
Kaspersky Lab: unravelling the anatomy of a digital financial attack

A Russian company contacted Kaspersky Lab and asked it to investigate an incident in which more than $130,000 was very nearly stolen from the company's bank account. The company's representatives suspected that malware was behind the incident, and Kaspersky Lab's experts confirmed this within the first days of the investigation.


  • The cybercriminals infected the company's computers by sending an email with a malicious attachment that appeared to come from the Public Finance Service.
  • To gain remote access to the computer of the company's accountant, the fraudsters used a modified version of a legitimate program.
  • A malicious program was used to steal the money. It incorporated code from the Carberp banking Trojan, whose source code is publicly available.
  • The criminals made a mistake when setting up their Command & Control (C&C) servers, which allowed Kaspersky Lab's experts to discover the IP addresses of other infected computers and warn their owners of the threat.

The bank that the targeted company works with blocked the attempted $130,000 transaction. However, the criminals did manage to carry out an $8,000 transfer: that amount was too small to trigger an alert at the bank, so no additional confirmation was requested from the client's accountant.

The tools used by the cybercriminals

Experts from Kaspersky Lab's Global Emergency Response Team received from the company an image of the hard drive of the attacked computer. They soon identified a suspicious email, sent in the name of the Public Finance Service, which demanded that certain documents be provided immediately. The list of required documents was in an attached Word document. That document had been weaponised with an exploit for the vulnerability CVE-2012-0158. The exploit was triggered as soon as the document was opened, and it then dropped another malicious program onto the victim's computer.

On the hard drive of the affected computer, the experts identified a modified version of a legitimate program that provides remote access to computers. Such programs are commonly used by accountants and by IT administrators. However, the version found on the computer had been modified to hide its presence on the infected system. Kaspersky Lab products detect and block this program under the name Backdoor.Win32.RMS.

However, this was not the only malicious program found on the victim's computer. Further investigation showed that another backdoor (Backdoor.Win32.Agent) had been downloaded to the computer with the help of Backdoor.Win32.RMS. The criminals used it to gain remote access to the computer over Virtual Network Computing (VNC). Notably, code from the Carberp banking Trojan was identified inside Backdoor.Win32.Agent; the Carberp source code was published earlier this year.

After gaining control of the computer, the criminals created a fraudulent payment order in the remote banking system. To have the order accepted, they submitted it from the IP address of the accountant's computer, which the bank treated as trusted. But how did the criminals get hold of the credentials the accountant used for transactions? The experts continued their investigation and found yet another malicious program, Trojan-Spy.Win32.Delf: a keylogger that intercepted everything typed on the keyboard. This is how the criminals obtained the accountant's password and were able to push the fraudulent transaction through.

Additional victims

When the investigation was nearing its final stage, Kaspersky Lab's experts discovered another curious fact. All the malware involved in the attack was managed from C&C servers whose IP addresses belonged to the same subnet. When setting up that subnet, the cybercriminals made a mistake that allowed the experts to discover the IP addresses of other computers infected with Trojan-Spy.Win32.Delf. In most cases these turned out to belong to small and medium-sized businesses. Kaspersky Lab immediately contacted the owners of the infected computers and warned them of the threat.
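The report does not say what the configuration mistake was, only that all C&C servers sat in one subnet and that this exposed further victims. The general investigative move is the same regardless of the mistake: take the C&C addresses you already know, derive the smallest network that contains them all, and then hunt your own connection logs for any host that talked to anything else in that range. The following Python is an added example of that pivot, not code from Kaspersky Lab or from the report; the C&C addresses, the internal hosts and the log format (`src=... dst=... dport=...`) are all constructed, and the addresses are taken from the RFC 5737 documentation ranges.

```python
"""Pivot from known C&C addresses to other hosts contacting the same subnet.

Added example, not part of the Kaspersky Lab report. Every address and log
line below is constructed; the log format is an assumption.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: three C&C addresses recovered from the malware samples.
KNOWN_C2 = ["203.0.113.17", "203.0.113.42", "203.0.113.130"]

# Constructed outbound-connection log (assumed format:
# "<timestamp> src=<ip> dst=<ip> dport=<port>").
SAMPLE_LOG = """\
2013-11-04T09:12:01 src=10.0.0.12 dst=198.51.100.7 dport=443
2013-11-04T09:12:05 src=10.0.0.25 dst=203.0.113.17 dport=8080
2013-11-04T09:13:10 src=10.0.0.31 dst=203.0.113.200 dport=443
2013-11-04T09:13:11 src=10.0.0.31 dst=203.0.113.200 dport=443
2013-11-04T09:14:00 src=10.0.0.40 dst=192.0.2.9 dport=80
2013-11-04T09:15:22 src=10.0.0.25 dst=203.0.113.42 dport=8080
"""

LINE_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)")


def smallest_common_network(addrs):
    """Return the smallest IPv4 network that contains every address in addrs.

    Each address starts as a /32; the prefix is widened one bit at a time
    until all of them fit.
    """
    hosts = [ipaddress.ip_network(a) for a in addrs]
    net = hosts[0]
    while not all(h.subnet_of(net) for h in hosts):
        net = net.supernet()
    return net


def find_hosts_talking_to(log_text, network):
    """Map each internal source to the destinations it contacted inside network.

    Lines that do not match the assumed format are skipped. The result is
    {src_ip: sorted list of dst_ip}.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, _port = m.groups()
        if ipaddress.ip_address(dst) in network:
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def new_leads(hits, known_c2):
    """Destinations inside the C&C range that were not in the original list."""
    seen = {dst for dsts in hits.values() for dst in dsts}
    return sorted(seen - set(known_c2))


if __name__ == "__main__":
    net = smallest_common_network(KNOWN_C2)
    hits = find_hosts_talking_to(SAMPLE_LOG, net)
    print("C&C range:", net)
    for src, dsts in sorted(hits.items()):
        print(f"  {src} -> {', '.join(dsts)}")
    print("new C&C candidates:", new_leads(hits, KNOWN_C2))
```

On the constructed log this yields the range 203.0.113.0/24, shows that 10.0.0.25 contacted two known C&C servers, and surfaces 10.0.0.31 talking to 203.0.113.200, an address that was not in the original list. Treat such hits as leads, not verdicts: a /24 derived from three addresses may also contain unrelated tenants of the same hosting provider, so each new destination still needs its own corroboration (sample, certificate, registration data) before anyone is notified.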

"From a technical point of view, we cannot say that this incident is an example of an attack that focuses on a particular country, even though it took place in Russia. In fact, this kind of cybercrime varies very little from country to country. Throughout the world, most businesses use versions of Windows and Microsoft Office that may contain vulnerabilities that have not been patched. There are also only very small differences in the way finance departments interact with banks. This makes it easier for cybercriminals to steal money through remote banking systems," said Mikhail Prokhorenko, malware analyst in Kaspersky Lab's Global Emergency Response Team.

To reduce the risk of money being stolen from online bank accounts, Kaspersky Lab's experts advise businesses that use such systems to adopt reliable multi-factor authentication (e.g. hardware tokens, one-time passwords issued by the bank, etc.). They also recommend promptly and regularly updating the software installed on corporate computers (this is particularly important for the computers used by finance departments), installing security solutions, training employees to recognise the signs of an attack, and responding immediately to such incidents.
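The $8,000 transfer went through because the bank's only extra control was an amount threshold, and the criminals satisfied every other check (password captured by the keylogger, order submitted from the accountant's trusted IP address). The example below, written for this article and not taken from Kaspersky Lab or any bank, contrasts that amount-only policy with the one-time-password control recommended above. The bank-issued code is modelled as an RFC 4226 HOTP counter-based code (an assumption; the report does not say which OTP scheme to use), the threshold value and the trusted address are constructed, and the token secret is the RFC 4226 test-vector secret so the codes can be checked against the RFC.

```python
"""Amount-only transfer approval versus a bank-issued one-time code.

Added example for this article; not code from Kaspersky Lab or any bank.
The threshold, the trusted IP and the payee are constructed. The one-time
code is RFC 4226 HOTP (an assumed scheme), keyed with the RFC's own
test-vector secret so the values below can be verified against the RFC.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

ALERT_THRESHOLD = 50_000          # constructed: $8,000 is below, $130,000 above
TRUSTED_IPS = {"10.0.0.25"}       # constructed: the accountant's workstation
TOKEN_SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret


@dataclass
class Transfer:
    amount: float
    src_ip: str
    payee: str
    otp: Optional[str] = None     # code typed in from the bank-issued token


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        ((mac[offset] & 0x7F) << 24)
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    ) % (10 ** digits)
    return f"{code:0{digits}d}"


def weak_policy(t: Transfer) -> str:
    """The control described in the article: extra confirmation only above a
    threshold, and the source address stands in for the user's identity."""
    if t.amount >= ALERT_THRESHOLD:
        return "HOLD: manual confirmation required"
    if t.src_ip in TRUSTED_IPS:
        return "APPROVED"
    return "HOLD: unknown source address"


class HardenedPolicy:
    """Every outgoing transfer needs a valid, unused one-time code.

    The source IP is deliberately not consulted: the fraudulent order in the
    article came from the trusted address, so the address proves nothing.
    """

    def __init__(self, token_secret: bytes, counter: int = 0):
        self.secret = token_secret
        self.counter = counter    # next code the bank expects from this token

    def decide(self, t: Transfer) -> str:
        if not t.otp:
            return "HOLD: one-time code required"
        expected = hotp(self.secret, self.counter)
        if not hmac.compare_digest(expected, t.otp):
            return "HOLD: invalid one-time code"
        self.counter += 1         # consumed: the same code cannot be replayed
        return "APPROVED"


if __name__ == "__main__":
    big = Transfer(130_000, "10.0.0.25", "ACME Supplies")
    small = Transfer(8_000, "10.0.0.25", "ACME Supplies")
    print("weak  ", big.amount, weak_policy(big))
    print("weak  ", small.amount, weak_policy(small))
    bank = HardenedPolicy(TOKEN_SECRET)
    print("hard  ", small.amount, bank.decide(small))
    small.otp = hotp(TOKEN_SECRET, 0)   # code read off the token
    print("hard  ", small.amount, bank.decide(small))
    print("replay", small.amount, bank.decide(small))
```

Under the weak policy the $130,000 order is held but the $8,000 one sails through, exactly as in the incident. Under the hardened policy the same $8,000 order is held until a valid code is entered, and a second submission with the same code is rejected because the counter has moved on. One caveat a practitioner should keep in mind: a keylogger such as Trojan-Spy.Win32.Delf can capture a typed one-time code just as it captured the password, so the code only helps if it is consumed before the attacker can reuse it and is generated on a device the attacker does not control; a token that binds the code to the payee and amount (transaction signing) closes that gap, but that goes beyond what the article recommends.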

More information about the incident and Kaspersky Lab's investigation is available in Mikhail Prokhorenko's article on Securelist.com.


Written by giorgos
