Sophisticated ‘MoneyTaker’ group stole millions from Russian & US banks

IT security researchers at the Moscow-based cybercrime prevention firm Group-IB have identified a dangerous and sophisticated group of cybercriminals that has so far stolen more than $10 million from the banking and financial sectors.

Dubbed MoneyTaker by researchers, the group has in the last 18 months conducted 20 successful attacks in Russia, the United Kingdom, and the United States. The group targeted card processing systems such as AWS CBR (the Russian Interbank System) and purportedly SWIFT (the SWIFT international bank messaging service) in the United States.

On average, MoneyTaker stole a whopping $3 million from three Russian financial institutions, while a sum of $500,000 was stolen from banks in the United States. But the group is not limiting itself to money or the banking sector; MoneyTaker also targeted financial software vendors and law firms.

“Criminals stole documentation for OceanSystems’ FedLink card processing system, which is used by 200 banks in Latin America and the US,” says the report compiled by Group-IB.

Researchers confirmed that MoneyTaker targeted 20 companies: 1 in the UK, 3 in Russia and 16 in the US. All of those attacks went unreported and undetected, since the group used publicly available tools for its operations.

“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide, and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations,” said Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence.

MoneyTaker first caught Group-IB's attention when its researchers tracked the group's activities after it stole money from a US bank in 2016 by gaining access to First Data's "STAR" network operator portal.

“In 2016, Group-IB identified 10 attacks conducted by MoneyTaker; 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a bank in the UK and 2 attacks on Russian banks. Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB.”

“In 2017, the number of attacks has remained the same with 8 US banks, 1 law firm and 1 bank in Russia being targeted. The geography, however, has narrowed to only the USA and Russia.”

Furthermore, researchers noted links between all 20 attacks conducted by the group in 2016 and 2017, including the use of the same tools, similarly distributed infrastructure, one-time-use components in the attack toolkit, and spying on the target after a successful attack.

To evade detection, the group uses fileless malware and SSL certificates generated using the names of popular institutions such as Microsoft, Yahoo, Bank of America and the Federal Reserve Bank. Moreover, MoneyTaker uses a distributed infrastructure and delivers payloads only to victims whose IP addresses are on MoneyTaker's whitelist.
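As an added illustration for defenders (not code from this article or from Group-IB's report), the following Python heuristic flags TLS certificates that claim one of the organisations named above while being self-signed or issued by a CA outside a short allow-list. The log records and the CA allow-list are constructed assumptions, not real telemetry.

```python
"""Detection heuristic for brand-impersonating TLS certificates.

Flags certificates whose subject claims a well-known organisation but which
are self-signed or issued by an issuer not on an allow-list of public CAs.
All records below are constructed sample data, not real telemetry.
"""
from dataclasses import dataclass

# Organisations the Group-IB report says were used in certificate names.
IMPERSONATED_BRANDS = ("microsoft", "yahoo", "bank of america", "federal reserve")

# Assumed allow-list of public CA organisation names; extend for your estate.
TRUSTED_CA_ORGS = ("digicert inc", "let's encrypt", "globalsign nv-sa", "sectigo limited")


@dataclass
class CertRecord:
    src_ip: str
    dst_ip: str
    subject: str   # e.g. "CN=login.microsoft.com,O=Microsoft Corporation"
    issuer: str    # e.g. "CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc"


def _rdn_values(dn: str) -> dict:
    """Parse a comma-separated DN string into a lower-cased {attr: value} map."""
    out = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip().lower()
    return out


def is_suspicious(rec: CertRecord) -> bool:
    subj = _rdn_values(rec.subject)
    issuer = _rdn_values(rec.issuer)
    claim = " ".join(subj.values())
    if not any(brand in claim for brand in IMPERSONATED_BRANDS):
        return False                      # does not claim a watched brand
    if subj == issuer:
        return True                       # self-signed brand impersonation
    return issuer.get("o", "") not in TRUSTED_CA_ORGS   # issued by an unknown CA


def find_suspicious(records):
    """Return (src_ip, dst_ip, subject) tuples worth an analyst's attention."""
    return [(r.src_ip, r.dst_ip, r.subject) for r in records if is_suspicious(r)]


SAMPLE = [  # constructed log records
    CertRecord("10.0.0.5", "203.0.113.7", "CN=update.microsoft.com,O=Microsoft",
               "CN=update.microsoft.com,O=Microsoft"),
    CertRecord("10.0.0.5", "198.51.100.2", "CN=www.bankofamerica.com,O=Bank of America",
               "CN=DigiCert SHA2 Extended Validation Server CA,O=DigiCert Inc"),
    CertRecord("10.0.0.9", "192.0.2.44", "CN=mail.yahoo.com,O=Yahoo",
               "CN=Some Internal CA,O=Pentest Framework Server"),
]
```

Run `find_suspicious(SAMPLE)` over your own certificate telemetry (for example, subject and issuer fields exported from a TLS inspection log) after replacing the sample records.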

MoneyTaker uses both borrowed and self-written tools; for example, it developed an application with keylogging and screenshot capabilities that captures keystrokes and screenshots from a targeted device and steals its content.

To take full control of the operation, MoneyTaker uses a pentest framework server on which the hackers install Metasploit, a legitimate penetration testing tool. The group uses Metasploit to conduct the following activities:

1. Network reconnaissance
2. Search for vulnerable applications
3. Exploit vulnerabilities
4. Escalate system privileges
5. Collect information

Another astonishing discovery by Group-IB researchers is that MoneyTaker uses privilege escalation tools based on code presented at the Russian cybersecurity conference ZeroNights 2016. In some attacks, the group used the Citadel and Kronos banking Trojans; in this case, Kronos was used to deliver Point-of-Sale (POS) malware dubbed ScanPOS.

Remember, in August this year the FBI arrested WannaCry hero Marcus Hutchins for "creating and distributing the Kronos banking trojan." Kronos stole banking credentials from around the world but primarily targeted the United Kingdom and North America.

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.