Kaspersky Lab analysts have described a series of attacks on banks that they named DarkVishnya.
The researchers write that in 2017 and 2018 they were called in to investigate several cyber robberies that shared a common denominator: each time, the starting point of the attack was an unknown device connected directly to the organization's local network. In some cases it was the head office, in others a regional office, sometimes even one located in another country.
At least eight banks in Eastern Europe were targeted by DarkVishnya attacks, and the attackers were after tens of millions of dollars.
Each attack can be roughly divided into the same stages. In the first stage, the attacker entered the organization's building under a plausible pretext (a courier, a job applicant and so on) and connected a device to the local network, for example in one of the meeting rooms. Where possible, the device was hidden or disguised to blend in with its surroundings so as not to arouse suspicion among employees.
The devices used in DarkVishnya varied with the attackers' preferences and means. In the cases studied by the experts, it was one of three tools:
a netbook or inexpensive laptop;
a Raspberry Pi single-board computer;
Bash Bunny, a purpose-built tool for USB attacks.
Inside the local network such a device could appear as an unknown computer, a flash drive, or even a keyboard. Combined with its physical size (Bash Bunny is comparable to an ordinary USB stick), this made finding the entry point considerably harder. For remote access to the planted device, a GPRS/3G/LTE modem was used, either built into the device or connected to it via USB.
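The defensive counterpart to this first stage is a rogue-device check: anything with a network address that is not in the asset inventory is a candidate "planted device". The script below is an added example, not code from the Kaspersky report: it parses a Linux `arp -an` style snapshot (constructed here), compares each MAC against a constructed inventory, and adds a hint when the OUI belongs to Raspberry Pi. The inventory, the ARP lines and the function names are assumptions for illustration.

```python
"""Rogue-device check for a planted-device scenario like DarkVishnya.

Added example (not from the Kaspersky report). Compares an ARP snapshot
against an asset inventory and flags anything unknown. The inventory, the
ARP output and the OUI hint list are constructed for this illustration.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory: MAC -> description. Assumption: in practice
# this comes from the CMDB or NAC, keyed by MAC address.
INVENTORY = {
    "00:1a:2b:3c:4d:01": "workstation fin-ws-12",
    "00:1a:2b:3c:4d:02": "printer, 2nd floor",
    "00:1a:2b:3c:4d:03": "meeting-room VC unit",
}

# OUI prefixes registered to Raspberry Pi (Trading) Ltd. A hit is only a
# hint; the decisive signal is "MAC not in inventory".
RPI_OUIS = ("b8:27:eb", "dc:a6:32", "e4:5f:01")

# Constructed `arp -an` output in the Linux format.
SAMPLE_ARP = """\
? (10.20.30.11) at 00:1a:2b:3c:4d:01 [ether] on eth0
? (10.20.30.12) at 00:1a:2b:3c:4d:02 [ether] on eth0
? (10.20.30.13) at 00:1a:2b:3c:4d:03 [ether] on eth0
? (10.20.30.77) at b8:27:eb:aa:bb:cc [ether] on eth0
? (10.20.30.78) at 00:0c:29:12:34:56 [ether] on eth0
"""

ARP_RE = re.compile(
    r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I
)


@dataclass(frozen=True)
class Finding:
    ip: str
    mac: str
    reason: str


def parse_arp(text):
    """Yield (ip, mac) pairs from `arp -an` output; MACs are lower-cased."""
    for line in text.splitlines():
        m = ARP_RE.search(line)
        if m:
            yield m.group("ip"), m.group("mac").lower()


def find_rogue_devices(arp_text, inventory=INVENTORY):
    """Return a Finding for every address whose MAC is not in the inventory."""
    findings = []
    for ip, mac in parse_arp(arp_text):
        if mac in inventory:
            continue
        reason = "MAC not in asset inventory"
        if mac.startswith(RPI_OUIS):
            reason += "; OUI registered to Raspberry Pi"
        findings.append(Finding(ip, mac, reason))
    return findings


if __name__ == "__main__":
    for f in find_rogue_devices(SAMPLE_ARP):
        print(f"{f.ip:<14} {f.mac}  {f.reason}")
```

Two caveats a practitioner should keep in mind. An ARP cache only holds neighbours seen recently, so switch MAC tables or DHCP leases give better coverage than a single host's cache. And a device that attaches to a workstation as a USB keyboard or storage device, which is how Bash Bunny presents itself, never gets its own network address; that case needs USB device logging on the endpoint, not a network inventory check.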
In the second stage, the attackers connected remotely to their device and scanned the organization's local network looking for shared folders, web servers, and any other open resources. The aim was to collect information about the network, in particular to locate the servers and workstations involved in payment processing.
At the same time, the attackers tried to brute-force or intercept credentials that could be used to log in to one of those machines. To get around firewall restrictions they used shellcode with local TCP servers. If the firewall blocked access from one network segment to another but allowed a reverse connection, the attackers used a different payload to build a tunnel.
Once these searches bore fruit, the attackers moved to the third stage. They logged on to the targeted system and used remote access software to retain access to it. Next, malicious services created with msfvenom were launched on the compromised machine. To bypass application whitelisting and domain policies, the criminals used fileless techniques and PowerShell.
If whitelisting could not be bypassed and PowerShell was disabled on the targeted machine, the attackers used Impacket, winexesvc.exe and psexec.exe to run executables remotely. The money was then withdrawn, for example via ATMs.
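Every technique in this third stage, whether a service generated with msfvenom, psexec.exe, winexesvc.exe or a PowerShell launcher wrapped in a service, leaves a "service installed" record (Event ID 7045, logged by the Service Control Manager in the Windows System log). The script below is an added example, not code from the Kaspersky report: it runs a few simple checks over constructed 7045 records in the shape a SIEM would export them. The known service names (PSEXESVC, winexesvc) are real defaults of those tools; the path and launcher heuristics are assumptions to tune for your environment.

```python
"""Hunting for service-based remote execution (stage three of DarkVishnya).

Added example (not from the Kaspersky report). Scans Windows System-log
"service installed" records (Event ID 7045) for the tools and techniques
named in the text. The records are constructed; field names follow the
7045 event (ServiceName, ImagePath, AccountName) as a SIEM would export them.
"""
import re

# Default service names left by the remote-execution tools named in the report.
# Note: Sysinternals PsExec lets the operator rename its service (-r).
KNOWN_REMOTE_EXEC_SERVICES = {
    "psexesvc": "Sysinternals PsExec",
    "winexesvc": "winexe",
}

# Heuristics (assumptions, tune to your environment): a service binary in a
# user-writable path, or an ImagePath that is a cmd/powershell launcher with
# an encoded command rather than a real service executable.
WRITABLE_PATH_RE = re.compile(
    r"(\\Users\\|\\ProgramData\\|\\Temp\\|%TEMP%|%APPDATA%)", re.I
)
LAUNCHER_RE = re.compile(r"(%COMSPEC%|cmd\.exe)", re.I)
ENCODED_PS_RE = re.compile(
    r"powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s", re.I
)

# Constructed sample records: one benign install, the two known tool
# services, an msfvenom/Metasploit-style launcher service, a dropped binary
# in a temp directory, and an unrelated 7036 event that must be ignored.
SAMPLE_7045_EVENTS = [
    {"EventID": 7045, "ServiceName": "Sense",
     "ImagePath": r'"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"',
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "winexesvc",
     "ImagePath": r"winexesvc.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "nYfKQwPz",
     "ImagePath": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQ",
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "ServiceName": "UpdaterSvc",
     "ImagePath": r"C:\Windows\Temp\svchost32.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "ServiceName": "Spooler", "ImagePath": "", "AccountName": ""},
]


def classify_service_install(event):
    """Return the reasons this 7045 record deserves a look (empty if none)."""
    if event.get("EventID") != 7045:
        return []
    name = event.get("ServiceName", "")
    path = event.get("ImagePath", "")
    reasons = []
    tool = KNOWN_REMOTE_EXEC_SERVICES.get(name.lower())
    if tool:
        reasons.append(f"service name used by {tool}")
    if WRITABLE_PATH_RE.search(path):
        reasons.append("binary in user-writable path")
    if LAUNCHER_RE.search(path):
        reasons.append("ImagePath is a cmd.exe launcher, not a service binary")
    if ENCODED_PS_RE.search(path):
        reasons.append("encoded PowerShell command")
    return reasons


def hunt(events):
    """Map each suspicious service name to its reasons, preserving log order."""
    return {e["ServiceName"]: r for e in events if (r := classify_service_install(e))}


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_7045_EVENTS).items():
        print(f"{name:<12} {'; '.join(reasons)}")
```

The name-based checks are the weakest part: an operator can rename the PsExec service, and tools that pick a random service name (the fourth record imitates that) are only caught by the launcher and encoded-command patterns. In an environment where service installs are rare, an allowlist of expected service names with an alert on everything else is more robust than any of these heuristics.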