The Story of an Investigation: How to Unravel the Tangle of a Financial Cyber-attack

11 September 2014

A Russian company contacted Kaspersky Lab asking them to investigate an incident where more than $130,000 was nearly stolen from its corporate account. The company representatives suspected malware was behind this incident and that suspicion was confirmed in the very first days of investigation.

  • Cybercriminals had infected the company’s computers by sending an email with a malicious attachment that claimed to come from the state tax office
  • To gain remote access to the accountant’s computer within the corporate network, the attackers used a modified version of a legitimate remote-administration program
  • A malware program was used to steal the money. It included elements of the banking Trojan Carberp, whose source code is publicly available
  • The cybercriminals made a mistake in configuring their C&C servers, enabling Kaspersky Lab’s specialists to discover the IP addresses of other infected computers and warn their owners of the threat

The bank which serviced the targeted company blocked the attempted $130,000 transaction. However, the cybercriminals did successfully take an $8,000 payment: the amount was too small to raise any alarms at the bank and did not require additional confirmation from the client organisation’s accountant.

The exploit

The experts at Kaspersky Lab’s Global Emergency Response Team (GERT) received an image of the attacked computer’s hard drive from the attacked organisation. They studied this and soon detected a suspicious email message sent in the name of the state tax office, asking the recipient to provide some documents immediately. The list of required documents was provided in an attached Word document which carried an exploit for the vulnerability CVE-2012-0158. The exploit was activated when the document was opened, and it downloaded another malicious program to the victim computer.

Two Trojans

On the infected computer’s hard drive GERT specialists detected a modified version of a legitimate program designed to provide remote access to computers. Such programs are commonly used by accountants or system administrators. However, the version detected on the victim computer was modified to conceal its presence in the infected system: its icon in the Windows taskbar was hidden, the registry key where its settings were stored was modified, and the GUI display was disabled. Kaspersky Lab products blocked this program with the verdict ‘Backdoor.Win32.RMS’.

However, this was not the only malicious program detected on the victim computer. Further investigation showed that another backdoor (Backdoor.Win32.Agent) was downloaded to the victim computer with the help of Backdoor.Win32.RMS. The cybercriminals used this to gain remote Virtual Network Computing (VNC) access to the victim computer. Remarkably, elements of the banking Trojan Carberp were detected in the Backdoor.Win32.Agent code. Carberp’s source code was published earlier this year.

With the help of Backdoor.Win32.RMS, the cybercriminals downloaded the Trojan Backdoor.Win32.Agent to the victim computer and seized control of it. The cybercriminals then created an illegitimate payment order in the remote banking system and verified it from the IP address of the accountant’s computer, which the bank treated as trusted. But how did the cybercriminals get hold of the passwords used by the accountant to make a transaction? The experts continued their investigation and detected another malicious program, Trojan-Spy.Win32.Delf: a keylogger that intercepted the data entered from the keyboard. In this way, the cybercriminals stole the accountant’s password and were able to make the illegitimate transaction.

New victims

When the investigation was nearing completion, the experts discovered yet another curious fact: all the malicious programs involved in the attack were managed from C&C servers whose IP addresses belonged to the same sub-network. When rolling out this sub-network, the cybercriminals committed an error which allowed Kaspersky Lab’s experts to find out the IP addresses of other computers infected with Trojan-Spy.Win32.Delf. In most cases, these proved to be computers owned by SMBs. Kaspersky Lab promptly contacted the owners of the infected computers and warned them of the threat.
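The shared sub-network observation above is also a practical hunting lead for defenders: once a few C&C addresses are known, outbound connections to the rest of their /24 block are worth a second look. The following is an added example, not code from Kaspersky Lab or the Securelist article; the C&C addresses and the flow-log lines are constructed from documentation IP ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder C&C addresses (documentation range, not the incident's real IPs).
KNOWN_C2 = ["198.51.100.17", "198.51.100.42", "198.51.100.88"]

# Constructed flow-log lines: "<timestamp> <src_ip> <dst_ip> <dst_port>"
FLOW_LOG = """\
2014-09-01T10:02:11 10.0.5.21 198.51.100.17 443
2014-09-01T10:02:15 10.0.5.21 203.0.113.9 80
2014-09-01T10:04:40 10.0.5.33 198.51.100.120 443
2014-09-01T10:05:02 10.0.5.40 192.0.2.5 443
2014-09-01T10:07:19 10.0.5.33 198.51.100.17 8080
2014-09-01T10:09:55 10.0.5.52 198.51.100.200 443
"""


def c2_subnets(c2_ips, prefix=24):
    """Collapse the known C&C addresses into the /prefix networks that host them."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in c2_ips}


def hunt(flow_log, c2_ips, prefix=24):
    """Map each internal host to the suspicious destinations it contacted.

    A destination is labelled "known-c2" when it is one of the confirmed C&C
    addresses and "same-subnet" when it merely shares their /prefix block.
    Same-subnet hits are leads that need confirmation (the block could be
    shared hosting), not verdicts; known-c2 hits warrant immediate triage.
    """
    nets = c2_subnets(c2_ips, prefix)
    exact = {ipaddress.ip_address(ip) for ip in c2_ips}
    hits = defaultdict(dict)
    for line in flow_log.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, _port = line.split()
        dst_ip = ipaddress.ip_address(dst)
        if any(dst_ip in net for net in nets):
            hits[src][dst] = "known-c2" if dst_ip in exact else "same-subnet"
    return {host: dict(sorted(dests.items())) for host, dests in hits.items()}


if __name__ == "__main__":
    for host, dests in sorted(hunt(FLOW_LOG, KNOWN_C2).items()):
        print(host, dests)
```

Running it flags three of the four internal hosts; the host that only talked to an unrelated address is left alone.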

“Although this story happened in Russia, from a technical standpoint it is hardly country-specific; in fact, this type of cybercrime varies very little from country to country. All over the world most companies use versions of Windows and Microsoft Office that may contain unpatched vulnerabilities. There is also little difference between the ways companies’ financial departments interact with banks via banking services in different countries. This makes life easy for cybercriminals who steal money via remote banking systems,” said Mikhail Prokhorenko, malware analyst at Kaspersky Lab’s Global Emergency Response Team.

To reduce the risk of having money stolen from corporate accounts, Kaspersky Lab’s experts advise organisations using remote banking systems to set up reliable multi-factor authentication (including tokens, one-time passwords provided by the bank, etc.), to make sure that the software installed on corporate computers is promptly updated (this is especially relevant for the computers used in financial departments), to protect such computers with a security solution, and to train staff to recognise the signs of attacks and respond appropriately to such events.

A more detailed account of how this security incident was investigated by Kaspersky Lab is available in Mikhail Prokhorenko’s article at Securelist.com.

About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 200,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.