Attackers stole tens of millions via mobile connections

Dec 6, 2018 20:17 GMT  ·  By

The networks of up to eight banks in Eastern Europe were infiltrated in a series of attacks that Kaspersky Lab's research team has dubbed DarkVishnya.

Between 2017 and 2018, Kaspersky's security specialists were brought in by the compromised banks, which lost tens of millions of dollars in the attacks, to work out how the criminals had got past their defenses.

As the researchers found out, the criminals planted netbooks or inexpensive laptops, Raspberry Pi computers, or Bash Bunny devices inside the banks' networks, then controlled them remotely over GPRS/3G/LTE mobile data connections, a channel the banks' perimeter monitoring would never see.

Each attack had three stages: getting a foothold inside the bank's perimeter, finding the systems and credentials needed to move the money, and cashing out without being noticed.

In the first stage, the DarkVishnya operators physically planted the devices, choosing spots where an extra box would not look out of place, and gave each one its own GPRS/3G/LTE link, either built in or through an added USB mobile data modem, so that it could be reached from outside without touching the bank's internet connection.
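A planted device still needs an address on the LAN before it can scan anything, so a DHCP lease from a MAC that no asset record explains is the earliest artifact a defender can look for. The script below is an added example, not Kaspersky's or the article's code: it parses ISC dhcpd-style DHCPACK syslog lines, checks each MAC against an asset inventory, and additionally flags OUIs registered to the Raspberry Pi Foundation. The log lines, inventory and hostnames are constructed.

```python
"""Flag LAN hosts that could be a planted DarkVishnya-style device.

Added example, not from Kaspersky or the article. It compares a DHCP lease
log against an asset inventory and flags (a) MACs with no inventory entry
and (b) MACs whose OUI belongs to a single-board-computer vendor. The log
lines and inventory are constructed; the OUIs are the publicly registered
Raspberry Pi Foundation prefixes.
"""
import re
from dataclasses import dataclass

# Constructed ISC dhcpd-style syslog lines (real dhcpd uses this layout).
SAMPLE_DHCP_LOG = """\
Dec  3 09:14:02 dhcp01 dhcpd: DHCPACK on 10.20.5.31 to 3c:52:82:aa:bb:01 (ws-fin-031) via eth0
Dec  3 09:14:40 dhcp01 dhcpd: DHCPACK on 10.20.5.77 to b8:27:eb:12:34:56 via eth0
Dec  3 09:15:11 dhcp01 dhcpd: DHCPACK on 10.20.5.32 to 3c:52:82:aa:bb:02 (ws-fin-032) via eth0
Dec  3 09:16:59 dhcp01 dhcpd: DHCPACK on 10.20.5.90 to 00:e0:4c:68:00:aa (ubuntu) via eth0
"""

# Constructed asset inventory (MAC -> hostname); in practice from a CMDB/NAC.
INVENTORY = {
    "3c:52:82:aa:bb:01": "ws-fin-031",
    "3c:52:82:aa:bb:02": "ws-fin-032",
}

# Publicly registered Raspberry Pi Foundation OUIs (first three octets).
SBC_OUIS = {"b8:27:eb", "dc:a6:32", "e4:5f:01"}

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?",
    re.I,
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    hostname: str
    reasons: tuple


def parse_leases(log_text):
    """Yield (ip, mac, hostname) for every DHCPACK line; hostname may be ''."""
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            yield m["ip"], m["mac"].lower(), m["host"] or ""


def find_rogue_hosts(log_text, inventory=INVENTORY, sbc_ouis=SBC_OUIS):
    """Return a Finding for each lease that is unknown or looks like an SBC."""
    findings = []
    for ip, mac, host in parse_leases(log_text):
        reasons = []
        if mac not in inventory:
            reasons.append("mac not in asset inventory")
        if mac[:8] in sbc_ouis:
            reasons.append("oui belongs to a single-board computer vendor")
        if reasons:
            findings.append(Finding(ip, mac, host, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_rogue_hosts(SAMPLE_DHCP_LOG):
        print(f"{f.ip:<14} {f.mac}  host={f.hostname or '-':<12} {'; '.join(f.reasons)}")
```

The inventory check does the real work: a planted laptop will not trip the OUI test, and an attacker can set a static address or spoof a MAC, so pair this with switch MAC-address tables or 802.1X/NAC data rather than relying on DHCP alone.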

Fileless malware was used during the operation to avoid detection

In the second stage the attackers connected to the planted devices and scanned the bank's local network for accessible resources such as open web servers and shared folders, looking for the machines involved in processing payments.

Once they had found those machines, they tried to log in with sniffed or brute-forced credentials. To get around firewall rules between network segments, they planted shellcode that opened a local TCP server on a compromised host, or built tunnels so that their traffic flowed in whichever direction the firewall still allowed.

In the third and final stage, the attackers used remote access software to keep a foothold on the compromised machines and ran fileless malware on them to move the money, keeping a low profile throughout.

Staying out of sight of anti-malware software, application whitelists and domain policies was largely a matter of never writing a binary to disk. Where starting their malicious services on a host was not possible locally, they fell back to remote execution, using "impacket, and winexesvc.exe or PsExec.exe to run executable files remotely".
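PsExec and winexe both work by copying a service binary to the target's ADMIN$ share and registering a service for it, and impacket's smbexec registers a service whose "binary" is a cmd.exe one-liner that redirects its output to a file on an admin share, so the target's System log records a 7045 "service installed" event for each of them. The detector below is an added example, not Kaspersky's or the article's code: it runs over constructed 7045 events (field names as a SIEM would extract them from the event XML) and flags the default PSEXESVC and winexesvc service names plus the cmd.exe-to-UNC-path pattern. The computer names, the "SVC-7f3a" service name and the benign Defender entry are constructed.

```python
"""Flag Windows 7045 events that look like PsExec/winexe/smbexec installs.

Added example, not from Kaspersky or the article. PSEXESVC and winexesvc are
the default service names of Sysinternals PsExec and winexe; the cmd.exe
one-liner writing to \\127.0.0.1\C$ or ADMIN$ is the execute-and-fetch-output
pattern used by impacket's smbexec. All events below are constructed.
"""
import re
from dataclasses import dataclass

SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "pay-srv-01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "pay-srv-02", "ServiceName": "winexesvc",
     "ImagePath": r"winexesvc.exe", "AccountName": "LocalSystem"},
    # Constructed service name; the image path is the smbexec-style one-liner.
    {"EventID": 7045, "Computer": "ws-fin-031", "ServiceName": "SVC-7f3a",
     "ImagePath": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1",
     "AccountName": "LocalSystem"},
    # Benign: Defender for Endpoint sensor service (constructed entry).
    {"EventID": 7045, "Computer": "ws-fin-032", "ServiceName": "Sense",
     "ImagePath": r"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe",
     "AccountName": "LocalSystem"},
    # Not a service-install event at all; must be ignored.
    {"EventID": 7036, "Computer": "ws-fin-032", "ServiceName": "Spooler",
     "ImagePath": "", "AccountName": ""},
]

KNOWN_REMOTE_EXEC_SERVICES = {
    "psexesvc": "Sysinternals PsExec",
    "winexesvc": "winexe",
}

# cmd.exe / %COMSPEC% invoked as the service binary, redirecting to the
# loopback admin share: the smbexec execute-and-fetch-output pattern.
CMD_UNC_RE = re.compile(
    r"(?:%COMSPEC%|cmd(?:\.exe)?)\s.*\\\\127\.0\.0\.1\\(?:C|ADMIN)\$", re.I
)


@dataclass(frozen=True)
class Alert:
    computer: str
    service: str
    reason: str


def classify_service(event):
    """Return a reason string if a 7045 event looks like remote-exec tooling."""
    if event.get("EventID") != 7045:
        return None
    name = event["ServiceName"].lower()
    if name in KNOWN_REMOTE_EXEC_SERVICES:
        return f"service name matches {KNOWN_REMOTE_EXEC_SERVICES[name]}"
    if CMD_UNC_RE.search(event["ImagePath"]):
        return "service binary is a cmd.exe one-liner writing to a loopback admin share"
    return None


def detect_remote_exec(events):
    """Return an Alert for every event classify_service flags."""
    alerts = []
    for ev in events:
        reason = classify_service(ev)
        if reason:
            alerts.append(Alert(ev["Computer"], ev["ServiceName"], reason))
    return alerts


if __name__ == "__main__":
    for a in detect_remote_exec(SAMPLE_EVENTS):
        print(f"{a.computer:<12} {a.service:<10} {a.reason}")
```

Name matching is the weakest part of this: PsExec's -r switch renames the service, and a rebuilt winexe can do the same, so a 7045 whose binary sits directly under the Windows directory with a name nobody recognises deserves the same attention, as does the Security-log 4697 event and share access (5145) to ADMIN$ from a host that has no business administering servers.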