
Kaspersky Lab reveals the inner workings of a financially motivated cyber attack

A Russian company contacted Kaspersky Lab, asking it to investigate an incident in which more than $130,000 was almost stolen from its bank account. The company's representatives suspected that malicious software was behind the incident, and Kaspersky Lab's experts confirmed this within the first days of the investigation.


  • The cybercriminals infected the company's computers by sending an email with a malicious attachment that appeared to come from a public financial service.
  • To gain remote access to the accountant's computer, the criminals used a modified version of a legitimate remote-administration program.
  • A malicious program was used to steal the money. It included code from a banking Trojan whose source code is publicly available.
  • The criminals made a mistake when configuring their Command & Control (C&C) servers, which allowed Kaspersky Lab's experts to discover the IP addresses of other infected computers and warn their owners of the threat.

The bank that works with the targeted company blocked the attempted $130,000 transaction. However, the criminals did succeed in transferring $8,000, since this amount was too small to raise an alarm at the bank and required no additional confirmation from the customer's accounting department.

The tools used by the cybercriminals

Experts from Kaspersky Lab's Global Emergency Response Team received from the company an image of the hard drive of the attacked computer. Examining it, they soon spotted a suspicious email, sent in the name of the Public Treasury, that requested the prompt submission of certain documents. The list of required documents was in an attached Word document. This document carried an exploit for the vulnerability CVE-2012-0158, which triggered as soon as the document was opened and then dropped another malicious program onto the victim's computer.

On the hard drive of the infected computer, the experts found a modified version of a legitimate program that provides remote access to computers. Such programs are commonly used by accountants and IT administrators. However, the version found on this computer had been modified to hide its presence on the infected system. Kaspersky Lab's products block this program, which is detected under the name "Backdoor.Win32.RMS".

However, this was not the only malicious program found on the victim's computer. Further analysis showed that another backdoor (Backdoor.Win32.Agent) had been downloaded to the computer with the help of Backdoor.Win32.RMS. The criminals used it to gain remote Virtual Network Computing (VNC) access to the computer. Notably, code from the Carberp banking Trojan was identified in Backdoor.Win32.Agent; the Carberp source code was published earlier this year.

Once they had control of the computer, the criminals created a fraudulent payment order in the remote banking system. To authorise the order they used the accountant's computer, whose IP address the bank considered trustworthy. But how did the criminals obtain the credentials the accountant used for transactions? The experts continued their investigation and identified yet another malicious program, Trojan-Spy.Win32.Delf. This keylogger recorded keyboard input; in this way the criminals captured the accountant's password and were able to carry out the fraudulent transaction.

Additional victims

As the investigation neared its final stage, Kaspersky Lab's experts discovered another curious fact. All the malware involved in the attack was managed from C&C servers whose IP addresses belonged to the same subnet. When setting up this subnet, the cybercriminals made a mistake that allowed Kaspersky Lab's experts to discover the IP addresses of other computers infected with Trojan-Spy.Win32.Delf. In most cases these computers turned out to belong to small and medium-sized businesses. Kaspersky Lab immediately contacted the owners of the infected computers and warned them of the threat.
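The pivot described above, as an added example that is not part of the original article or of Kaspersky Lab's own tooling: starting from a few known C&C addresses, group them into the subnet they share and list every internal host whose outbound connections went to that subnet, including hosts that talked to C&C addresses not yet on the list. The log lines and IP addresses are constructed (documentation ranges), not values from the incident.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of outbound-connection log lines: "src_ip dst_ip dst_port".
# These are not from the incident; the addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
10.0.0.12 203.0.113.17 443
10.0.0.12 198.51.100.5 80
10.0.0.34 203.0.113.22 8080
10.0.0.51 198.51.100.9 443
10.0.0.77 203.0.113.40 443
10.0.0.34 203.0.113.22 8080
not a valid line
"""

# Hypothetical C&C addresses recovered from the analysed samples (constructed values).
KNOWN_C2 = ["203.0.113.17", "203.0.113.22"]


def c2_subnets(known_c2, prefix=24):
    """Pivot from individual C&C addresses to the subnet(s) they share."""
    return {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in known_c2}


def find_infected_hosts(log_text, known_c2, prefix=24):
    """Return {src_ip: sorted destinations} for every source that contacted a C&C subnet.

    A host is reported even if the exact destination is not in known_c2,
    as long as it falls inside the subnet shared by the known C&C servers.
    """
    subnets = c2_subnets(known_c2, prefix)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing the sweep
        src, dst, _port = parts
        try:
            dst_addr = ipaddress.ip_address(dst)
        except ValueError:
            continue  # non-IP destination field
        if any(dst_addr in net for net in subnets):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


if __name__ == "__main__":
    for src, dsts in sorted(find_infected_hosts(SAMPLE_LOG, KNOWN_C2).items()):
        print(f"{src} contacted C&C subnet: {', '.join(dsts)}")
```

Host 10.0.0.77 is flagged only because of the subnet pivot: its destination 203.0.113.40 is not on the known C&C list.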

"From a technical point of view, we cannot say that this incident is an example of a country-specific attack, even though it occurred in Russia. In fact, this type of digital crime varies little from country to country. Around the world, most businesses use Windows and other Microsoft software, which may contain unpatched vulnerabilities. There are also only very small differences in the way financial departments interact with banks. This makes it easier for digital criminals to steal money through remote banking systems," said Mikhail Prokhorenko, malware analyst in Kaspersky Lab's Global Emergency Response Team.

To reduce the risk of money being stolen from online bank accounts, Kaspersky Lab's experts advise businesses that use such systems to adopt reliable multi-factor authentication (for example, special tokens or one-time passwords provided by the bank). They also recommend promptly and regularly updating the software installed on corporate computers (this is particularly important for computers used in finance departments), installing security solutions, training employees to recognise the signs of an attack, and responding immediately to such incidents.

More information about the incident and Kaspersky Lab's investigation is available in Mikhail Prokhorenko's article on Securelist.com.

iGuRu.gr - The Best Technology Site in Greece

Written by giorgos