“Ratopak Malware” attacked on Russian Banks!

Employees of six Russian banks had been targeted by a phishing campaign. Cybercriminals had targeted them by sending a harmful malware Ratopak, which is a spyware. This spyware is capable to take control of infected system. Security researchers at Symantec said that cybercriminals were running this campaign in December 2015.

Cybercriminals were very smart and they were sending emails to the employees of Russian Banks. They were using a domain to send the emails, which was looked like the domain of Central bank of Russia. Attackers were using “cbr.com.ru” domain to send emails and the original domain of bank is “cbr.ru”. Attackers were trying to trick the employees by sending them emails, which had a malicious link. When employees were clicking on this link, a spyware was automatically installing itself into computer system of user.

The security researchers of Symantec noticed many mistakes, which had been done by attackers. They were using a different type of “From to” field to enter the details of sender. The name of the sender in “from to” form and name in the signature were different. These were the mistakes from where researchers came to know that it was a phishing campaign.

How Ratopak was infecting systems of bank Employees?

Researchers said that Ratopak is very harmful Malware. It can work as a keylogger and can collect the key strokes typed by the employees. It can also take screenshots of the computer system. Besides of it, it can exchange the files between infected computer system and C&C server.

Ratopak was a hard coded Malware which was able to hide itself with the extension of “buh”. The meaning of “buh” in Russian language is “accountant”. Employees did not notice it because they think it could an accounting process, running on computer system. Before these Russian banks, many other financial firms were the target of this harmful Malware.

This malware had a quality of termination during code execution, when it recognize any other language expect Russian. Developers of this malware were well skilled and they were using a filter in its source code to do this.

There are a number of cybercriminal groups in Russia and they are experts in hacking banks only to stealing money. Anunak and Carbanak are the two most famous groups of hackers. Both groups had steal more than $1 billion from banks of Russia and many other countries.

It is not clear yet, which group was running this hacking campaign. There could be another new group of hackers behind this.

Source: softpedia