GCMAN: At the Security Analyst Summit (SAS 2016) held in Tenerife, Spain, Kaspersky researchers uncovered a new cybercriminal group.
The group is called GCMAN and targets Russian banks.
The nickname comes from GCC (the GNU Compiler Collection), the compiler the team used to build their custom-made malware.
The malware was distributed via spear-phishing e-mails sent to key individuals across the bank's organization chart.
If these people opened the malicious RAR file attached to the e-mail, their computer was infected with the group's malware.
This malware is designed specifically for moving laterally within the bank's IT infrastructure. It actively looks for financial transaction servers, using penetration-testing tools such as Meterpreter, PuTTY, and VNC to gain access to the systems.
Once it discovers machines that process transactions, the malware uses a simple cron script that begins sending 200 dollars per minute to various digital-currency accounts, which are of course controlled by the malware's developers.
The GCMAN cron script was discovered by accident
Kaspersky reports that the script was discovered by accident by a bank employee who encountered the GCMAN malware and managed to stop it before it executed a transaction.
Immediately thereafter, Kaspersky researchers discovered that the bank's entire transaction-processing network contained malicious software. The initial infection had taken place 18 months earlier on a single computer.
The hackers used that machine to attack 70 other computers on the bank's network, compromising 56 of them until they reached what they were looking for. Eighteen months later, they returned to place the cron script on the server and begin the withdrawals. But it seems that luck was not on their side.