A Russian company contacted Kaspersky Lab asking to investigate an incident when more than $130,000 was nearly stolen from its corporate account. The company representatives suspected malware was behind this incident. That suspicion was confirmed in the very first days of investigation.
• Cybercriminals infected the company’s computers by sending an email with a malicious attachment that claimed to come from the state tax office;
• To gain remote access to the accountant’s computer within the corporate network, the users used a modified version of a legitimate program;
• A malware program was used to steal the money. It included elements of the banking Trojan Carberp whose source code is publically available;
• The cybercriminals made a mistake in configuring their C&C servers, enabling Kaspersky Lab’s specialists to discover the IP addresses of other infected computers and warn their owners of the threat.
The bank which serviced the company targeted by the financial cybercriminals blocked the attempted $130,000 transaction. However, the cybercriminals did successfully make an $8,000 payment since that amount was too small to raise any alarms at the bank and did not require additional confirmation from the client organization’s accountant.
The exploit. The experts at Kaspersky Lab’s Global Emergency Response Team (GERT) received an image of the attacked computer’s hard drive from the attacked organization. They studied this and soon detected a suspicious email message sent in the name of the state tax office, asking to provide some documents immediately. The list of required documents was provided in an attached Word document. That document was infected with an exploit to vulnerability CVE-2012-0158; this exploit activated when the document was opened, and downloaded another malicious program to the victim computer.
Two Trojans. On the hard drive of the infected computer GERT specialists detected a modified version of a legitimate program designed to provide remote access to computers. These programs are commonly used by accountants or system administrators. However, the program version detected on the victim computer was modified to conceal its presence in the infected system: its icon in Windows Taskbar was hidden, the registry key where its settings were stored was modified, and the GUI display was disabled. Kaspersky Lab products block this program with the verdict ‘Backdoor.Win32.RMS.’
However, this was not the only malicious program detected on the victim computer. Further investigation showed that another backdoor (Backdoor.Win32.Agent) was downloaded to the victim computer with the help of Backdoor.Win32.RMS The cybercriminals used this to gain remote Virtual Network Computing (VNC) access to the victim computer. Remarkably, elements of the banking Trojan Carberp were detected in the Backdoor.Win32.Agent code. Carberp’s source code was published earlier this year.
With the help of Backdoor.Win32.RMS, the cybercriminals downloaded the Trojan Backdoor.Win32.Agent to the victim computer. With Backdoor.Win32.Agent, they were able to seize control of the computer. Thus the cybercriminals created an illegitimate payment order in the remote banking system and verified it with the IP address of the accountant’s computer which was seen as trusted by the bank. But how did the cybercriminals get hold of the passwords used by the accountant to make a transaction? The experts continued their investigation and detected another malicious program, Trojan-Spy.Win32.Delf. That was the keylogger that intercepted the data entered from the keyboard. In this way, the cybercriminals stole the accountant’s password and were able to make the illegitimate transaction.
New victims. When the investigation was nearing completion, the experts discovered yet another curious fact: all the malicious programs involved in the attack were managed from C&C servers whose IP addresses belonged to the same sub-network. When rolling out this sub-network, the cybercriminals committed an error which allowed Kaspersky Lab’s experts to find out the IP addresses of other computers infected with Trojan-Spy.Win32.Delf. In most cases, these proved to be computers owned by SMBs. Kaspersky Lab promptly contacted the owners of the infected computers and warned them of the threat.
“Although this story happened in Russia, from a technical standpoint it is hardly country-specific; in fact, this type of cybercrime varies very little from country to country. All over the world most companies use versions of Windows and Microsoft Office that may contain unpatched vulnerabilities. There is also little difference between the ways companies’ financial departments interact with banks via banking services in different countries. This makes life easy for cybercriminals who steal money via remote banking systems,” said Mikhail Prokhorenko, malware analyst at Kaspersky Lab’s Global Emergency Response Team.
To reduce the risk of having your money stolen from corporate accounts, Kaspersky Lab’s experts advise organizations using remote banking systems to set up reliable multi-factor authentication (including tokens, one-time passwords provided by the bank, etc.), make sure that the software installed on corporate computers is promptly updated (this is especially relevant for the computers used in financial departments), protect such computers with a security solution, train the staff to recognize the signs of attacks and respond appropriately to such events.
A more detailed account of how this security incident was investigated by Kaspersky Lab is available in Mikhail Prokhorenko’s article at Securelist.com.
