Corkow malware manipulated currency exchange rates
Bot-Trek Intelligence, part of Russian cybersecurity vendor Group-IB, has published a report titled Analysis of attacks against trading and bank card systems. With so many reports coming from security companies, this one would have gone unnoticed by many were it not for the claim that hackers were able to manipulate the Dollar/Rouble rate for 14 minutes.

The claim has always been denied by the Russian Central Bank, which also refutes the report's claim that “losses to financial institutions were estimated in the millions”. With many Western banks still reeling from the Libor scandal, where fines and court cases are still ongoing, this report shows that exchange rate manipulation is not just an insider risk.

Corkow malware targeted specific trading systems

The malware at the heart of the attack, Corkow, otherwise known as Metel, is a Trojan. Once installed on bank computers it targeted modules from various trading systems, such as QUIK from ARQA Technologies and TRANSAQ from ZAO. Bot-Trek Intelligence also reports that Corkow gave cybercriminals remote access to the ITS-Broker system terminal, enabling the fraud to take place.

The attack has been described as a test run to demonstrate the malware's capabilities, and the report's detailed explanation of what happened supports this. Only six trades were placed and not all of them were concluded. The report claims that, to really commercialise the attack, the attackers would have needed collusion with some of the major brokerage clients, so that there was enough money on hand to profit from the difference in currency movements.

The report provides a timeline for the attack starting as far back as six months before the trading systems were breached. It shows how a vulnerability was exploited and that much of the dormant period was spent using a keylogger to gather information from traders.

Of more interest is that, in a bizarre twist, the report claims the attack on the trading systems netted the hackers almost nothing. Instead, the report's authors claim it was currency traders who took advantage of the instability the malware created and made a lot of money. There is no suggestion that the malware was being demonstrated to the traders, but one wonders whether the Russian banking regulator will take a closer look based on who made money.

Cybercriminals at fault, not a nation state attack

Most large-scale attacks today are blamed on nation states or, at the very least, on groups co-sponsored by nation states. While the report makes it clear that Corkow has targeted banks in Russia and the CIS, there is no suggestion that it is anything other than an attack by Russian-speaking hackers. In fact, the report explicitly states that no secret service involvement has been detected.

Corkow has also been detected in the USA, with Bot-Trek Intelligence saying that it has seen the number of attacks against the USA increase fivefold since 2011. This further strengthens the claim that this is a purely criminal enterprise rather than a state-sponsored one.

Not easy to defeat

There are a couple of issues that will concern security teams. The first is that Corkow is capable of evading current antivirus solutions: the report states that the majority of infected systems had active, up-to-date antivirus software installed. This means that security teams will need to look for other indicators in their threat intelligence tooling in order to detect Corkow.

The second point of concern is that once Corkow is on a machine it may sit there for up to six months before being activated. For a known Trojan to remain on a machine undetected for such a length of time is a major issue.

It is believed that machines were infected through a drive-by attack, in which a user visits a compromised website that then installs the malware on the visiting machine. This is a very common attack vector and one that is ideally suited to exploiting browser and browser plug-in vulnerabilities. In this case the Nitris Exploit Kit, previously known as CottonCastle, was used to deliver the drive-by attack.

The infection route is so effective that Group-IB claims to have detected Corkow on 80% of the corporate systems protected by its Bot-Trek IDS sensors. This is among the highest infection rates seen for any malware on any protected system.

But all is not lost for security admins. Group-IB has provided a list of websites where it has found the Nitris Exploit Kit ready to deliver Corkow. The vast majority of them are in Russia, with just a small number of .org and .net addresses. Perhaps surprisingly, the report also shows infection rates by country since 2011. While Russia is the most affected, the USA, Brazil, China, Poland, Spain, Germany and Italy are among the countries where the malware is active.

Conclusion

This report will interest security teams in many financial institutions, who will want to look at what they can do not only to detect Corkow but to block it from getting onto computers. While the first approach will be to block the list of sites, there is also a need to look at the list of software that is infected on end-user computers.

Rigging interest rates is something that regulators are very alert to. The fact that malware can be released that is able to breach trading systems and create volatility in the market will cause a real headache for compliance teams. The most obvious challenge will be proving that traders were not complicit in the attack. Proving that clients were also unaware and just “got lucky” will be a little harder.
