BAE Systems, the well-known UK defence company engaged in advanced military development, the aerospace industry and information security, has announced the results of its analysis of a major cyber attack on a bank in Bangladesh, in which the attackers managed to compromise the well-known international banking platform SWIFT and steal $81 million.

(Picture: Reuters)
The SWIFT platform is called the heart of the global banking system: with its help, banks around the world exchange information and settle payments. After the SWIFT software at the Bangladesh bank was compromised, the hackers were able to log in to the system and send a request to a US bank to transfer a large amount to a bank in the Philippines. In this carefully planned cyber attack the hackers intended to transfer almost a billion dollars ($951 million) out of the bank's accounts.
Experts from BAE Systems have published a brief report on the cyber attack together with information on the publicly available samples of the malicious tools (see table below). One further, unique malware sample is in the company's possession. It contains complex mechanisms for working with the local SWIFT Alliance Access software used in the victim's system. These individual components are part of the set of malicious tools that were used to carry out the cyber attack and to send false transaction instructions to the bank. The tools are quite flexible, which would make it possible to use them for similar cyber attacks in the future.

Fig. Some of the malicious tools used in the cyber attack are also available on public malware sample exchange services. (BAE Systems data)

According to BAE Systems, the malicious files were created by one cybercriminal or a group of individuals; the most valuable file, however, is the one with hash 525a8e3ae4e3df8c9c61f2a49e38541d196e9228, which contains the logic for working with the SWIFT software.

Fig. The general scheme of compromising SWIFT. (BAE Systems data)

It can be seen that one of the main steps of the cyber attack is compromising the server on which the SWIFT Alliance software is installed. The malicious program then reads the configuration file gpca.dat, which lists the search patterns for the SWIFT messages the attackers are interested in. After that, the attackers can monitor the messages processed by the server side of SWIFT.
The main goal is to gain control over SWIFT messages, which are checked for the presence of the text strings specified in the configuration file. From the messages that match, the program can extract the values of certain fields, such as transfer references, as well as the SWIFT addresses it needs to interact with the system database. The extracted field values are then used to delete information about specific transactions or to update balance data in the system. This function of the malware ran in a loop until 6 a.m. on 6 February 2016. That period was enough to steal the money, which happened two days before it ended. The malicious tool was designed specifically for this purpose and shows a significant level of knowledge of SWIFT Alliance Access; its authors also have good malware development skills.
The malicious program uses the following RC4 key to decrypt the contents of its configuration file.
4e 38 1f a7 7f 08 cc aa 0d 56 ed ef f9 ed 08 ef
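The decryption step described above, as an added example that is not code from the BAE Systems report: a plain RC4 implementation keyed with the bytes quoted above, applied to a constructed configuration blob (the report does not reproduce the real gpca.dat, so the sample contents and the one-pattern-per-line layout are assumptions).

```python
# Added example (not from the BAE Systems report): decrypting an RC4-encrypted
# configuration blob with the key quoted above. Only the key comes from the
# report; the sample configuration and its line-based layout are constructed.
from typing import Iterator, List

RC4_KEY = bytes.fromhex("4e381fa77f08ccaa0d56edeff9ed08ef")  # key from the report


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Yield RC4 keystream bytes: key scheduling (KSA) then generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(data: bytes, key: bytes = RC4_KEY) -> bytes:
    """RC4 is a symmetric stream cipher: the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def parse_config(plaintext: bytes) -> List[str]:
    """Assumed layout: one search pattern per line; blank lines are dropped."""
    lines = plaintext.decode("latin-1").splitlines()
    return [line.strip() for line in lines if line.strip()]


def decrypt_config(blob: bytes, key: bytes = RC4_KEY) -> List[str]:
    """Decrypt an encrypted configuration blob and return its search patterns."""
    return parse_config(rc4_crypt(blob, key))


# Constructed sample: a few patterns from the report's list, encrypted with the key.
SAMPLE_CONFIG = b"19A: Amount\r\nFEDERAL RESERVE BANK\r\n62F:\r\n"
SAMPLE_ENCRYPTED = rc4_crypt(SAMPLE_CONFIG)

if __name__ == "__main__":
    print("encrypted:", SAMPLE_ENCRYPTED.hex())
    print("patterns: ", decrypt_config(SAMPLE_ENCRYPTED))
```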

Fig. The general scheme of the cyber attack. (BAE Systems data)

In the first stage, the malware enumerates all the processes running on the server. If it finds a process into which liboradb.dll is loaded, it patches two bytes at a particular offset in that module's memory: the original values 0x75 0x04, which encode a JNZ (jump if not zero) conditional jump, are overwritten with two NOP instructions, 0x90 0x90.

Fig. The original conditional branch instruction in the system library code. (BAE Systems data)

Fig. The conditional instruction replaced by two NOPs in the system library code. (BAE Systems data)

As a result of this patch, the malware disables an important check in one of the liboradb.dll functions, so that the attackers pass the validation that the check was meant to enforce. The library liboradb.dll itself is an Oracle component of the SWIFT Alliance software mentioned above. The library is responsible for the following functions:
- reading the path to the Alliance database from the registry;
- activation of this database;
- database backup.
By modifying the local instance of the SWIFT Alliance software, the malware gains the ability to carry out transactions against the SWIFT database over the victim's network.
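One defensive check suggested by the patch described above, as an added example that is not part of the BAE Systems report: compare a module's on-disk code bytes with a snapshot of the same module in memory and report any place where a short JNZ (0x75 rel8) has become two NOPs (0x90 0x90). The report does not give the real offset inside liboradb.dll, so both byte strings below are constructed; reading the real images from disk and from process memory is left to the caller.

```python
# Added example (not from the BAE Systems report): detect the in-memory
# 75 04 -> 90 90 patch by diffing an on-disk image against a memory snapshot.
# Both images below are constructed; the real offset is not in the report.
from dataclasses import dataclass
from typing import List

JNZ_OPCODE = 0x75   # short JNZ, followed by a one-byte displacement
NOP = 0x90
PATCH_REL8 = 0x04   # displacement of the JNZ the report says was patched


@dataclass(frozen=True)
class Patch:
    offset: int      # byte offset of the patched instruction in the image
    original: bytes  # the two bytes as they are on disk
    patched: bytes   # the two bytes as found in memory


def find_nop_patches(disk_image: bytes, memory_image: bytes) -> List[Patch]:
    """Return every 2-byte region where a JNZ rel8 on disk is NOP NOP in memory."""
    if len(disk_image) != len(memory_image):
        raise ValueError("images differ in length; compare the same section")
    found = []
    for off in range(len(disk_image) - 1):
        on_disk = disk_image[off:off + 2]
        in_mem = memory_image[off:off + 2]
        if on_disk[0] == JNZ_OPCODE and in_mem == bytes([NOP, NOP]):
            found.append(Patch(off, on_disk, in_mem))
    return found


def matches_report(patch: Patch) -> bool:
    """True when the original bytes are exactly 75 04, the signature in the report."""
    return patch.original == bytes([JNZ_OPCODE, PATCH_REL8])


# Constructed fragment: test eax,eax ; jnz +4 ; xor eax,eax ; ret ; mov eax,1 ; ret
CLEAN = bytes.fromhex("85c0" "7504" "31c0" "c3" "b801000000" "c3")
# Memory snapshot of the same fragment after the two-byte patch.
PATCHED = bytes.fromhex("85c0" "9090" "31c0" "c3" "b801000000" "c3")


def audit(disk_image: bytes = CLEAN, memory_image: bytes = PATCHED) -> List[int]:
    """Offsets of patches matching the report's 75 04 -> 90 90 signature."""
    patches = find_nop_patches(disk_image, memory_image)
    return [p.offset for p in patches if matches_report(p)]


if __name__ == "__main__":
    print("suspicious JNZ->NOP patches at offsets:", audit())
```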
The malicious program monitors SWIFT Financial Application (FIN) messages by parsing the contents of the *.prc and *.fal files in the following directories.
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcm\in\
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcm\out\
For more information, see baesystemsai.blogspot.ru/2016/04/two-bytes-to-951m.html
All SWIFT messages in the directories below are also tracked.
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcp\in\*.*
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcp\out\*.*
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcp\unk\*.*
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcs\nfzp
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcs\nfzf
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcs\fofp
[ROOT_DRIVE]:\Users\Administrator\AppData\Local\Allians\mcs\foff
Inside the messages, the malware searches for the following strings of interest to the attackers:
"19A: Amount"
": Debit"
"Debit / Credit:"
"Sender:"
"Amount:"
"FEDERAL RESERVE BANK"
"D"
"C"
"62F:"
"60F:"
"60M:"
"62M:"
"Credit"
"Debit"
"64:"
"20: Transaction"
"90B: Price"
Conclusion

The malware sample analysed by BAE Systems offers a look inside the toolkit of the group of hackers who planned the cyber attack on the bank. Many pieces of the puzzle are still missing, for example how the attackers sent the fake transaction requests, and how they managed to install the malware on the system and compromise the computer network. The most important question also remains unanswered: who is behind this cyber attack.
The main malicious tool in the set described above was designed specifically for this cyber attack and for the victim's particular infrastructure. It is also worth noting that the set would allow the attackers to carry out similar attacks on other banks. All financial institutions that use SWIFT Alliance Access in any way should take this case seriously and evaluate their security.
The cybercriminals used techniques to hide their traces in the compromised system so as to remain undetected and to hamper the investigation of the cyber attack. The lesson of this case is that attackers are using increasingly sophisticated cyber attacks against a range of organizations, using them to penetrate the internal networks of those organizations. As such threats develop, organizations, banks and other network owners must keep pace in order to ensure an adequate level of security for their network infrastructure.