The group responsible for this week's phishing attacks in Russia started out by targeting banking clients before turning to the bigger prize: the banks themselves.
Since August 2015 the group, known as Buhtrap, has conducted 13 successful attacks, resulting in losses of more than $27.4M.
Earlier this morning, Salted Hash examined the group's most recent attack, in which they targeted Russian banks by pretending to be FinCERT, the security arm of the Russian Central Bank. In a report released on Thursday, Russian security firm Group-IB examines the history of Buhtrap and the group's successful run against the banking industry in Russia. "In many respects, this group’s activity has led to the current situation where attacks against Russian banks causing direct losses in the hundreds of millions of rubles are no longer taken as something unusual," the Group-IB report explains.
Another reason Buhtrap has been so successful is the general lack of awareness concerning targeted attacks against the financial sector, something that FinCERT was created to address. When it comes to their successes, Buhtrap has plenty to show for their efforts. In August 2015, the group managed to make off with 25.6 million RUB ($375,617 USD), followed by a campaign in October 2015 that netted them 99 million RUB ($1.4 million USD).
In November 2015, the group conducted two campaigns that resulted in 75 million RUB ($1.1 million USD) in losses. But last December was their biggest score to date: five attacks that took 571 million RUB ($8.3 million USD). They followed with two successful attacks in January and two more a month later. In all, the group has stolen 1.86 billion RUB ($27.4M USD) from banks in Russia.
There's a method to the group's madness too, and it is what has kept them successful over the long run. The group registers typo domains, or domains that look familiar to the victim, then rents servers and configures them so that their mail is not caught by spam traps or filters.
The malware they use is customized: it is built to detect security software and other security tools, while staying focused on finding files or other traces of banking operations. If such operations are detected, the malware downloads a legitimate remote-access tool (LiteManager), and the group uses that access to create fraudulent transfer orders.
In February 2016, a developer for Buhtrap leaked the source code of the malware after he wasn't paid for his work. The source was complete but was an earlier revision than the code used in the more recent attacks. Still, Group-IB fears that its distribution "may trigger the increase in the number of attacks using this malware conducted by other groups."
The full Group-IB report has extensive information on Buhtrap, indicators of compromise, and several examples of their phishing lures and campaign methods. But the key point is that nothing they're doing is overly sophisticated; it's just coordinated. "Absolutely all targeted attacks against banks could have been detected and stopped at any stage," the report concludes. "The key method of intrusion into the bank’s network is sending phishing email with an attachment containing the exploit, document with macros, or executable file in the password protected archive."
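Two of the three delivery vehicles in that closing quote, a document with macros and an executable inside a password-protected archive, are things a mail gateway can check for from the attachment bytes alone, before the message ever reaches an inbox. The following is an added example written for this article, not code from Group-IB or from the leaked Buhtrap source: a small Python triage routine that classifies attachments by content rather than by file name, flags macro-enabled Office documents, bare executables (including an executable renamed to look like a PDF), and encrypted archives, and reads the never-encrypted entry names inside an encrypted ZIP to spot an executable the filter otherwise could not scan. The sample attachments are constructed in memory and are not real lures; the exploit-in-attachment case is not covered, since that depends on the specific document parser being targeted.

```python
"""Attachment triage for the delivery vehicles named in the Group-IB quote:
a document with macros, an executable, or an executable in a password-protected
archive. Added example; the sample attachments below are constructed in memory
and are not Buhtrap artifacts."""
import io
import struct
import zipfile
import zlib

MZ_MAGIC = b"MZ"                                 # Windows PE executable
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls (OLE2 container)
EXEC_EXTS = {"exe", "scr", "com", "pif", "cpl", "js", "jse", "vbs", "wsf", "bat", "cmd", "hta"}


def build_stored_zip(entries, flags=0):
    """Build a minimal ZIP with stored (uncompressed) entries. flags=1 sets the
    encryption bit so the archive presents as password-protected; the payload is
    not really encrypted, which is enough to exercise the gateway checks."""
    body, central = bytearray(), bytearray()
    for name, payload in entries.items():
        raw, crc, offset = name.encode(), zlib.crc32(payload), len(body)
        body += struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                            crc, len(payload), len(payload), len(raw), 0)
        body += raw + payload
        central += struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, flags, 0, 0, 0,
                               crc, len(payload), len(payload), len(raw), 0, 0, 0, 0, 0, offset)
        central += raw
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return bytes(body + central + eocd)


def zip_entries(data):
    """ZipInfo records of a ZIP/OOXML blob, or [] if it is not a readable ZIP.
    Only the central directory is read, so this works on encrypted archives too."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.infolist()
    except zipfile.BadZipFile:
        return []


def classify_attachment(filename, data):
    """Reasons to hold the attachment, judged from its bytes rather than its name.
    An empty list means none of the Buhtrap delivery patterns matched."""
    reasons = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if data.startswith(MZ_MAGIC):
        disguise = "" if ext in EXEC_EXTS else f", named to look like .{ext}"
        reasons.append("PE executable (MZ header)" + disguise)
    if data.startswith(OLE_MAGIC):
        reasons.append("legacy OLE Office document: run a macro scanner before delivery")
    entries = zip_entries(data)
    if entries:
        # OOXML files (docx/xlsx/pptx) are ZIPs; a VBA project is stored as vbaProject.bin
        if any(e.filename.lower().endswith("vbaproject.bin") for e in entries):
            reasons.append("Office document carries a VBA project (macros)")
        encrypted = [e.filename for e in entries if e.flag_bits & 0x1]
        if encrypted:
            reasons.append("password-protected archive; contents cannot be scanned")
            # entry names are never encrypted in a ZIP, so the gateway can still see
            # what the archive offers even though it cannot open the members
            inner = [n for n in encrypted if n.rsplit(".", 1)[-1].lower() in EXEC_EXTS]
            if inner:
                reasons.append("encrypted archive contains executable(s): " + ", ".join(inner))
    if ext in EXEC_EXTS and not reasons:
        reasons.append(f"executable by extension .{ext}")
    return reasons


def triage(attachments):
    """Per-attachment verdict for one message, as a gateway policy would apply it."""
    return {name: ("HOLD" if classify_attachment(name, data) else "DELIVER")
            for name, data in attachments.items()}


# Constructed sample attachments (not real lures): a macro-enabled Word file, a clean
# Word file, a password-protected ZIP wrapping an .exe, an .exe renamed to .pdf, and text.
SAMPLES = {
    "invoice.docm": build_stored_zip({"[Content_Types].xml": b"<Types/>",
                                      "word/document.xml": b"<w:document/>",
                                      "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 8}),
    "report.docx": build_stored_zip({"[Content_Types].xml": b"<Types/>",
                                     "word/document.xml": b"<w:document/>"}),
    "documents.zip": build_stored_zip({"update.exe": b"\x00" * 16}, flags=1),
    "scan.pdf": MZ_MAGIC + b"\x90\x00" + b"\x00" * 60,
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15} {triage({name: data})[name]:8} {classify_attachment(name, data)}")
```

The checks deliberately ignore the declared extension until the end: the renamed executable is caught by its MZ header, and the macro document by the presence of a VBA project inside the OOXML container. A legacy OLE file is only flagged for a follow-up macro scan, because parsing the VBA storage inside OLE2 is more than this routine attempts.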