Post-Soviet Bank Heists: A Hybrid Cybercrime Study

Today we are publishing a SpiderLabs Advanced Threat Report that details a major cyberattack targeting banks mainly located in post-Soviet states. All the attacks share a common profile and the finely tuned orchestration of the entire operation shows an innovative new technique for stealing money.

The strategy behind this attack was to manipulate the "Overdraft Limit" (OD), a critical attribute of debit cards. The overdraft limit specifies the amount of credit the owner can gain access to that is beyond their actual account balance. Not all debit cards offer OD as this depends upon the risk profile and other attributes of the account holder. The idea behind this attack worked like this:

  • Send people (aka "mules") using rogue identities to branches to set up new bank accounts and request debit cards
  • "Manipulate" the OD limit of these debit cards and remove any restrictions in the core card processing system/service
  • Transfer those recently acquired cards abroad
  • Involve other "mules" to withdraw funds from ATMs in large amounts

This hybrid attack combined cyber and physical activities to steal money from the targeted banks. Mules were used to open the bank accounts, the cyber team attacked the banking infrastructure, and another team of mules was used to collect the money from ATMs located in foreign countries. The entire operation required many resources and careful coordination of those resources. Since legitimate debit cards (versus stolen cards) were used to perform the ATM transactions, and the attackers removed anti-fraud controls for those accounts, the cash-out did not trigger any alarms in the bank systems.

The average attack duration was six months, including setting up new accounts, conducting the cyber-attack and withdrawing funds from ATMs. An important feature to note is that in the final stage of the attack, manipulation of the debit cards' OD limit and the withdrawals took place almost simultaneously. The same minute the first card's OD limit was modified, the physical card was used in another country to perform the withdrawal. Modifying a substantial number of cards required approximately 4-6 hours, and at the same time all those cards were used abroad. This sophisticated coordination is a strong indicator of organized crime activities.
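The timing pattern described above (an OD limit increase followed within minutes by an ATM withdrawal abroad, repeated across many cards over a few hours) can be checked for by correlating card-management audit records with ATM transactions. The following is an added detection sketch, not code from the report; the record layouts, the placeholder country codes, the 10-minute window and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

HOME = "XA"                      # assumption: issuing country (placeholder code)
WINDOW = timedelta(minutes=10)   # assumption: max gap from limit change to cash-out

# Constructed sample records, not data from the report.
OD_CHANGES = [                   # (card, time, old_limit, new_limit)
    ("card-001", "2000-01-08T22:01:10", 0, 30000),
    ("card-002", "2000-01-08T22:03:45", 0, 30000),
    ("card-003", "2000-01-08T09:15:00", 500, 800),
]
ATM_WITHDRAWALS = [              # (card, time, country, amount)
    ("card-001", "2000-01-08T22:01:50", "XB", 5000),
    ("card-002", "2000-01-08T22:05:02", "XC", 5000),
    ("card-003", "2000-01-10T12:00:00", "XA", 200),
    ("card-004", "2000-01-08T22:02:00", "XB", 100),
]

def _ts(text):
    return datetime.fromisoformat(text)

def correlate(od_changes, withdrawals, home=HOME, window=WINDOW):
    """Alert on foreign ATM withdrawals that closely follow an OD limit increase."""
    raises = {}
    for card, when, old, new in od_changes:
        if new > old:
            raises.setdefault(card, []).append((_ts(when), new))
    alerts = []
    for card, when, country, amount in withdrawals:
        for changed_at, new_limit in raises.get(card, []):
            delay = _ts(when) - changed_at
            if country != home and timedelta(0) <= delay <= window:
                alerts.append({"card": card, "country": country,
                               "amount": amount, "new_limit": new_limit,
                               "delay_s": int(delay.total_seconds())})
    return alerts

def largest_burst(od_changes, span=timedelta(hours=6)):
    """Most limit increases seen inside any single `span`-long window."""
    times = sorted(_ts(when) for _, when, old, new in od_changes if new > old)
    return max((sum(1 for t in times[i:] if t - start <= span)
                for i, start in enumerate(times)), default=0)

if __name__ == "__main__":
    for alert in correlate(OD_CHANGES, ATM_WITHDRAWALS):
        print(alert)
    print("largest burst of limit increases:", largest_burst(OD_CHANGES))
```

Because the attackers removed the anti-fraud controls inside the card processing system itself, a check like this is only useful when it runs on logs collected outside that system.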

I want to emphasize one of the tools used after the last stage of the operation. When performing forensic investigations, you spend a lot of time looking for remnants or evidence that will lead you to additional evidence and so on. This allows forensic investigators to build the sequence of events for the cybercrime along with its associated timeline. In this investigation, after we started analyzing the transactions, we backtracked to identify, one by one, all the different systems compromised and used for malicious activities. You keep moving back until you hit one or more endpoints outside the bank's infrastructure which may then be used to detect adversaries. At one point we identified an internal system that had nothing to do with the card processing infrastructure but was leveraged for lateral movement and appeared to be the originating point of all the internal connections.

We immediately asked for a copy of this endpoint. The IT team agreed to provide a copy but cautioned us not to expect much as this system had become "unavailable" immediately after the attack. Nobody expected to see a connection between the attack and the failure of that system because there was no obvious correlation between them. When we received a copy of that system we discovered that the file system was corrupted and OS boot or file viewing was not possible.

[Figure: Code 1 - OS not found!]

After experimenting with several tools, it was clear that the MBR was corrupted or destroyed. At this point we used TestDisk, a powerful open source data recovery tool capable of fixing or recovering partition tables. Using TestDisk we were able to get the file system ready for further inspection. By correlating the timeline of events against the series of actions that led to the file system corruption, we quickly identified a process called "dropper.exe" executed seconds before the last termination of the operating system. This file was also deleted upon execution but was easily recovered.
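A quick way to confirm that an acquired image has a damaged MBR before starting recovery is to inspect its first sector directly. The following is an added triage example, not code from the report or from TestDisk: it checks the 0x55AA boot signature and the four partition table entries, and separates a zero-filled sector from one overwritten with other data. The sample sectors are constructed for illustration, and the report does not state which of these forms the damage took.

```python
import struct

SECTOR = 512
PT_OFFSET = 446            # partition table: four 16-byte entries
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA, count

def triage_mbr(sector):
    """Classify sector 0 of a disk image as 'valid', 'zeroed' or 'corrupt'."""
    if len(sector) < SECTOR:
        raise ValueError("need the full 512-byte first sector")
    sector = bytes(sector[:SECTOR])
    partitions = []
    for index in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, PT_OFFSET + 16 * index)
        if ptype != 0:     # type 0x00 marks an unused slot
            partitions.append({"index": index, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    signature_ok = sector[510:512] == b"\x55\xaa"
    if sector == bytes(SECTOR):
        state = "zeroed"
    elif signature_ok and partitions:
        state = "valid"
    else:
        state = "corrupt"
    return {"state": state, "signature_ok": signature_ok, "partitions": partitions}

def triage_image(path):
    """Read only the first sector of an acquired image (opened read-only)."""
    with open(path, "rb") as image:
        return triage_mbr(image.read(SECTOR))

def sample_mbr():
    """Constructed healthy MBR: one bootable NTFS (0x07) partition at LBA 2048."""
    sector = bytearray(SECTOR)
    sector[0:2] = b"\x33\xc0"   # stand-in for boot code, not a real loader
    ENTRY.pack_into(sector, PT_OFFSET, 0x80, b"\x20\x21\x00", 0x07,
                    b"\xfe\xff\xff", 2048, 204800)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

if __name__ == "__main__":
    print(triage_mbr(sample_mbr()))
    print(triage_mbr(bytes(SECTOR)))        # overwritten with zeros
    print(triage_mbr(b"\xa5" * SECTOR))     # overwritten with other data
```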

Deeper investigation indicated the suspicious file was likely used to wipe evidence from the crime scene. This specialized malware "dropper.exe" was designed to render the OS unbootable. Upon execution, the malware corrupts the system's MBR, deletes itself and then executes an immediate system restart.

This executable drops a DLL file named "xuidll.dll" in the Windows System32 directory and adds a Winlogon registry key for persistence. The purpose of the dropped DLL is to wipe out the Master Boot Record (MBR) when a specific trigger condition is met.

The executable first drops the file xuidll.dll in the %windir%\System32 directory. This DLL exports two functions:

  1. install: This function is responsible for installing persistence on the target system using the following registry key.
  2. on_load: This function checks whether specific conditions are met. These conditions include the existence of a certain key in the registry and the current date and time being November 25, 10:30:00 am or later. When these conditions are met, it wipes the system's MBR. It remains a mystery why such a condition was incorporated into the code.

The following code checks if the specific date and time condition is met:

[Figure: Code 2 - Code to check whether MBR should be wiped (or not)]

[Figure: Code 3 - Code to wipe the system MBR]

This file is not yet publicly known in VirusTotal or other similar services, which is another strong indicator of targeted operations and organized crime actors. The use of this tool demonstrates that the attackers were highly motivated to wipe their tracks clean by creating additional obstacles for investigative procedures.

Hashes of the file are provided below:

Hash Type   Value
MD5         7617dcef38fc5a2a6d6c31a7ef91961d
SHA-1       95180c3ec55775d5fa007a51593e29f9416bb6ef
SHA256      DF8948696BB8759EDE500A6A27CE788F1438D1A57F114709D7239865C728B22C
SSDeep      48:ZttGHldpS2oJ+seovteNJzMXEVmXmh7zp00J6CzW3d95gSjiaqqRD9SdoBM:ZDmkb5eo1ekEVmXOzxJLW3qsiaRUqe

Closing Thoughts

This set of attacks demonstrates that cyber criminals continue to innovate at an astonishing rate. In this case it was clearly demonstrated that criminal organizations can quickly identify weaknesses in processes such as new account creation and take advantage of them in a stealthy and efficient manner.

As soon as the attackers gained access to the infrastructure, they performed network mapping and privilege escalation activities that allowed them to take on the role of a low-privileged insider. Organizations need to expand their defensive security strategy to assume that they have "already been compromised" and actively search for threats to detect and minimize damage. This is known as Threat Hunting, and it helps businesses detect existing adversaries moving laterally within their infrastructures and mitigate these threats before they have a chance to realize their full potential.
