
Kaspersky Lab has detected and analyzed malicious software aimed at banks and banking networks. It is a software suite of about 30 modules that can remain unnoticed inside a bank's network for a long time. The system is called Metel (another name is Corkow). The software itself is not new, but Kaspersky Lab has now given a number of presentations on it, and Metel is one of the most interesting subjects of study.
One of its modules programmatically "rolls back" the last executed ATM transactions. With a compromised bank card, attackers can therefore withdraw almost unlimited sums from ATMs owned by other banks; the amount withdrawn is limited only by the cash available in those machines. And because the module keeps returning the card balance to its original value, the attackers never exceed the card limit, so the system does not block the card.
Last year a similar scheme helped attackers withdraw millions of rubles in Russia in a single night. The way Metel penetrates bank networks is simple and conventional: bank employees are somehow induced to open a website that delivers the malware's download module. When the infected file is opened, the Trojan gets into the bank's system. The group behind Metel then explores the network and compromises other PCs inside the victim bank. Social engineering is also often used, as the company described in its blog.
Image: Kaspersky Lab
Using the same malware, hackers managed to significantly increase the volatility of the ruble exchange rate in February 2015, as Geektimes has already reported.
The software used by attackers is constantly growing more complex, and the intruders combine a variety of techniques, tactics and malware families to reach their goal.
Kaspersky Lab also described other examples of attacks on financial institutions:
- The GCMAN group, named for its use of the GCC compiler to build its tools. As with Metel ("Blizzard"), the group begins an attack on a bank with specially crafted e-mails to infect the banking network; afterwards, ordinary tools such as PuTTY, VNC and Meterpreter are used to extend access. In one known case, the group had access to a bank's network for about 18 months before withdrawing any funds. Once the scripts were launched, money was transferred at roughly $200 per minute (a deliberate slowdown so that the bank's systems would not react to too rapid an outflow). The funds went to the account of a fake person, who was to cash them out.
- The Carbanak 2.0 system, malware used by intruders to gain access to a financial institution. Once inside, the attackers added entries to the records of the company's owners. The added persons were dummies who, as in the previous case, were used to withdraw funds from accounts; withdrawing money as "owners" of the financial organization raised no obstacles.
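Both the Metel rollback trick and the GCMAN "$200 per minute" drip succeed because a monitoring rule looks at the wrong quantity: the card's net balance instead of its gross withdrawals, or the size of each transfer instead of the count and total over time. The following script is an added illustration written for this article (it is not Kaspersky Lab code, and the pipe-separated log format, account names and thresholds are invented for the demonstration). It flags cards whose gross withdrawals exceed the daily limit even though reversals keep the net balance intact, and flags account/counterparty pairs that receive a steady stream of small transfers within a time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp|account|type|amount|counterparty
# (the format is invented for this example; real ATM-switch and
# core-banking logs look different).
SAMPLE_LOG = """\
2015-02-10T09:00:00|CARD-1001|withdraw|1000|ATM-77
2015-02-10T09:00:20|CARD-1001|reversal|1000|ATM-77
2015-02-10T09:03:00|CARD-1001|withdraw|1000|ATM-78
2015-02-10T09:03:25|CARD-1001|reversal|1000|ATM-78
2015-02-10T09:06:00|CARD-1001|withdraw|1000|ATM-79
2015-02-10T09:06:18|CARD-1001|reversal|1000|ATM-79
2015-02-10T09:09:00|CARD-1001|withdraw|1000|ATM-80
2015-02-10T09:09:30|CARD-1001|reversal|1000|ATM-80
2015-02-10T09:10:00|CARD-1002|withdraw|500|ATM-77
2015-02-10T10:00:00|ACC-CORP|transfer|200|MULE-9
2015-02-10T10:01:00|ACC-CORP|transfer|200|MULE-9
2015-02-10T10:02:00|ACC-CORP|transfer|200|MULE-9
2015-02-10T10:03:00|ACC-CORP|transfer|200|MULE-9
2015-02-10T10:04:00|ACC-CORP|transfer|200|MULE-9
2015-02-10T10:05:00|ACC-CORP|transfer|200|MULE-9
2015-02-10T10:06:00|ACC-CORP|transfer|200|MULE-9
2015-02-10T10:07:00|ACC-CORP|transfer|200|MULE-9
2015-02-10T10:08:00|ACC-CORP|transfer|200|MULE-9
2015-02-10T10:09:00|ACC-CORP|transfer|200|MULE-9
2015-02-10T10:30:00|ACC-CORP|transfer|5000|SUPPLIER-1
"""


def parse_log(text):
    """Parse the pipe-separated sample format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, kind, amount, counterparty = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "account": account,
            "type": kind,
            "amount": int(amount),
            "counterparty": counterparty,
        })
    return events


def find_rollback_abuse(events, daily_limit):
    """Flag cards whose GROSS withdrawals exceed the daily limit.

    A rule that only checks the net balance change is blind to the
    Metel pattern, because every withdrawal is followed by a reversal
    that restores the balance. Gross and net are both reported so the
    gap between them is visible to the analyst.
    """
    gross = defaultdict(int)
    net = defaultdict(int)
    for e in events:
        if e["type"] == "withdraw":
            gross[e["account"]] += e["amount"]
            net[e["account"]] -= e["amount"]
        elif e["type"] == "reversal":
            net[e["account"]] += e["amount"]
    return {
        acct: {"gross": gross[acct], "net": net[acct]}
        for acct in gross
        if gross[acct] > daily_limit
    }


def find_slow_drain(events, window_minutes, min_count, max_single):
    """Flag (account, counterparty) pairs receiving many small transfers.

    Each transfer is individually below max_single, so per-transaction
    thresholds never fire; instead a sliding window counts transfers to
    the same counterparty and sums them.
    """
    window = timedelta(minutes=window_minutes)
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "transfer" and e["amount"] <= max_single:
            by_pair[(e["account"], e["counterparty"])].append(e)
    flagged = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it spans <= window.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= min_count:
                total = sum(e["amount"] for e in evs[start:end + 1])
                flagged[pair] = {"count": count, "total": total}
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("rollback abuse:", find_rollback_abuse(evs, daily_limit=2500))
    print("slow drain:", find_slow_drain(evs, 15, 8, 1000))
```

On the constructed log, CARD-1001 is reported with gross 4000 against net 0 (four withdrawals, each reversed), while CARD-1002's single withdrawal stays under the limit; the ten 200-unit transfers from ACC-CORP to MULE-9 are reported as one cluster, and the single 5000-unit payment to SUPPLIER-1 is excluded by the per-transfer ceiling. The thresholds are placeholders; in practice they would be tuned to the institution's real limits and customer behaviour.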
All of these groups and systems are still active. As previously reported, Corkow alone has infected the networks of 250 financial organizations and business companies in Russia; how many victims there are in fact, nobody knows.