Hackers stole millions of dollars from 20 organizations in the United States and Russia
A hacker group called MoneyTakers has stolen about $10 million from banks and financial organizations in the United States, Russia, and the United Kingdom. Moscow-based security firm Group-IB reports that at least 20 financial companies and ATM networks were compromised during the past 18 months.
The Russian-speaking group was named MoneyTakers after the fileless malware it used against banks. Researchers say the criminals studied the targeted banks' internal documentation in order to learn how they operate before launching their attacks.
The criminals stole money from American banks by gaining access to the card processing system. They then opened accounts, removed the limits on the associated bank cards and had money mules withdraw the cash from ATMs.
According to the researchers, 16 organizations in the United States, three Russian banks and one bank in the United Kingdom have suffered MoneyTakers attacks since the first campaign was launched in spring 2016, when the criminals hit an unnamed bank in the US.
Security experts currently expect MoneyTakers to target banks and financial organizations in Latin America next. The group may also be trying to break into the SWIFT international bank messaging service.
MoneyTakers started their illegal project in 2016
The first attack took place in May 2016, when the group stole money from 10 organizations in the United States, United Kingdom, and Russia. According to the research, the criminals stole about $500,000 from the American banks, while the targeted Russian organizations lost more than $3 million.
At that time the criminals attacked six banks and one service provider located in California, Florida, Oklahoma, Illinois, Missouri, Colorado, South and North Carolina, Virginia and Utah. Two UK-based IT companies and two Russian banks were among the victims as well.
In 2017 the criminals continued stealing from US and Russian institutions: eight banks and one law firm in the United States were attacked, while only one Russian bank was hit.
The highly skilled hackers did preparatory work before withdrawing any money. First, they analyzed the targeted institution's documentation. Then they installed fileless malware using sophisticated methods. Finally, they monitored the operations of the compromised banks before cashing out.
A sophisticated infiltration strategy lets the group bypass detection
MoneyTakers used several tools and strategies to carry out successful attacks, including:
- The Metasploit and PowerShell Empire penetration-testing frameworks, used to find security weaknesses and flaws.
- The Citadel and Kronos banking trojans, used to steal financial information.
- NirCmd, a command-line utility that lets the attackers execute commands remotely.
- Custom tools of their own for specific tasks.
PowerShell and VBS scripts were used to install and run the malware on compromised systems. To avoid detection by security software, the group relied on advanced evasion techniques; for example, it communicated with its command-and-control servers over SSL/TLS using certificates bearing the names of Microsoft Corporation, Bank of America and other well-known companies, so that the traffic looked like ordinary connections to trusted services.
Finally, once the job was done, the criminals erased their traces, which made them hard to find and catch even though millions of dollars were cashed out. They chose small community banks as their main targets because such banks have weaker defenses and are easier to break into.
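The certificate trick described above has a defender's counterpart: a certificate that claims to belong to Microsoft or Bank of America but is self-signed, or is signed by a CA those companies never use, is a strong signal when it shows up on an outbound connection from a bank workstation. The following Python script is an added example (not code from the original page, from Group-IB or from the attackers) that runs that check over TLS inspection records. The record layout, the sample records, the watch-list of impersonated names and the allow-list of issuing CAs are all constructed assumptions for illustration, not observed data.

```python
"""Flag TLS server certificates that borrow a well-known company's name.

Added example, not Group-IB's or the attackers' code. Heuristic: a certificate
whose subject claims a high-profile organisation, but which is self-signed or
issued by a CA that organisation does not use, deserves analyst attention.
All records and lists below are constructed for this example.
"""
import re

# Organisation names seen impersonated in C2 certificates (assumed watch-list).
WATCHED_ORGS = {"microsoft corporation", "bank of america"}

# Issuer organisations that legitimately sign certificates for the watched
# names (assumed allow-list; a real deployment would pin the actual CA chains).
TRUSTED_ISSUER_ORGS = {"digicert inc", "entrust, inc.", "microsoft corporation"}


def parse_dn(dn):
    """Split an RFC 4514-style DN such as 'CN=x,O=y,C=US' into {attr: value}.

    Commas escaped with a backslash are treated as part of the value.
    """
    fields = {}
    for part in re.split(r"(?<!\\),", dn):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip().replace("\\,", ",")
    return fields


def classify_cert(record):
    """Return a list of reasons the certificate looks like impersonation.

    An empty list means the record passes this check. ``record`` holds the
    fields a TLS inspection log would carry: destination IP, SNI server name,
    certificate subject DN and issuer DN (constructed layout).
    """
    subject = parse_dn(record["subject"])
    issuer = parse_dn(record["issuer"])
    subject_org = subject.get("O", "").lower()
    if subject_org not in WATCHED_ORGS:
        return []  # name is not on the watch-list; nothing being impersonated

    reasons = []
    if subject == issuer:
        reasons.append(f"self-signed certificate claiming to be {subject['O']}")
    elif issuer.get("O", "").lower() not in TRUSTED_ISSUER_ORGS:
        reasons.append(f"issuer {issuer.get('O')!r} does not sign for {subject['O']}")

    # Secondary signal: a real service is reached by hostname, so a client that
    # sent no SNI and connected straight to an IP is typical of C2 traffic.
    if reasons and not record.get("server_name"):
        reasons.append(f"no SNI, client connected directly to {record['dst']}")
    return reasons


def scan(records):
    """Return [(dst, reasons)] for every record that trips the heuristic."""
    hits = []
    for record in records:
        reasons = classify_cert(record)
        if reasons:
            hits.append((record["dst"], reasons))
    return hits


# Constructed sample records (RFC 5737 documentation addresses, not real hosts).
SAMPLE_RECORDS = [
    {   # legitimate: Microsoft leaf cert issued by a Microsoft CA, proper SNI
        "dst": "203.0.113.10",
        "server_name": "login.microsoftonline.com",
        "subject": "CN=login.microsoftonline.com,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US",
        "issuer": "CN=Microsoft RSA TLS CA 02,O=Microsoft Corporation,C=US",
    },
    {   # C2 pattern: self-signed cert naming Microsoft, reached by bare IP
        "dst": "198.51.100.23",
        "server_name": "",
        "subject": "CN=Microsoft Corporation,O=Microsoft Corporation,C=US",
        "issuer": "CN=Microsoft Corporation,O=Microsoft Corporation,C=US",
    },
    {   # C2 pattern: Bank of America name signed by an unknown private CA
        "dst": "198.51.100.77",
        "server_name": "update-service.example",
        "subject": "CN=www.bankofamerica.com,O=Bank of America,C=US",
        "issuer": "CN=Private Root,O=Example Internal CA,C=US",
    },
    {   # unrelated self-signed cert: not on the watch-list, so ignored here
        "dst": "203.0.113.45",
        "server_name": "intranet.example",
        "subject": "CN=intranet.example,O=Example Org,C=US",
        "issuer": "CN=intranet.example,O=Example Org,C=US",
    },
]


if __name__ == "__main__":
    for dst, reasons in scan(SAMPLE_RECORDS):
        print(dst)
        for reason in reasons:
            print("   -", reason)
```

In practice the subject and issuer strings would come from a TLS inspection source such as a proxy log or Zeek's ssl.log and x509.log rather than from the inline list. The weak point of the heuristic is the issuer allow-list: a name-based allow-list only says an issuer organisation looks right, so a production check should compare the full chain against the certificates the real services actually present, and treat the "no SNI" condition as corroboration rather than as a detection on its own.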