
Smart banking trojan lets attackers withdraw an almost unlimited amount of cash at ATMs

Kaspersky Lab discovered and analyzed an interesting piece of malware that targets banks and banking networks. It is a whole software package of about 30 different modules that can remain unnoticed in a bank's network for a long time. The system is called Metel (it has another name, Corkow). The software itself is not new, but Kaspersky Lab has now given a number of presentations on the topic, and Metel is one of the most interesting subjects of study.
One of its modules programmatically "rolls back" completed ATM transactions. As a result, attackers holding a compromised bank card can withdraw virtually unlimited amounts of cash from ATMs belonging to other banks; the amount withdrawn is limited only by the cash loaded in those ATMs. Because the module keeps returning the card balance to its original value, the withdrawal limit is never exceeded and the system does not block the card.
Last year this scheme let attackers withdraw millions of rubles in Russia in a single night. Metel's way into bank networks is simple and ordinary: bank employees are induced, one way or another, to open a website that serves the trojan's downloader module. When the infected file is opened, the trojan enters the bank's systems. Members of the group behind Metel then map the network and compromise other PCs in the victim bank's network, often with the help of social engineering, as the company described in its blog.

Image: Kaspersky Lab
Using the same malware, hackers managed to significantly increase the volatility of the ruble in February 2015, as Geektimes reported earlier.
The complexity of the software used by cybercriminals is constantly increasing. Attackers use a wide variety of techniques and kinds of software to achieve their goal.
Kaspersky Lab also described other examples of attacks targeting financial institutions:
- The GCMAN group earned its nickname because it uses the GCC compiler to build its own tools. As with Metel, group members begin an attack on a bank with specially crafted emails to infect the banking network. After that, ordinary tools such as PuTTY, VNC and Meterpreter are used to extend access. In one known case the group had access to the bank's network for about 18 months before it withdrew any funds. Once the scripts started, funds were transferred at a rate of about $200 per minute (a deliberate slowdown, so that the bank's systems did not react to the withdrawals too quickly). The funds went to the account of a money mule who was supposed to cash them out.
- Carbanak 2.0, a malware system used by cybercriminals to gain access to financial institutions. Once inside, they added information about new "owners" of the company to the institution's systems. The added persons were fronts; as in the previous case, they withdrew funds from the accounts. These "owners" of the financial institution had no problems withdrawing money.
All these groups and systems are active and continue to operate. As previously reported, Corkow alone infected the networks of 250 financial organizations and businesses in Russia. How many victims there really are, no one knows.
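As an added illustration (this is not Kaspersky Lab's code and not anything taken from the malware), the Python script below shows the kind of detection logic a bank's transaction monitoring could run against two of the patterns described on this page: the Metel "withdraw, roll back, withdraw again" cycling on a single card, where the net balance change stays near zero while the gross cash dispensed exceeds the daily limit, and GCMAN's throttled stream of small transfers to one beneficiary. The log format, field names, the assumed daily limit of 40000 and every threshold are assumptions made for the example, and the log lines are constructed; a card with one ordinary reversal (a jammed dispenser) is included so that the first rule is seen not to fire on a legitimate single rollback.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Each line: ISO timestamp, event
# type, then key=value fields. The format and field names are assumptions.
SAMPLE_LOG = "\n".join(
    [
        # Card 4001: withdraw at another bank's ATM, balance rolled back, repeat.
        "2015-08-12T01:00:05 WITHDRAW card=4001 amount=15000 atm=OTHER-17",
        "2015-08-12T01:00:40 ROLLBACK card=4001 amount=15000 atm=OTHER-17",
        "2015-08-12T01:02:11 WITHDRAW card=4001 amount=15000 atm=OTHER-17",
        "2015-08-12T01:02:49 ROLLBACK card=4001 amount=15000 atm=OTHER-17",
        "2015-08-12T01:04:30 WITHDRAW card=4001 amount=15000 atm=OTHER-17",
        "2015-08-12T01:05:02 ROLLBACK card=4001 amount=15000 atm=OTHER-17",
        "2015-08-12T01:06:58 WITHDRAW card=4001 amount=15000 atm=OTHER-17",
        "2015-08-12T01:07:31 ROLLBACK card=4001 amount=15000 atm=OTHER-17",
        # Card 5555: one legitimate reversal (jammed dispenser), then a retry.
        "2015-08-12T09:15:00 WITHDRAW card=5555 amount=3000 atm=OWN-02",
        "2015-08-12T09:15:20 ROLLBACK card=5555 amount=3000 atm=OWN-02",
        "2015-08-12T09:16:00 WITHDRAW card=5555 amount=3000 atm=OWN-02",
    ]
    # Account ACC1: twelve transfers of 200 to one beneficiary, one per minute.
    + [f"2015-08-13T10:{m:02d}:00 TRANSFER src=ACC1 dst=MULE9 amount=200"
       for m in range(12)]
    # A single large legitimate transfer, which should not be flagged.
    + ["2015-08-13T10:05:00 TRANSFER src=ACC7 dst=SUPPLIER amount=50000"]
)


def parse_log(text):
    """Parse the constructed log into a list of dicts; numeric fields become ints."""
    events = []
    for line in text.splitlines():
        ts, kind, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
        for field in fields:
            key, value = field.split("=", 1)
            rec[key] = int(value) if value.isdigit() else value
        events.append(rec)
    return events


def find_rollback_cycling(events, window=timedelta(hours=1),
                          daily_limit=40000, min_reversals=3):
    """Flag cards whose gross cash dispensed inside the window exceeds the
    daily limit while repeated rollbacks keep the net balance change small.
    A single reversal on an ordinary withdrawal stays below min_reversals."""
    by_card = defaultdict(list)
    for e in events:
        if e["kind"] in ("WITHDRAW", "ROLLBACK"):
            by_card[e["card"]].append(e)
    alerts = []
    for card, evs in by_card.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window over each start event
            gross = net = reversals = 0
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["kind"] == "WITHDRAW":
                    gross += e["amount"]
                    net += e["amount"]
                else:
                    reversals += 1
                    net -= e["amount"]
            if reversals >= min_reversals and net <= daily_limit < gross:
                alerts.append({"rule": "rollback_cycling", "card": card,
                               "gross": gross, "net": net, "reversals": reversals})
                break  # one alert per card is enough
    return alerts


def find_drip_transfers(events, window=timedelta(hours=1), min_count=10,
                        max_single=1000, min_total=2000):
    """Flag a steady stream of small transfers from one account to one
    beneficiary: many transfers in the window, each below max_single, whose
    sum reaches min_total. A single large transfer is not matched."""
    by_pair = defaultdict(list)
    for e in events:
        if e["kind"] == "TRANSFER":
            by_pair[(e["src"], e["dst"])].append(e)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            run = []
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                run.append(e)
            total = sum(e["amount"] for e in run)
            if (len(run) >= min_count and total >= min_total
                    and max(e["amount"] for e in run) <= max_single):
                span_min = (run[-1]["ts"] - run[0]["ts"]).total_seconds() / 60
                alerts.append({"rule": "drip_transfers", "src": src, "dst": dst,
                               "count": len(run), "total": total,
                               "span_minutes": span_min})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in find_rollback_cycling(evs) + find_drip_transfers(evs):
        print(alert)
```

Both rules deliberately ignore the card balance and the per-transaction amount, which are exactly the values the attackers keep inside normal bounds; they key instead on gross cash dispensed versus net balance change, and on the cumulative flow to a beneficiary, which the throttling does not hide.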