Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Trend Micro solutions for BPC attacks that manipulate the Overdraft Limit of banks in Post-Soviet countries

    • Updated:
    • 25 Oct 2017
    • Product/Version:
    • Deep Discovery Inspector 3.8
    • Deep Security 10.0
    • Deep Security 10.1
    • Deep Security 9.0
    • Deep Security 9.5
    • Deep Security 9.6
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1
    • InterScan Web Security Virtual Appliance 6.0
    • InterScan Web Security Virtual Appliance 6.5
    • OfficeScan 11.0
    • OfficeScan XG.All
    • ScanMail for Exchange 12.0
    • Worry-Free Business Security Standard/Advanced 8.0
    • Worry-Free Business Security Standard/Advanced 9.0
    • Worry-Free Business Security Standard/Advanced 9.5
    • Platform:
    • N/A N/A
Summary

THREAT INFORMATION

Multiple banks from post-Soviet countries have been breached by an organized crime group, resulting in a series of suspicious ATM withdrawal transactions and million-dollar losses — a well-planned and coordinated attack, which involves physical and cyber activities to achieve the threat actor’s goals.

The criminals behind this attack manipulate the overdraft limit of specific debit card accounts to allow further credit permissions and withdraw cash from ATM terminals located in foreign countries.

 
Overdraft Limit (OD) refers to the amount that debit card users can access beyond their current balance. Overdrafts occur when you spend more than what you have in your bank account to cover a transaction. The bank has a pre-set overdraft limit, which is the maximum credit allowed for a particular account. The threat actors take advantage of this by increasing the overdraft limit of the debit cards of rogue bank accounts.

TARGETED ATTACK CHAIN

Targeted Attack Chain

Click to enlarge

The crime operation of this attack is divided into multiple teams: Money Mules, who are group of individuals that perform the offline (physical) activities, and Cyber Criminals, who are in charge of attacking the bank’s network infrastructure.

  • Team 1: Money Mules

    This team applies for new accounts and requests for debit cards in targeted bank branches using fake identities and information. The bank issues the debit cards and the first team of money mules forwards the debit cards to the perpetrators, who are located in different countries throughout Europe.

  • Team 2: Cyber Criminals

    While the teams of money mules are performing the initial stage of the attack, a group of cyber criminals are already attacking the bank’s network infrastructure. The attack begins with a phishing email that downloads/installs a backdoor into the machine. The threat actors then abuse legitimate tools and services to perform lateral movement and asset discovery.

    The cyber criminals leverage legitimate tools and services already installed in the system, such as PowerShell and PSexec to perform lateral movement and asset discovery. It is also indicative that PuTTY Link (plink.exe) was one of the toolkits used for the lateral movement stage. Additional software, like the monitoring tool Mipko, was also installed to capture screenshots and keystrokes. This allows the attackers to study how the bank's system works, as well as to steal login credentials. Leveraging these tools allows threats actors to blend in with normal network traffic or IT/system administration tasks.

    The cyber criminal's main goal is to take control of the bank’s card management application system. Using the credentials that they were able to capture, they log into the card management application system using privileged accounts to manipulate the overdraft limit of the debit cards associated with the rogue accounts, as well as remove anti-fraud controls for these accounts.

  • Team 3: Money Mules

    The role of this group of money mules is to withdraw cash from selected ATM machines located in different cities using the debit cards of the rogue accounts.

    This is a synchronized attack i.e. the entire operation was carefully planned. The team of money mules was assigned in select ATM terminals in Europe and Russia, carrying the debit cards of the rogued bank accounts. Once the team of cybercriminals manipulates the overdraft limit, they immediately give a green light to the money mules to withdraw the cash from the ATM terminals. The manipulation of the debit cards' overdraft limit and the withdrawals take place almost simultaneously. This well-coordinated attack is a strong indication of organized crime activities.

Details
Public

TREND MICRO PRODUCT SOLUTIONS

Messaging products such as InterScan Messaging Security Virtual Appliance (IMSVA) and ScanMail for Exchange (SMEX) can block phishing emails related to this attack. Both products check for email reputation, web reputation of the embedded links, as well as file attachments and macros in MS Office documents.

Trend Micro already detects the main backdoors used for this attack using pattern 13.717.00.

TROJ_MBRWIPE.B

Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks. It performs a behavioral analysis on unknown or low-prevalence processes to determine if an emerging or unknown threat is attempting to infect your network.

Predictive Machine Learning detects the backdoors used for this attack as the following:

  • Troj.Win32.TRX.XXPE002FF019

Web Reputation Services evaluates the potential security risk of all requested URLs at the time of each HTTP request. Depending on the rating returned by the database and the security level configured, web reputation either blocks or approves the request.

Web Reputation service already blocks all of the command and control servers related to this attack.

  • 192[.]52[.]167[.]228
  • 192[.]52[.]167[.]28

Deep Discovery Inspector provides traffic inspection, advanced threat detection, and real-time analysis — all purposely built for detecting targeted attacks. The following are the rules available (but not limited to) that can help detect command and control detection and lateral movement related to this attack:

  • Command and Control
    • DDI Rule ID 26: C&C callback attempt
  • Lateral Movement
    • Rule 597 - PsExec – SMB
    • Rule 1847 - PsExec - SMB - Variant 2
    • Rule 1751 - Possible PsExec Tool Detected
    • Rule 626 - Successful log on to TELNET
    • Rule 35 - Executable file dropped in administrative share - SMB

Deep Security has an IPS solution that can help monitor traffic associated to this attack (but not limited to).

  • 1006906 - Identified Usage Of PsExec Command Line Tool
  • 1002487 - SSH Client
  • 1002475 - Telnet Client
  • 1003595 - Detected Telnet Server Traffic
  • 1007114 - Portable Executable File Uploaded on SMB Share

These are legitimate applications typically used by administrators for day-to-day management tasks. However, in the hands of a cybercriminal, these tools can become powerful weapons that can be used to perform a wide array of malicious activities.

File Name: plink.exe
Description: A command-line utility for PuTTY which can be used for non-interactive SSH session to execute remote commands

File Name: netscan.exe
Description: This program can be used for lateral movement and asset discovery. It has the ability to perform ping commands, ports scanning, network shares discovery, retrieve info about network devices, among others. This tool also supports remote SSH and PowerShell command execution

File Name: mpk.exe, mpkview.exe
Description: Legitimate monitoring tool to capture screenshots and keystrokes

File Name: Psexec
Description: Microsoft Sysinternals command line based remote administration tool that allows remote execution of processes on other systems

BEST PRACTICES FOR IT ADMIN

  • User education about social engineering attacks

    User education and awareness helps improve everyone’s security posture. Organizations should conduct regular training to ensure that employees have a solid understanding of company security policy, procedure, and best practices.

  • Application Whitelisting

    A good protection for endpoints is application control a.k.a. application whitelisting. IT administrators can determine the list of programs/files/processes that can run on their network computers via application control. They can create lists based on an inventory of their existing endpoints or by category, vendor, app, or other dynamic reputation attributes.

  • Legitimate Tools and Services

    Cyber criminals are increasingly abusing legitimate tools or services already in the system. Limiting and securing the use of programs and services, such as PsExec and Powershell, can help prevent attackers from misusing these tools.

  • Network Segmentation

    Proper segmentation of networks can help defend against targeted attacks in various ways. This makes the task of lateral movement within a targeted organization’s network more difficult. Network segmentation serves as a defense-in-depth strategy that increased the effort that an attacker has to expend to successfully compromise an organization.

Premium
Internal
Rating:
Category:
Configure; Remove a Malware / Virus
Solution Id:
1118650
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.