Bank Reconnaissance, A Hacker's Guide

For much of the time, cybersecurity researchers can find themselves limited to informed speculation and assessment about the sort of activity that cybercriminals perform, prior to launching a large cyber-theft operation. We believe that they will be performing reconnaissance on employees at the bank, particularly those in privileged positions linked to the payment and IT platforms, but some of the more precise details are limited. However, every now and again, information will be leaked which can provide some unique insight into the activities of cybercriminal groups and what they look for in a victim.In July 2018, a user on a hacking forum leaked a set of documents and source code linked to the theft of money from financial services entities in Russia. The user initially indicated that these were linked to the Carbanak group (and may even have contained a sample of the Carbanak malware); however, subsequent analysis has indicated that the package is linked to a variant of the Buhtrap malware, dubbed Ratopak.While there has been considerable discussion about the source code and operation of the malware, perhaps more interesting are the clues that can be found in other files, offering a snapshot of historic intelligence gathering and knowledge sharing that was happening between the malware operators. This provides a unique insight into the scope of their operations, as well as the information considered valuable for perpetrating thefts.Files within the leak were organised into four folders:

• bck_check, containing a file designed for parsing logs;
• gen_payments_script, containing a PHP script for generating payment metadata (so that payments initiated through unauthorised access resemble legitimate transactions);
• Pegasus, containing the trojan source code and binaries; and
• cvs_banks, containing a trove of intelligence which can be used to support operations against banks.

The folder of interest to us is cvs_banks which contains 20 files in assorted formats (csv, doc, xls, txt) and an info.txt file in the main directory. The documents are fairly disorganised but reflect a strong focus on the targeting of Russian banking employees and evading automated anti-fraud measures. Details of some of the documents are outlined below:

• txt: Contains instructions for malware operators on how the AWS CBR (Russian Central Bank's Automated Workstation Client) functions, along with tips for establishing whether associated software is running on a compromised machine. Compromising these could be used to initiate inter-bank transfers of large sums of money.
• txt: A subset of information of employees at different banks, consisting of names and email addresses.
• txt: Details of particular transaction types which immediately trigger automated anti-fraud blocking mechanisms.
• АНТИФРАУД.txt: Details of individual processes which could suggest that a transaction is suspicious.
• Антидропы (485) 24 08 2015.xls and Антидропы (500) 30 06 2015.xls: Spreadsheets containing personal details for security personnel at variety of different banks. Document properties seem to indicate that document may have come from a bank itself, although this cannot be confirmed. Use of the word “дропами” (drop) to describe a set of columns is somewhat strange as it is a word commonly used to describe the role of a ‘money-mule’; in this context it is likely to refer to people responsible for approving payments which have been flagged as suspicious.
• СБ Липецк на 17.11.2015.doc: Contains details of individuals associated with IT departments at banks in the Lipetsk region of Russia.
• Список СБ банков г. Воронежа на 13.02.2013 (со списком рассылки).doc: Contains notes and details ostensibly relating to employees linked to security/IT functions at banks based in the Voronezh region in Russia. The original source of this document is unclear, but it does include indications that some of the included email addresses had been contacted by the criminals.
• txt: a list of email addresses linked to free email services. It is possible that this may be a list of email addresses from which the criminals could send spear-phishing email attempts.
• 12 csv files consisting of domain controller dumps from various Russian banks and other financial institutions (e.g. the Russian Deposits Insurance Agency), containing names and email addresses for thousands of employees.

Together, the files confirm the belief that attackers are willing to put many hours into the gathering and collation of personal information for thousands of banking employees, and into identifying people who are directly responsible for the systems they’re looking to manipulate. The information also appears to be kept by hackers for considerable lengths of time – filenames and properties indicate that data was collected from 2013-2015 – but such information is likely to retain its value for quite some time.We know that hackers are going to be reviewing our organisations’ open-source profiles, seeking to identify the most valuable targets and tailor their attacks to their profiles. This can be seen in a report by Symantec which appears to be describing an attack perpetrated by group behind the Ratopak malware in this dump. Educating employees about the dangers of phishing, and of revealing inappropriate amounts of information on corporate networking sites, is something which will have to continue into the foreseeable future. Reviews of a company’s online threat landscape are also useful exercises for identifying the scope of information which has been made available about them in open sources. When rigorously assessed, this information can be framed in the context of how an attacker could use it to target an organisation, prioritised, and remediated.

Find out more about our cyber intelligence services

• Platform
• Consulting
• Research