Openhunting Threat Library

MoneyTaker

MoneyTaker
(Type: -)

(Group-IB) In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group. Although the group has been successful at targeting a number of banks in different countries, to date, they have gone unreported. In addition to banks, the MoneyTaker group has attacked law firms and also financial software vendors. In total, Group-IB has confirmed 20 companies as MoneyTaker victims, with 16 attacks on US organizations, 3 attacks on Russian banks and 1 in the UK.

[News Analysis] Trends:

Total Trend: 2

Trend Per Year
2
2017


Trend Per Month
2
Dec 2017



[News Analysis] News Mention Another Threat Name:

0 - MoneyTaker


[TTP Analysis] Technique Performance:



[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

MoneyTaker Hacker Group Steals Millions from US and Russian Banks

2017-12-12 by Catalin Cimpanu from Bleeping Computer

MoneyTaker: in pursuit of the invisible

2017-12-11 by Dmitry Volkov from Group-IB

Basic Information (Credit @etda.or.th)

Actor: MoneyTaker

Names: MoneyTaker

Country: Russia

Motivation: Financial crime

First-seen: 2016

Description: (Group-IB) In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group. Although the group has been successful at targeting a number of banks in different countries, to date, they have gone unreported. In addition to banks, the MoneyTaker group has attacked law firms and also financial software vendors. In total, Group-IB has confirmed 20 companies as MoneyTaker victims, with 16 attacks on US organizations, 3 attacks on Russian banks and 1 in the UK.

Observed-sectors: Financial

Observed-countries: Russia

Observed-countries: UK

Observed-countries: USA

Tools: Citadel

Tools: Kronos

Tools: Metasploit

Tools: MoneyTaker

Tools: Screenshotter

Information: https://www.group-ib.com/blog/moneytaker

Last-card-change: 2020-04-14

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact