GCMAN group attacked three Russian banks in the past year

Feb 8, 2016 16:55 GMT
GCMAN group uses cron script to transfer $200 per minute from banks to e-currency services

At the Security Analyst Summit (SAS 2016) held in Tenerife, Spain, Kaspersky researchers shed some light on a new cyber-crime group, called GCMAN, targeting Russian banks.

Named after GCC (the GNU Compiler Collection), the compiler used to build its custom-made malware, the group's main mode of operation is to infect banks and then secretly transfer small amounts of money to e-currency services.

As with most cyber-incidents today, the main infection vector is spear-phishing emails sent to key individuals in a bank's organizational chart.

If a recipient falls victim and opens the malicious RAR file sent in the email, their computer is infected with the group's malware.

The malware sends $200 per minute to an e-currency service

This malware is specifically designed for lateral movement inside the bank's IT infrastructure. It actively searches for computers that handle financial operations and uses penetration testing tools like Meterpreter, PuTTY, and VNC to gain access to these systems.

Once a foothold has been established on one of these key machines, the malware deploys a simple cron script that will send $200 every minute to various e-currency accounts, which are under the group's control.

"A time-based scheduler was invoking the script every minute to post new transactions directly to upstream payment processing system," Kaspersky researchers explained. "This allowed the group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank."
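For defenders, a job that fires every minute under an unexpected account is straightforward to audit for. The following is an added example, not code from Kaspersky's report or from this article: it parses crontab text and lists every job whose minute field covers all 60 minutes. The sample crontab, account names and paths are constructed for illustration.

```python
import re

# Constructed sample in system crontab format (with a user column).
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
SHELL=/bin/sh
17 * * * * root run-parts /etc/cron.hourly
*/15 * * * * backup /usr/local/bin/sync-ledger.sh
* * * * * svc_pay /var/tmp/.cache/post.sh
*/1 * * * * root /opt/monitoring/heartbeat.sh
0-59 * * * * www-data /tmp/x
@reboot root /usr/local/bin/start-agent
"""

def fires_every_minute(field):
    """True if a cron minute field (lists, ranges, steps) matches all 60 minutes."""
    minutes = set()
    for part in field.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            lo, hi = 0, 59
        elif "-" in rng:
            lo, hi = map(int, rng.split("-"))
        else:
            lo = hi = int(rng)
        minutes.update(range(lo, hi + 1, step))
    return set(range(60)) <= minutes

def every_minute_jobs(text, system_format=True):
    """Return (line number, user or None, command) for each every-minute job."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        # Skip blanks, comments, @reboot-style shortcuts and VAR=value lines.
        if not line or line[0] in "#@" or re.match(r"^\w+\s*=", line):
            continue
        fields = line.split(None, 6 if system_format else 5)
        if len(fields) < (7 if system_format else 6):
            continue
        try:
            if not fires_every_minute(fields[0]):
                continue
        except ValueError:  # malformed minute field: not a schedule we can judge
            continue
        user = fields[5] if system_format else None
        hits.append((lineno, user, fields[-1]))
    return hits

if __name__ == "__main__":
    for lineno, user, command in every_minute_jobs(SAMPLE_CRONTAB):
        print(f"line {lineno}: user={user} command={command}")
```

Legitimate heartbeat jobs will also appear in the output, so the result is a review list to compare against a known baseline, not a verdict.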

GCMAN's cron script was discovered by accident

The security vendor says that only pure luck allowed a bank employee to come across GCMAN's malware and stop its cron script before it could do any real damage.

Investigating this first reported incident, Kaspersky researchers discovered that the bank's computer network tasked with dealing with financial operations had actually been breached 18 months earlier. After infecting one computer, the attackers scouted the network for potential targets and used an MSSQL injection in one of the bank's software packages used to run its public Web portal.

Hackers used this initial hole to attack 70 other computers on the bank's network, compromising 56, until they got access to what they were looking for. Eighteen months later, they came back to place the cron script on the server and steal the money, but luck was not on their side.

Besides this initial case, Kaspersky says they also discovered GCMAN's custom malware on the servers of two other Russian banks.

[Figure: GCMAN's mode of operation]
