21 Mar 2016

Group behind FinCERT has stolen billions of dollars

The group responsible for the phishing attacks in Russia earlier this week started by targeting banking clients before turning to the bigger prize: the banks themselves.

Since August of 2015, the group has conducted 13 successful attacks resulting in losses of more than $27.4M. The group is called Buhtrap.

Earlier this morning, Salted Hash examined their most recent attack, in which they targeted Russian banks by pretending to be FinCERT – the security arm of the Russian Central Bank. In a report released on Thursday, Russian security firm Group-IB examines the history of Buhtrap and the group's successful run against the banking industry in Russia. "In many respects, this group’s activity has led to the current situation where attacks against Russian banks causing direct losses in the hundreds of millions of rubles are no longer taken as something unusual," the Group-IB report explains.

Another reason Buhtrap has been so successful is the general lack of awareness concerning targeted attacks against the financial sector, something that FinCERT was created to address. When it comes to their successes, Buhtrap has plenty to show for their efforts. In August 2015, the group managed to make off with 25.6 million RUB ($375,617 USD), followed by a campaign in October 2015 that netted them 99 million RUB ($1.4 million USD).

In November 2015, the group conducted two campaigns that resulted in 75 million RUB ($1.1 million USD) in losses. But last December was their biggest score to date. The group conducted five attacks, taking down 571 million RUB ($8.3 million USD). They also conducted two successful attacks in January and two more a month later. In all, the group has stolen 1.86 billion RUB ($27.4M USD) from banks in Russia.

There's a method to the group's madness too, helping them remain successful in the long run. The group will register typo domains or domains that are familiar to the victim, and from there they'll rent servers and configure them properly to avoid spam traps or filters.

The malware they use is customized, designed to detect security software and other security tools, while staying focused on detecting files or traces of banking operations. If such operations are detected, the malware will download a legitimate remote access tool (LiteManager) and the group will use that to create fraudulent transfer orders.

In February 2016, a developer for Buhtrap leaked the source code for their malware after he wasn't paid for his work. The source code was complete, but was an earlier revision compared to the code used for the more recent attacks. Still, Group-IB fears that its distribution "may trigger the increase in the number of attacks using this malware conducted by other groups."

The full Group-IB report has extensive information on Buhtrap and its indicators of compromise, as well as several examples of the group's phishing lures and campaign methods. But the key point is that nothing they're doing is overly sophisticated; it's just coordinated. "Absolutely all targeted attacks against banks could have been detected and stopped at any stage," the report concludes. "The key method of intrusion into the bank’s network is sending phishing email with an attachment containing the exploit, document with macros, or executable file in the password protected archive."
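As an added, defender-side illustration (not code from the article or the Group-IB report), the routine below triages an email attachment for the three delivery forms the report names: a bare executable, an Office document carrying VBA macros, and a ZIP whose members are password-protected (which a gateway cannot inspect) or are themselves executables. The sample attachments are constructed inline; the helper names are my own.

```python
import io
import zipfile


def make_zip(entries):
    # Build a small stored ZIP from {member_name: bytes}; constructed sample input.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def set_encrypted_flag(zip_bytes):
    # Simulate a password-protected archive by setting bit 0 of the general
    # purpose flag in every local header (offset 6) and central directory
    # entry (offset 8). Member names stay readable; only contents are hidden.
    data = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + off] |= 0x01
            pos = data.find(sig, pos + 4)
    return bytes(data)


def triage_attachment(name, payload):
    # Return a list of reasons to quarantine; an empty list means nothing matched.
    reasons = []
    if payload[:2] == b"MZ":
        reasons.append("executable (MZ header)")
    if payload[:4] == b"PK\x03\x04":
        try:
            zf = zipfile.ZipFile(io.BytesIO(payload))
        except zipfile.BadZipFile:
            return reasons + ["malformed ZIP container"]
        for info in zf.infolist():
            member = info.filename.lower()
            if info.flag_bits & 0x1:
                reasons.append("password-protected archive member: " + info.filename)
            if member.endswith("vbaproject.bin"):
                reasons.append("Office document with VBA macros")
            if member.endswith((".exe", ".scr")):
                reasons.append("executable inside archive: " + info.filename)
    return reasons
```

Office documents are ZIP containers, so the same code path catches a .docm by the presence of its vbaProject.bin part.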

Tags: information leaks, Russia
Source: CSO Online