A hacker gang dubbed Anunak pulled off a high-profile attack against Energobank, based in Kazan, the capital of the Republic of Tatarstan, Russia. The breach took place in February 2015, but its details only recently surfaced in a report by Group-IB, the computer forensics firm hired to investigate the incident. The fraudsters managed to deploy the Metel Trojan (the name is a transliteration of the Russian word for “Blizzard”) in the bank’s IT infrastructure. Also known as Corkow, this malware gave the attackers unauthorized access to the bank’s trading system terminals.
Over the course of only 14 minutes, the attackers succeeded in placing currency exchange orders on behalf of the bank, which caused the US dollar/ruble exchange rate to swing from its regular 60/62 (buy/sell) to 55/62. As a result, the criminals were able to carry out multimillion-dollar deals in which interested parties could make a quick profit by buying dollars at the depressed price and selling them at the average market rate. A total of 7 currency exchange requests were made within this brief time span, amounting to more than $500 million. The malware was then remotely deleted from the trading system.
According to financial experts’ estimates, this artificially created temporary margin cost the bank losses in the millions. Meanwhile, the central bank acknowledged the exchange rate volatility but denied that any illegal manipulation had taken place, stating that the swing could have been caused by traders’ mistakes.
Dmitry Volkov, head of the cyber crime investigation division at Group-IB, says the Corkow Trojan is capable of traversing a compromised intranet thoroughly enough to locate even remote machines that may handle sensitive financial transactions. Furthermore, the malware was found to employ sophisticated antivirus evasion techniques, allowing it to fly under the radar of the mediocre defenses that most targeted organizations rely on. This capability has enabled the Anunak gang to build a botnet of over 250,000 workstations across the globe, including machines on the internal networks of more than 100 financial organizations.
According to the same report, Energobank was breached via a spear phishing attack. Some employees were imprudent enough to open an email disguised as a message from a Russian banking authority. These emails carried malicious code that exploited vulnerabilities in Microsoft Office. As a result, Corkow was executed on the recipients’ machines and quickly propagated across the bank’s network.
This isn’t the only known incident involving the Metel (Corkow) malware. It was first spotted in circulation in 2011 and had remained mostly dormant until the Energobank attack. Group-IB researchers believe that attack was a “pilot” campaign to test how far the gang could go with its Trojan. Members of the Anunak ring have since used Corkow to carry out another brazen heist.
In August 2015, the malware compromised the credit card system used by about 250 Russian banks. This compromise made it possible for the hackers to steal hundreds of millions of rubles in a single night: the perpetrators withdrew cash from ATMs and then rolled back the transactions, so that the same cards could be cashed out repeatedly at other banks’ ATMs.
So far, no instances of bank fraud involving the Corkow Trojan have been detected outside Russia. That said, security professionals warn that it may pose a risk to financial organizations elsewhere around the globe.