MoneyTaker: Yet another Russian hacking group exposed

Banks, law firms and financial software vendors in the UK, US and Russia among groups targeted by MoneyTaker, according to Group-IB

MoneyTaker, a new group of hackers based in Russia, has been exposed by security forensics outfit Group-IB.

In two years, according to a Group-IB report, the group has conducted more than 20 successful attacks on both financial institutions and law firms in the US, UK and Russia.

"Although the group has been successful at targeting a number of banks in different countries, to date, they have gone unreported," claimed Group-IB in a blog posting.

It continued: "In addition to banks, the MoneyTaker group has attacked law firms and also financial software vendors. In total, Group-IB has confirmed 20 companies as MoneyTaker victims, with 16 attacks on US organisations, three attacks on Russian banks and one in the UK.

"By constantly changing their tools and tactics to bypass anti-virus and traditional security solutions and most importantly carefully eliminating their traces after completing their operations, the group has largely gone unnoticed."

According to Group-IB, the first attack conducted by the group was in spring 2016, when MoneyTaker gained access to payment technology company First Data's Star network portal.

In total, the group was behind 10 attacks during 2016, including six on banks in the US, two on banks in Russia and one on a bank in the UK, as well as the First Data attack.

In 2017, Group-IB claims that MoneyTaker was behind attacks on eight US banks, one law firm and one Russian bank.

Group-IB researchers claim to have discovered connections between all 20 incidents in 2016 and 2017. "Connections were identified not only in the tools used, but also the distributed infrastructure, one-time-use components in the attack toolkit of the group and specific withdrawal schemes - using unique accounts for each transaction.

"Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and Mail.ru free email services," claimed Group-IB.

The group has also made use of Citadel and Kronos banking Trojans as part of their attacks, with Kronos deployed to deliver point-of-sale malware in one attack.

In addition to the blog, Group-IB has also produced a research report, and will be running a Computing-style web seminar on Monday 18 December.

"MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise," says Group-IB co-founder and head of intelligence Dmitry Volkov.

He continued: "In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice.

"Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations".