MoneyTaker Has Targeted at Least 16 US Organizations

MoneyTaker, a cyber-criminal hacking group likely operating out of Russia or a Russian-speaking country, has reportedly stolen over 10 million dollars after targeting at least 20 financial institutions and legal firms. Researchers at the cybersecurity firm Group-IB believe MoneyTaker operations began in 2016, first infiltrating a Florida bank in May of that year, and that the group has since targeted 14 additional US banks, a US service provider, a UK company, three Russian banks, and a Russian law firm. The group steals funds by infiltrating inter-banking money transfer and card processing systems, such as the First Data STAR Network and the Russian Central Bank's AWS CBR system.

MoneyTaker actors use legitimate applications and several types of malware to carry out their operations, including fileless malware, which makes investigations considerably more difficult. The group has targeted card processing systems and ATM networks, has used the ScanPOS malware against PoS systems, the Citadel and Kronos banking trojans for lateral movement, and custom screenshotting and keylogging tools. The threat actors delete their entry points, preventing researchers from determining the initial infection vector. MoneyTaker actors appear to steal internal documentation first in order to learn how a bank operates before launching their cyber operations; they have stolen documents on the inter-banking money transfer system SWIFT and on OceanSystems' Fedlink card processing system, which is deployed across Latin America, indicating that financial institutions in Latin America may be the group's next target.

The NJCCIC recommends that users and administrators at financial institutions review the Group-IB report for additional information and scan their networks for malicious activity associated with the MoneyTaker group using the IoCs provided.