Malicious Infrastructure and Malware Tactics Recall Anthem Attack
Attackers have targeted an unknown number of Russia's 700 banks with malware, in part by pretending to be a cybercrime-fighting division of the country's central bank.
Moscow-based information security firm Kaspersky Lab revealed the attacks March 16, saying they began March 15, and that the related attack website domain names were first registered on March 14.
"In principle, the fact and manner of carrying out this attack is nothing new," according to a Russian-language blog post from security researcher Alexander Gostev at Kaspersky Lab, who adds that "reports of the theft of tens of millions of rubles from the accounts of a bank" seem to appear weekly.
But Gostev says this incident "deserves special attention" because of its technical and social-engineering ingenuity. In particular, the attackers pretended to be FinCERT - a special unit of the Central Bank of Russia launched last year specifically to fight cybercrime and track security incidents that affect the country's financial services sector. They did that in part by formatting their email to look like an official FinCERT document, down to a plausible-looking reference number, "20160314 - 001," for the supposed security alert.
Attackers also emailed targets from a spoofed FinCERT sender address on a look-alike domain registered on March 14, rather than from FinCERT's genuine address, Gostev notes. Whoever registered the fake domain hid their contact details behind an Australian WHOIS privacy service called Privacy Protect.
Gostev says the attack email carried an attached Microsoft Word document containing a Visual Basic macro (see Banking Malware Taps Macros). The document instructs the recipient to enable the macro - it cannot execute automatically - after which the macro attempts to connect to a command-and-control server at "view-atdmt.com," another just-registered domain. If the connection succeeds, the macro downloads and executes a 3 MB file named "fincert.cab," which has been digitally signed with a legitimate code-signing certificate issued to the Moscow aviation parts supplier "SPEC 2000," and which installs LiteManager 3.4, a legitimate remote-administration tool, giving the attackers remote-control access to the infected system, he says. A valid signature attests only that the holder of that certificate's private key signed the file; it says nothing about what the file does, so a signature check alone would not have stopped this payload.
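As an added example, not code from the article or from Kaspersky Lab, the following Python script performs the static triage a mail gateway or analyst would run on an attachment like the one described: it checks an OOXML Word file for a VBA project part and the macro-enabled content type, looks for "enable content" lure text in the document body, and sweeps the raw VBA part for URLs. The sample documents it builds are constructed in memory (no real VBA bytecode); the view-atdmt.com URL and the alert reference come from the article, while the lure phrases, indicator weights and review threshold are assumptions.

```python
import io
import re
import zipfile

# Added example, not code from the article or Kaspersky Lab: static triage of an
# OOXML Word document for the lure pattern described above - a macro the user
# must enable, which then pulls a payload from a freshly registered domain.
MACRO_PART = "word/vbaProject.bin"
MACRO_CONTENT_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
# Assumption: English lure text; a Russian-language lure needs the equivalent phrases.
LURE_PHRASES = ("enable content", "enable macros", "enable editing")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?:/[A-Za-z0-9._\-/?=&%]*)?")


def triage_office_document(data: bytes) -> dict:
    """Return triage findings for an OOXML (.docx/.docm) file supplied as bytes."""
    findings = {
        "is_ooxml": False,
        "has_vba_project": False,
        "macro_content_type": False,
        "lure_phrases": [],
        "urls": [],
    }
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # legacy .doc (OLE2) or not a document at all; route elsewhere
    findings["is_ooxml"] = True
    names = set(zf.namelist())
    findings["has_vba_project"] = MACRO_PART in names

    if "[Content_Types].xml" in names:
        ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        findings["macro_content_type"] = MACRO_CONTENT_TYPE in ct

    if "word/document.xml" in names:
        # Strip XML tags to get the visible text, then look for enable-macro lures.
        xml = zf.read("word/document.xml").decode("utf-8", "replace")
        text = re.sub(r"<[^>]+>", " ", xml).lower()
        findings["lure_phrases"] = [p for p in LURE_PHRASES if p in text]

    if findings["has_vba_project"]:
        # Raw string sweep of the VBA part. A real vbaProject.bin stores module
        # source in MS-OVBA compressed form inside an OLE container, so a URL can
        # be split across tokens and missed: a clean sweep is not a clean bill.
        # Use oletools' olevba for full decompression.
        raw = zf.read(MACRO_PART)
        findings["urls"] = sorted({m.decode("ascii", "replace") for m in URL_RE.findall(raw)})

    return findings


def risk_score(findings: dict) -> int:
    """Weighted indicator sum (weights are assumptions); 3 or more means hold for analyst review."""
    score = 0
    score += 2 if findings["has_vba_project"] else 0
    score += 1 if findings["macro_content_type"] else 0
    score += 1 if findings["lure_phrases"] else 0
    score += 2 if findings["urls"] else 0
    return score


def build_sample(macro: bool) -> bytes:
    """Constructed sample documents: not real malware and no real VBA bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_CONTENT_TYPE if macro else (
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        body = ("Security alert 20160314 - 001. Please click Enable Content to view."
                if macro else "Quarterly report.")
        zf.writestr("word/document.xml",
                    f"<w:document><w:body><w:p><w:t>{body}</w:t></w:p></w:body></w:document>")
        if macro:
            # Stand-in for the VBA part: a plain string where a downloader URL would sit.
            zf.writestr(MACRO_PART, b"\x00\x01VBA\x00URLDownloadToFile http://view-atdmt.com/fincert.cab\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro", build_sample(True)), ("clean", build_sample(False))):
        f = triage_office_document(doc)
        print(label, risk_score(f), f)
```

The constructed macro document scores 6 and the clean one 0 under these weights. In production the VBA part should be decompressed rather than string-swept, and any URL recovered should be joined against domain-age data, since the article's whole attack chain hinges on domains registered a day or two before use.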
The digital certificate may have been stolen or else registered by the attackers. "It remains a mystery why, by whom and how [SPEC 2000] was issued a digital certificate to sign executable files," Gostev says.
To date, it's not clear how many banks may have fallen victim to these attacks. The attackers likely sent their email to hundreds of recipients, Gostev says, noting that as of March 16 the free malware-scanning service VirusTotal showed the malicious file had been scanned more than 70 times and uploaded from 56 different sources.
Parallels with Anthem, Bangladesh Bank Attacks
While the attack against Russian banks might not seem technically complex, that does not mean it was ineffective. Indeed, the February $100 million theft from the central bank of Bangladesh's reserve account at the New York Fed began with attackers somehow breaching the Bangladesh central bank's systems and installing malware in January, Bloomberg reports. To date, $81 million remains missing.
Another interesting takeaway is how the Russian bank attackers' tactics parallel those used to breach U.S. health insurer Anthem - formerly known as Wellpoint - which exposed personally identifiable information for nearly 80 million people in the United States. That attack has been attributed by threat-intelligence vendor CrowdStrike to a Chinese APT group that it calls Deep Panda, a.k.a. Kung Fu Kittens and Shell_Crew (see Anthem Attribution to China: Useful?).
Notably, Anthem's attackers also built an attack infrastructure designed to mirror the real thing, registering such Wellpoint-esque domain names as "extcitrix.we11point.com" and "www.we11point.com" - the digit 1 standing in for the letter l - according to security firm ThreatConnect. In addition, they also used phishing emails that carried attached malware signed with a legitimate certificate.
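As an added example, not code from the article, ThreatConnect or Kaspersky Lab, the following Python script scores observed hosts the way a SOC would hunt for both techniques described above: look-alike domains (we11point.com for wellpoint.com, a FinCERT-branded sender domain) and domains registered days before they were first used. The protected-domain list, brand words, weights and 7-day threshold are assumptions; the hosts come from the article except "fincert-alerts.ru," a hypothetical stand-in for the real fake sender domain, and all registration dates are constructed apart from the sender domain's March 14.

```python
from datetime import date
from typing import Optional
import unicodedata

# Added example, not code from the article, ThreatConnect or Kaspersky Lab:
# score sender domains and C2 hosts that imitate a protected brand, the way
# we11point.com imitated wellpoint.com, and that were registered days before use.

# Assumption: the SOC maintains these lists; a real deployment loads them from config.
PROTECTED = {"wellpoint.com", "anthem.com", "cbr.ru"}   # exact domains to protect
BRAND_WORDS = {"wellpoint", "anthem", "fincert"}        # words that should not appear in foreign domains
NEW_DOMAIN_DAYS = 7                                     # "newly registered" threshold (assumption)

# Digit-for-letter swaps attackers use; extend with other confusables as needed.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host: str) -> str:
    """Keep the last two labels: extcitrix.we11point.com -> we11point.com.
    Assumption: no two-label public suffixes (co.uk) in the data; use publicsuffix2 for those."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """NFKC folds fullwidth and compatibility forms; the table folds digit-for-letter swaps."""
    return unicodedata.normalize("NFKC", domain.lower()).translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; one edit from a protected label is the typosquat threshold."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(host: str, registered: Optional[date], seen: date) -> dict:
    """Score one observed host; 'registered' is its RDAP/WHOIS creation date when known."""
    dom = registrable_domain(host)
    if dom in PROTECTED:
        return {"host": host, "score": 0, "verdict": "legitimate", "reasons": ["protected domain"]}
    norm = normalise(dom)
    name, _, tld = norm.partition(".")
    hits = []
    for brand in sorted(PROTECTED):
        bname, _, btld = brand.partition(".")
        if norm == brand:
            hits.append((3, f"homoglyph of {brand}"))
        elif name == bname:
            hits.append((2, f"label of {brand} under another TLD"))
        elif tld == btld and levenshtein(name, bname) <= 1:
            hits.append((3, f"one edit from {brand}"))
    for word in sorted(BRAND_WORDS):
        if word in name and name != word:
            hits.append((1, f"contains brand word '{word}'"))
    if registered is not None:
        age = (seen - registered).days
        if age <= NEW_DOMAIN_DAYS:
            hits.append((2, f"registered {age} day(s) before first use"))
    score = sum(points for points, _ in hits)
    verdict = "block" if score >= 3 else "review" if score > 0 else "unknown"
    return {"host": host, "score": score, "verdict": verdict, "reasons": [r for _, r in hits]}


def run_samples() -> dict:
    """Constructed observations: hosts from the article plus a hypothetical FinCERT look-alike."""
    seen = date(2016, 3, 16)
    observations = [
        ("extcitrix.we11point.com", None),          # Anthem-era domain named by ThreatConnect; creation date not given here
        ("fincert-alerts.ru", date(2016, 3, 14)),   # hypothetical stand-in for the fake sender domain
        ("view-atdmt.com", date(2016, 3, 14)),      # C2 host from the article; creation date constructed
        ("wellpoint.com", date(2000, 1, 1)),        # date constructed
        ("mail.example.com", date(2010, 6, 1)),     # date constructed
    ]
    return {host: assess(host, reg, seen) for host, reg in observations}


if __name__ == "__main__":
    for host, r in run_samples().items():
        print(f"{r['verdict']:10} {r['score']} {host}: {'; '.join(r['reasons'])}")
```

With these weights the we11point host is blocked on the homoglyph match alone, the FinCERT-branded domain is blocked because brand-word containment plus a two-day-old registration add up, and view-atdmt.com only reaches "review" since it imitates nothing on the protected list: domain age is a signal, not a verdict, and the protected list has to be curated for the hunt to catch the sender side of this campaign.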
There's absolutely no indication that whoever targeted the Russian banks hacked Anthem or the central bank of Bangladesh. Rather, the takeaway is that cybercriminals are continuing to refine their tactics, in this case by using a "looks like the real thing" attack infrastructure and savvy social engineering to try to gain remote access to Russian banks' systems.
"This incident proves two things: FinCERT's activities are interesting to criminals, [and criminals] are more widely read than the banks," says Artem Sychev, deputy head of information security at the Bank of Russia, via Twitter.