In 2017 8 US banks 1 law firm and 1 Russian bank targeted.

Using Group-IB Threat intelligence researchers able to identify the relationship between the incidents tools used and unique account for transactions and the most important findings with the privilege escalation tools compiled based on codes presented in ZeroNights 2016 Russian security conference.

Hacker Group

Exfiltration by the group

They use to exfiltrate the internal bank documents such as admin guides, internal regulations to understand the bank architecture and to prepare for attacks.Group-IB provided details to Interpol and Europol for further investigation.

For launching attacks, they used they used their self-written as well as the borrowed tools, Screenshotter’ and ‘keylogger’ to capture desktop screenshots and keystrokes. MoneyTaker 5.0 which substitutes malicious program for auto replacement of payment data.

To ensure their persistence they used fileless malware which resides only in RAM memory and destroyed after the system reboot.

In Group-IB investigation “an incident in Russia, we managed to discover the initial point of compromise: hackers penetrated the bank’s internal network by gaining access to the home computer of the bank’s system administrator.”

In addition, to prevent the C&C communication they employ SSL certificates for MoneyTaker with famous brands Bank of America, Federal Reserve Bank, Microsoft, Yahoo, etc.

They legitimately opened or purchased cards from the bank whose IT framework they had hacked. Then they withdraw cash from ATMs – with already enacted cards traveled to another country and sat tight for the operation to start.

In the wake of getting into the card processing system, the assailants removed or increased money withdrawal limits for the cards held by the mules and the average loss will be $500,000 USD.

Latest articles

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting...

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ...

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to...

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

Critical PDF.js & React-PDF Vulnerabilities Threaten Millions Of PDF Users

A new critical vulnerability has been discovered in PDF.js, which could allow a threat...

LayerX Security Raises $26M for its Browser Security Platform, Enabling Employees to Work Securely From Any Browser, Anywhere

LayerX, pioneer of the LayerX Browser Security platform, today announced $24 million in Series...