The cybercriminal team "Anunak" has been hitting Russian banks with their Zeus malware. The hackers were able to steal $18 million from Russian banks and United States retailers. Forbes reported that the Anunak hacking team was able to infiltrate the retailer Staples.
Staples reported that 1.16 million payment cards had been stolen by hackers who infiltrated the point-of-sale devices in 115 stores. The malware is claimed to have been active between July 20th and September 16th.
Sheplers, a cowboy apparel seller whose PoS systems were infected between June and September, and Bebe, a women’s clothing retailer whose stores were attacked in November, were also victims of the Anunak gang, according to the source.
The first time Anunak was spotted – read more in the full report
The first successful bank robbery was committed by this group in January 2013. In all of the first cases the attackers used the program RDPdoor for remote access to the bank network and the program "MBR Eraser" to remove traces and to crack Windows computers and servers. Both programs had been used by members of the Carberp criminal group under the guidance of a person named Germes. To reduce the risk of losing access to the internal bank network, the attackers also used legitimate remote access programs such as Ammyy Admin and TeamViewer in addition to their malware. Later the attackers completely abandoned RDPdoor and TeamViewer.
In addition to banking and payment systems, the hackers got access to e-mail servers to monitor all internal communications. This allowed them to learn whether anomalous activity in the bank network had been identified, which technique was used to identify it, and what measures the bank employees took to solve the problem. E-mail monitoring was established regardless of which e-mail system was in use, MS Exchange or Lotus. This let them take countermeasures that gave bank and payment system employees the impression that the problem had been solved.
The main steps of the attack progression are the following:
1. Primary infection of an ordinary employee computer.
2. Obtaining the password of a user with administrative rights on some computers, for example the password of a technical support engineer.
3. Gaining legitimate access to one server.
4. Compromising the domain administrator password from that server.
5. Gaining access to the domain controller and compromising all active domain accounts.
6. Gaining access to e-mail and workflow servers.
7. Gaining access to the workstations of server and banking system administrators.
8. Installing software to monitor the activity of the system operators of interest; usually photo and video recording was used.
9. Configuring remote access to the servers of interest, including firewall configuration changes.
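Two of the signals described above are cheap to watch for on the defender's side: a legitimate remote-access tool (the report names Ammyy Admin and TeamViewer) being started on a server, and a firewall rule change that opens remote access to an internal host. The script below is an added example, not code from the report or from any vendor; the log format, the executable names, the host-to-role inventory and the sample log lines are all constructed for the example.

```python
"""Added example (not from the report): flag remote-access tools on servers and
firewall rule changes in a constructed log stream, then correlate by account."""
import re
from collections import defaultdict

# Process names for the remote-access tools the report mentions.
# The executable names are assumptions for this example, not values from the page.
REMOTE_ACCESS_TOOLS = {"aa_v3.exe": "Ammyy Admin", "teamviewer.exe": "TeamViewer"}

# Assumed inventory: hosts whose role means interactive remote access should be rare.
SERVER_ROLES = {
    "srv-dc01": "domain controller",
    "srv-mail01": "e-mail server",
    "srv-core01": "banking system",
}

# Constructed key=value log format; image and rule may contain spaces, so they run to end of line.
PROC_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=process_start user=(?P<user>\S+) image=(?P<image>.+)$"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=firewall_rule_change user=(?P<user>\S+) rule=(?P<rule>.+)$"
)


def parse(line):
    """Return a dict for a recognised log line, or None for anything else."""
    for kind, rx in (("process", PROC_RE), ("firewall", FW_RE)):
        m = rx.match(line)
        if m:
            event = m.groupdict()
            event["kind"] = kind
            return event
    return None


def analyze(lines):
    """Walk the log once and return a list of alert strings."""
    alerts = []
    tool_hosts = defaultdict(set)  # account -> servers where it started a remote tool
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["kind"] == "process":
            image = ev["image"].rsplit("\\", 1)[-1].lower()  # basename of a Windows path
            tool = REMOTE_ACCESS_TOOLS.get(image)
            if tool and ev["host"] in SERVER_ROLES:
                alerts.append(
                    f"{ev['ts']} {tool} started on {SERVER_ROLES[ev['host']]} "
                    f"{ev['host']} by {ev['user']}"
                )
                tool_hosts[ev["user"]].add(ev["host"])
        else:
            alerts.append(
                f"{ev['ts']} firewall rule changed on {ev['host']} by {ev['user']}: {ev['rule']}"
            )
    # One account bringing a remote-access tool to several servers matches steps 3 to 9 above.
    for user, hosts in tool_hosts.items():
        if len(hosts) >= 2:
            alerts.append(
                f"account {user} used a remote-access tool on {len(hosts)} servers: {sorted(hosts)}"
            )
    return alerts


# Constructed sample log: a workstation running TeamViewer (expected, not alerted),
# a support account bringing Ammyy Admin to the domain controller, a firewall change,
# and the same account starting TeamViewer on the banking system server.
SAMPLE_LOG = [
    r"2014-06-02T03:10:51Z host=ws-042 event=process_start user=clerk_petrova image=C:\Program Files\TeamViewer\TeamViewer.exe",
    r"2014-06-02T03:14:07Z host=srv-dc01 event=process_start user=support_ivanov image=C:\Users\support_ivanov\AppData\Local\Temp\AA_v3.exe",
    "2014-06-02T03:20:33Z host=srv-fw01 event=firewall_rule_change user=support_ivanov rule=allow inbound tcp/3389 from any to srv-core01",
    r"2014-06-02T03:25:12Z host=srv-core01 event=process_start user=support_ivanov image=C:\Program Files\TeamViewer\TeamViewer.exe",
    "2014-06-02T03:26:00Z host=srv-core01 event=logon user=support_ivanov",  # unparsed line, ignored
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The point of the correlation step is that neither tool is malicious on its own: a help-desk account running TeamViewer on one workstation is normal, while the same account starting remote-access software on a domain controller and the core banking server within minutes of a firewall change is the pattern the report describes.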