
On the trail of Cobalt: tactics of logical attacks on ATMs in a Group-IB investigation


In July 2016, First Bank, one of the largest banks in Taiwan, was paralyzed. The bank faced a massive attack: people in masks simultaneously emptied three dozen ATMs of $2 million. The police were puzzled: there were no signs of hacking or skimmer overlays on the ATMs. The attackers did not even use bank cards.

Video cameras recorded everything that happened: people in masks approached the ATMs and made a mobile phone call, the ATM dispensed money, and the criminals stuffed it into backpacks and ran away. After such a large-scale raid, the eight largest banks in the country suspended cash withdrawals at 900 ATMs.
What First Bank ran into is called a logical attack. Its essence is that cybercriminals gain access to the bank's local network and from it establish full control over the ATMs. They remotely send the command to dispense money, and the hackers' accomplices, "mules", collect it and pass it on to the organizers of the attack. Cobalt is the most active and dangerous group of this kind: in less than a year it has attacked banks in two dozen countries around the world.


The summer wave of attacks on ATMs was only a test of new capabilities. In the future, according to our forecasts, logical attacks will become one of the main attack vectors against banks.


Contactless attacks on ATMs are just one type of targeted attack on banks. Besides ATM management systems, cybercriminals try to gain access to interbank transfer systems (SWIFT), payment gateways and card processing.

Let's take a closer look at the tactics of logical attacks on ATMs and the countermeasures against them. This article is based on the Group-IB report on the activities of the Cobalt group, released in the fall of 2016. Some of this information is being published openly for the first time.

Penetration

Cobalt penetrates the banking network by sending phishing emails carrying an exploit or an executable file inside a password-protected archive. To CIS banks the criminals sent attachments named "Storage Agreement2016.zip" and "list of documents .doc"; to foreign banks, "The rules for European banks.doc" and "Bitcoin ATM's.doc".

It takes from 10 minutes to 1 week to get full access to the domain controller.


Phishing emails were most often sent on behalf of the European Central Bank, the ATM manufacturer Wincor Nixdorf, or regional banks. Recognizing the spoofing was not easy: the senders' official domains appeared in the From address. In June the fake emails were sent through an anonymous mailing system, "Send Mail v.2.0" (another name for the service is "alexusMailer v2.0"); later the attackers switched to the capabilities of Cobalt Strike. Cobalt Strike is a rich penetration-testing framework that allows delivering a payload to the attacked computer and managing it.

This is what the letter on behalf of the European Central Bank looked like:

[image: phishing email sent on behalf of the European Central Bank]

The letters were sent from two servers with IP addresses 88.212.208.115 and 5.101.124.34, both located in Russia. We obtained a portion of the emails sent from these servers, examined the malicious attachments, found the associated malware samples and checked which suspicious files had been uploaded since the time of the attack to VirusTotal, an online scanner that checks files for viruses and malware.

Here is an example of the result of uploading one of them to VirusTotal:

[image: VirusTotal scan result for a malicious attachment]

This allowed us to compile a more comprehensive list of attack targets, which included banks from Russia, Great Britain, the Netherlands, Spain, Romania, Poland, Estonia, Bulgaria, Belarus, Moldova, Georgia, Armenia, Kyrgyzstan and Malaysia. In the case of First Bank, the hackers penetrated the network of a bank branch in the UK and through it gained access to the head office network.

Besides banks, the letters were received by leasing and insurance companies belonging to banking groups. In some cases such companies share a network with the bank, which the attackers exploited.

Establishing persistence

After the malicious attachment was launched, the process of establishing persistence on the system began:

1. The attachment contained malicious RTF documents exploiting the CVE-2015-1641 vulnerability. The standard shellcode generated by penetration-testing tools such as Metasploit and Cobalt Strike was used.

2. A payload called Beacon, which is part of Cobalt Strike, was loaded into RAM.

Cobalt Strike communicates with its server side through covert channels over DNS, HTTP and HTTPS, so that standard IDS/IPS systems do not detect the network traffic.

Beacon command list:

[image: Beacon command list]

3. If the exploit did not work, the attackers re-sent a letter with a password-protected archive containing the same Beacon.

In either case, after the malicious attachment was launched Beacon resided only in RAM, which means that after a restart of the operating system the attackers lost control of the computer.

To maintain a permanent presence on the system, a special Beacon module ran automatically: it checked which applications were registered for autostart and replaced some of them with its own executable of the same name.

In real attacks we observed the replacement of files named iusb3mon.exe (Intel USB 3.0 eXtensible Host Controller) and jusched.exe (Sun Java Update Scheduler). As a result, the services that were supposed to launch legitimate programs automatically launched malicious applications instead.

4. A library named crss.dll was copied into the same directory as the replaced legitimate executables. Each time the operating system starts, the replaced applications load this library into memory. Its main task was to download the Beacon module from the Internet into RAM.

This kept the main program alive even though its main module was removed at every reboot of the operating system. All the steps described above were performed automatically after the malicious attachment was run. To survive the infected computer being turned off or the operating system being reinstalled, the attackers needed permanent access to the local network, and for that they needed to escalate privileges.
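As an added example (not code from the original article), the check below detects this persistence pattern on a host snapshot: an autostart binary whose hash no longer matches a clean baseline (same-name replacement) and a DLL that appeared in its directory. The file paths, contents and baseline hashes are constructed for the demo; the article names the binaries but not their locations.

```python
import hashlib
import ntpath

# Constructed host snapshot {path: file bytes}; paths and contents are invented
# for the demo (the article names the binaries, not their locations).
SNAPSHOT = {
    r"C:\Program Files\Intel\USB3\iusb3mon.exe": b"legit-iusb3mon-build",
    r"C:\Program Files\Java\jre\bin\jusched.exe": b"loader-posing-as-jusched",
    r"C:\Program Files\Java\jre\bin\crss.dll": b"downloader-dll",
    r"C:\Program Files\Java\jre\bin\jli.dll": b"legit-jli-build",
}
# Autostart entries (Run key / service name -> image path) as collected.
AUTORUNS = {
    "iusb3mon": r"C:\Program Files\Intel\USB3\iusb3mon.exe",
    "SunJavaUpdateSched": r"C:\Program Files\Java\jre\bin\jusched.exe",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Baseline taken from a clean image: hash of each autostart binary and the DLLs
# expected in its directory (hypothetical values).
BASELINE = {
    r"C:\Program Files\Intel\USB3\iusb3mon.exe": (sha256(b"legit-iusb3mon-build"), set()),
    r"C:\Program Files\Java\jre\bin\jusched.exe": (sha256(b"legit-jusched-build"), {"jli.dll"}),
}


def check_autoruns(snapshot, autoruns, baseline):
    """Flag autostart binaries whose hash drifted from the baseline (same-name
    replacement) and DLLs that appeared beside them (a dropped loader)."""
    alerts = []
    for entry, image in autoruns.items():
        expected_hash, expected_dlls = baseline.get(image, (None, set()))
        content = snapshot.get(image)
        if content is None:
            alerts.append((entry, "autostart image missing", image))
            continue
        if expected_hash is None:
            alerts.append((entry, "autostart image not in baseline", image))
        elif sha256(content) != expected_hash:
            alerts.append((entry, "autostart image hash changed", image))
        folder = ntpath.dirname(image).lower()
        known = {d.lower() for d in expected_dlls}
        for path in snapshot:
            name = ntpath.basename(path).lower()
            if (ntpath.dirname(path).lower() == folder and name.endswith(".dll")
                    and name not in known):
                alerts.append((entry, "unexpected DLL beside autostart image", path))
    return alerts
```

Comparing by hash rather than by file name is the point: the replaced binary keeps the legitimate name, so only the baseline mismatch and the new DLL reveal it.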

Obtaining privileges

To explore the bank's local network and gain access to isolated network segments and information systems, an attacker needs domain administrator rights.

Starting with Windows Server 2008, Group Policy gained additional functionality: Group Policy Preferences (GPP). GPP lets administrators apply many settings: automatically mapping a network drive when a user logs on, changing the name of the built-in administrator account, creating new users, modifying the registry, etc.

Actions such as adding a local user or mapping a network drive or printer may require a password. When these policies are applied on an individual computer, they perform the action with the specified password. The password, encrypted with AES-256 and additionally Base64-encoded, is stored in the GPP configuration file Groups.xml.

This XML file is not always created, but it is created when, for example, a built-in administrator account is created or changed. The file is stored on a domain controller in a subdirectory of SYSVOL and, like the directory itself, is readable by any user in the domain.

Attackers use Groups.xml to extract the domain administrator password as follows:

1. After gaining access to the local network, they find the domain controllers specified in the computer's settings.
2. On the domain controllers, they check for the SYSVOL directory and the Groups.xml file, which is accessible at the following path: "\\[server_name]\sysvol\[domain_name]\Policies\[group_policy_name]\Machine\Preferences\Groups\Groups.xml"
3. From the Groups.xml file, they extract the domain administrator login and password from the userName and cpassword fields.

Fragment of the Groups.xml file:

[image: fragment of the Groups.xml file]

4. To obtain the password in plaintext, the attackers Base64-decode the cpassword value, getting the string 2412D5A8073B0B9EEF429FB6AF94B737C95E66B685409A1FD9C36509DF7D6166, which is the password encrypted with AES-256.
5. The encrypted password is then decrypted with the key 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b, published on Microsoft's official MSDN website.


6. After successfully decrypting the password, they gain access to the domain controller and, using the method described below, can obtain the password of any account.
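An added example (not code from the Group-IB report) of how a defender can audit SYSVOL for the exposure described above: it parses the GPP preference files that may carry a cpassword attribute and reports each stored credential, restoring the Base64 padding that GPP strips so the ciphertext length can be checked against whole AES blocks. The Groups.xml fragment and account names are constructed; the sample ciphertext is the hex string quoted in step 4, re-encoded.

```python
import base64
import os
import xml.etree.ElementTree as ET

# Preference files under <GPO>\Machine\Preferences\ that may carry cpassword.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Printers.xml", "Drives.xml"}

# Sample ciphertext: the hex string quoted in the article, re-encoded to Base64
# the way GPP stores it (trailing '=' padding removed).
PAGE_HEX = "2412D5A8073B0B9EEF429FB6AF94B737C95E66B685409A1FD9C36509DF7D6166"
SAMPLE_CPASSWORD = base64.b64encode(bytes.fromhex(PAGE_HEX)).decode().rstrip("=")

# Constructed Groups.xml fragment (account names are hypothetical); only the
# element and attribute names follow the real file layout.
SAMPLE_GROUPS_XML = """<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" newName="localadm" cpassword="%s"
                userName="Administrator (built-in)"/>
  </User>
  <User name="svc_backup">
    <Properties action="C" cpassword="" userName="svc_backup"/>
  </User>
</Groups>""" % SAMPLE_CPASSWORD


def audit_gpp_xml(xml_text, path):
    """Return one finding per Properties element that stores a cpassword.
    GPP strips the '=' padding from the Base64 value, so it is restored before
    decoding; a valid value decodes to whole AES blocks (a multiple of 16 bytes)."""
    findings = []
    for props in ET.fromstring(xml_text).iter("Properties"):
        cpw = props.get("cpassword")
        if not cpw:  # attribute absent or empty: no stored password
            continue
        raw = base64.b64decode(cpw + "=" * (-len(cpw) % 4))
        findings.append({
            "file": path,
            "userName": props.get("userName", ""),
            "newName": props.get("newName", ""),
            "ciphertext_bytes": len(raw),
            "aes_aligned": len(raw) % 16 == 0,
        })
    return findings


def scan_sysvol(sysvol_root):
    """Walk a SYSVOL copy (e.g. a mounted DC share) and audit every GPP file."""
    findings = []
    for dirpath, _dirs, files in os.walk(sysvol_root):
        for name in files:
            if name in GPP_FILES:
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8-sig") as fh:
                    findings.extend(audit_gpp_xml(fh.read(), full))
    return findings
```

Any finding means a domain-readable file carries a credential encrypted under a published key; the remediation is to remove the preference item and rotate the account's password.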

With this domain controller configuration, the attackers gained access to it within 10 minutes.


Another way to retrieve usernames and passwords from the memory of an infected computer involved the free tool Mimikatz. Its source code is published on GitHub, is available to everyone, and is built into some penetration-testing tools, including Cobalt Strike.

Persistence on infected computers and servers

So, the attackers have at least one host running Beacon. They need access to many computers, including those without Internet access. For this they built a mini-network of infected computers inside the bank's local network, managed through a single Cobalt Strike console installed on a remote server and offering the possibility of teamwork.

The whole process can be described as follows:


This scheme allowed criminals to build a fairly reliable mechanism for continuous access to the local network of the attacked bank, while remaining as inconspicuous as possible.


To expel the attackers from the network, it is necessary at the very least to identify all hosts acting as master nodes and remove them from the network simultaneously; otherwise the criminals can recover within a few minutes.

Providing a backup access channel

After successfully compromising the local network and the domain, the attackers could use legitimate remote access channels, for example connecting through terminal servers or over VPN with administrator or ordinary user rights.

Although Cobalt Strike has a built-in VNC remote access module, the attackers hedged their bets and downloaded a modified installer of TeamViewer, a legitimate remote access tool. The installer was not fully recovered, so we assume that the main difference from the official application is that it hides the alert that a remote connection to the computer has been made, as was the case in the attacks of other criminal groups in Russia. With the preparation complete, the last stage lay ahead: withdrawing the money.

Gaining access to ATMs

After gaining control over the bank's internal network and providing backup access channels, the criminals proceeded to search for the network segments from which ATMs could be reached, and for the workstations of the employees responsible for monitoring the ATMs.

With access to a computer or server from which connections to ATMs are permitted, the attackers used the standard remote access tools already in use at the bank, usually the Microsoft Remote Desktop Protocol.

Once they had access to the ATMs, they uploaded special software that allowed them to control cash dispensing.

The program used to dispense money from ATMs is unique and is used only by this group.


ATM attack software


After gaining remote access to an ATM, three files are uploaded to it:



The contents of the del.bat script:

sdelete.exe -accepteula -p 32 d2.exe
sdelete.exe -accepteula -p 32 xtl.exe
sdelete.exe -accepteula -p 32 *.txt
sdelete.exe -accepteula -p 32 d2s.exe
del sdelete.exe
del del.bat


The program's source code was not protected, which greatly simplifies its analysis and makes it possible to adjust the logic of its operation. This means that the author of the malware did not plan to distribute it and most likely belongs to the group of attackers.

The malicious program uses the XFS API to interact with the ATM's dispenser and issue commands to empty the cash cassettes. It operates according to arguments that must be passed at startup; there are 5 such arguments, and each of them must be specified.

Command line arguments must be in the following order:


ServiceLogicalName: the service name passed as the argument to the WFSOpen function (for example, "Cash Dispenser Module").

Cassettes Count: the total number of cassettes present in the device. The value must be between 1 and 15.

Cassette Number: the number of the cassette from which cash should be dispensed. The value must be between 1 and 15.

Banknotes Count: the number of banknotes to dispense from the cassette. The value must be between 1 and 60.

Dispenses Count: how many times the dispensing operation is to be repeated. The value must be between 1 and 60.


All these values are entered in the console by an operator connected to the ATM remotely.

If all arguments were passed correctly, a message is displayed showing the parameters according to which further actions will be taken.


Next, an array is filled in which each element corresponds to a cassette number in the device. The number of array elements must match the total number of cassettes. The value stored in each element is the number of banknotes to be dispensed from the corresponding cassette. The numbering of the array elements starts at 1.

During operation, the program reads the system time and, if it does not match the value specified in the program code, terminates.


Next, the program performs the series of standard actions required before a cash withdrawal operation, and if all of them complete successfully, the ATM dispenses bills to the mule. This operation is repeated as many times as indicated in the "Dispenses Count" argument.

Upon successful completion of each such operation, the text string "Cassettes Count: Banknotes Count" is written to a file named "disp.txt" located in the same directory as the malware, where "Cassettes Count" and "Banknotes Count" are the values of the corresponding arguments.

Two versions of this program were discovered. One was named d2.exe and the second d2sleep.exe. The only difference between them was that the second dispensed cash with a short pause of 1 second.

After the ATM ran out of bills, the operator launched SDelete, which deleted the used files with a special overwriting algorithm that prevents the information from being recovered. After that, the ATM was rebooted.

In addition, the operators took down the bank's internal servers from which the ATM attacks had been carried out using the MBRkiller malware, which wipes the master boot record (MBR). All this greatly complicates forensic investigation of the attack.

ATM attack

On the appointed day, special people, the mules, were sent to the ATMs. They had to stay in phone contact with accomplices who gave the command to dispense money from an ATM. Messages with six-digit codes were found on the phones of the detained mules. Typically, such codes are sent by the organizer to activate the malicious program on a specific ATM.

After the money in the ATM ran out, the person contacted the partners again and left. The emptied ATM then rebooted.

Often, the mules enter the country on tourist visas specifically for the attack and leave as soon as the operation is over. A few days after the attacks on First Bank ATMs in Taipei, citizens of Latvia and Romania were detained. The remaining 13 suspects, including Russian citizens, managed to leave the island.

Increased attention was paid to the security of the criminal scheme itself. So that the operators could not use the program to attack other ATMs without involving the organizer, a launch-time check is built into its code. If the system time of the attacked ATM does not match the month specified in the code, the commands are not executed. The program produces no errors in that case, and most likely the operators are not even aware of the built-in check.

After each successful cash withdrawal operation, the program writes a special log (a file called "disp.txt") with information on the number of banknotes dispensed from each cassette. The operator sends this log file to the organizer, who uses the information to control the cash-out chain.
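An added detection example (not the report's code) that runs over constructed, Sysmon-style process-creation events from an ATM segment and flags two behaviours described above: a command line shaped like the dispenser tool's five arguments (service name plus four integers inside the stated ranges), and an SDelete overwrite pass as in del.bat. Host names, paths and event fields are invented.

```python
import shlex

# Constructed, Sysmon-style process-creation events from an ATM segment; host
# names, paths and command lines are invented for the demo.
EVENTS = [
    {"host": "atm-0142", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\Public\del.bat"'},
    {"host": "atm-0142", "image": r"C:\Users\Public\d2.exe",
     "cmdline": 'd2.exe "Cash Dispenser Module" 4 2 40 30'},
    {"host": "atm-0142", "image": r"C:\Users\Public\sdelete.exe",
     "cmdline": "sdelete.exe -accepteula -p 32 d2.exe"},
    {"host": "branch-ws07", "image": r"C:\Program Files\Java\bin\java.exe",
     "cmdline": "java.exe -jar app.jar 1 2 3 4"},
]

# Accepted ranges per the article: cassettes count, cassette number,
# banknotes count, dispenses count.
RANGES = [(1, 15), (1, 15), (1, 60), (1, 60)]


def looks_like_dispenser_tool(cmdline):
    """Match the five-argument shape: a non-numeric XFS service name followed
    by four integers that all fall inside the tool's accepted ranges."""
    try:
        args = shlex.split(cmdline, posix=True)[1:]
    except ValueError:
        return False
    if len(args) != 5 or args[0].isdigit():
        return False
    try:
        values = [int(a) for a in args[1:]]
    except ValueError:
        return False
    return all(lo <= v <= hi for v, (lo, hi) in zip(values, RANGES))


def is_secure_wipe(cmdline):
    """SDelete invoked with overwrite passes (-p), as in the del.bat above."""
    toks = cmdline.lower().split()
    return bool(toks) and toks[0].endswith("sdelete.exe") and "-p" in toks


def detect(events, atm_hosts):
    """Apply both rules, but only to events from hosts in the ATM segment."""
    alerts = []
    for ev in events:
        if ev["host"] not in atm_hosts:
            continue
        if looks_like_dispenser_tool(ev["cmdline"]):
            alerts.append((ev["host"], "dispenser-tool argument pattern", ev["image"]))
        if is_secure_wipe(ev["cmdline"]):
            alerts.append((ev["host"], "secure wipe (sdelete -p) on ATM", ev["image"]))
    return alerts
```

The argument-shape rule is a heuristic and will match unrelated tools on general workstations, which is why it is scoped to the ATM segment, where no legitimate process should take that form.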

How the Cobalt group operates

[image: diagram of how the Cobalt group operates]

The Buhtrap connection

While investigating Cobalt's logical attacks on Russian and European banks, we noticed that the mechanisms for delivering phishing emails and gaining access to the domain controller were identical to the methods used by the Buhtrap group. From August 2015 to January 2016, it stole more than 1.8 billion rubles from the accounts of Russian banks.

After people who had been involved in cashing out the stolen money for the Buhtrap group were detained in May 2016, thefts from bank accounts using the Trojan of the same name ceased, but the botnet continued to exist.

It can be assumed that at least some members of the Buhtrap group joined Cobalt or, which is no less likely, that the core of Buhtrap simply switched to attacks on ATMs.


How to repel logical attacks

Logical attacks are gaining popularity, and the number of incidents will only grow. Committing an attack does not require expensive development of complex software: most of the tools are publicly available.


These recommendations will help prevent theft, but only proactive work using Threat Intelligence (cyber intelligence) data and specialized solutions for detecting targeted attacks can minimize the risks.

Subscribers to our Threat Intelligence service learned about Cobalt's tactics and attack mechanics back in the summer of 2016. Our consultations helped several banks stop an attack in time, completely clean their networks and cut off the attackers' access to ATMs.

Source: https://habr.com/ru/post/323996/

