Hackers Steal Information From Russian Bank Employees Via Malware
For The Purpose Of Stealing Information The Hackers Delivered Trojan To Making The Targeted To The Employees Of At least 6 Russian Banks Through Fake Emails. And The Attack Is Known As ‘Ratopak.’
The employees of some respective Russian Banks became a target from fake or you can say spoofed emails in December 2015. And all of you know that this is a very common technique for attacking any site to hack something. And the shocking part is that the emails were looked like same as they sent from the Central Bank Of Russia to offering the employment to their receivers. But in actual there were a Trojan ‘Ratopak’ deliver into the targeted user’s computer.
And you know what with the help of this Trojan Ratopak the hackers can gain the controlling power of targeted computer and they can easily steal the information. Do you know how it is possible??
No, okay! I’ll tell you the attacker can enter into the targeted system to perform various actions through a back door which can open by the threat. And then attacker performs many harmful actions like – logging, viewing & controlling the screen, keystrokes and retrieving clipboard data & so on.
Mostly hackers always try to target the legal or you can say authorized website or emails. For this, they can register a corresponding domain which may be similar from that authorized website just like Central Bank of Russia website.
Usually, the URL of Central Bank Of Russia website is “cbr.ru” and you know what the attackers website’s URL was “cbr.com.ru”. From this website the hackers sent an archive file included their victims email.
And when a user opens that archive file and also a fake file then downloaded the Ratopak Trojan, after that the attackers can sign into the targeted computer through stolen certificates that can easily avoid detection and also make a legitimate way to appear the malware in their system.
Black Vine & Hidden Lynx are two groups which used the stolen certificates. And they have used the emails for sending to the target users which is written by a native Russian speaker in a very simple and clean language. This shows that the attackers also needed a perfect speaker in a particular language for making the information useful and stolen by Ratopak.
There are only two minor errors in their email – First is the name in the “From:” line of the email header differs from the signature at the end of the email. And the second is that “.com” in the URL, which is the clear indication of that this is a fake email.
|Spoofed email offer (in Russian language) with a link to Trojan.Ratopak | Screenshot by Symantec|
At least six Russian Banks which were pointed for their attacks. And the amazing thing is that the attackers were only targeted the Russian and Ukrainian computers that’s why they affected the all those systems which are located in Russia. And all of them have very confidential and secret data just like – secured documents of government for tax purposes or so on.
For example, a common link of the victims was a piece of software created by SBIS, a Russian company that develops, among other things, accounting and payroll applications. In URLs used by SBIS, their accounting software is referred to as “buh”. Then attackers make their similar approach for the purpose of attacking which is labeled as Trojan.Ratopak as “Buhtrap”.
That’s why the targeted system may connect to the following domains; note the use of “buh” in several of them:
The goal of the attackers was always financial motivation. As I told you that they were always only target the Russian and Ukrainian computers because they make it for checks the language of the compromised computer. If it isn’t Russian or Ukrainian, then the malware stops its attack. Ratopak may also terminate and delete itself if it recognizes that it is being run on a virtual machine or a researcher’s computer.
Image source: Getty
Image source: Getty