Metel Infiltrates Banks with Malware and Robs ATMs via Transaction Rollbacks

Posted on

The group has not been caught yet, still active in Russia.

A group of crafty cyber-criminals are using malware to infect the IT networks of top-grade banks and are stealing funds using ATM rollback operations.

At the Security Analyst Summit (SAS 2016) held in Tenerife, Spain, security researchers from Kaspersky have uncloaked a new cyber-crime ring that’s using a pretty clever and never-before-seen tactic to rob banks.

The group, nicknamed Metel based on the malware family they use (also known asCorkow), relies on well-targeted spear-phishing campaigns to infect the computer network of a desired bank.

Hackers take control of a bank’s IT network responsible for financial transactions

Once on the bank’s IT system, the malware, which was specifically built for this purpose, will spread to nearby workstations until it manages to infect computers tasked with managing the bank’s financial transactions.

Here, using its keylogging and backdoor capabilities, it allows the Metel group to access core financial operations.

Once this level of access is achieved, Metel can move to the second stage of the attack. The group now sends its members to the ATMs of other banks and asks them to remove money from a valid bank account belonging to the infected bank.

Because inter-bank operations take a while to validate, the Metel group uses their access to the infected bank’s financial IT system to cancel these withdrawal operations, but not before the money is pulled out of the ATM.

The group is still active in Russia

This is called a transaction rollback and reverses the bank account’s balance to the previous value, even if money has been withdrawn from an ATM and is now in the group’s possession.

Using this clever technique, Metel can send multiple carriers to different ATMs in one night, all with the same bank account, and steal huge amounts of money before their intrusion is detected. All the hackers need to do is cancel any withdrawal operation associated with their cash-cow bank account.

Kaspersky reports that, in the summer of 2015, the Metel group managed to steal millions of rubles in one single night. Only victims in Russia seem to be targeted, and the security vendor reports that the group is still active. Until now, Kaspersky says it has cleaned Metel’s malware from the computers of over 30 financial institutions in Russia.

Metel group robs ATMs via transaction rollbacks
Metel group robs ATMs via transaction rollbacks

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s