{
	"id": "8906acb2-64b9-499a-8e33-b0e4e1000a66",
	"created_at": "2026-04-06T00:13:13.409429Z",
	"updated_at": "2026-04-10T13:12:57.641126Z",
	"deleted_at": null,
	"sha1_hash": "68c3dbb63486acb457927354e5966a9fddda5ff0",
	"title": "Metel – ATM balance rollbacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38374,
	"plain_text": "Metel – ATM balance rollbacks\r\nBy Kaspersky\r\nPublished: 2017-09-13 · Archived: 2026-04-05 23:44:20 UTC\r\nVIRUS DEFINITION\r\nVirus Type: Advanced Persistent Threat, Trojan, Malware.\r\nWhat is Metel?\r\nMetel is a banking Trojan (also known as Corkow) discovered in 2011 when it was used to attack users of online banking services. In 2015, the Metel gang began to target banks and financial institutions directly.\r\nWhat can it do?\r\nAfter the infection stage, criminals move laterally with the help of legitimate and pentesting tools, stealing passwords from their initial victims (entry point) to gain access to the computers within the organization that have access to money transactions. With this level of access, the gang has been able to pull off a clever trick by automating the rollback of ATM transactions. This means that money can be stolen from ATM machines via debit cards while the balance on the cards remains the same, allowing for multiple transactions at different ATM machines.\r\nWho are the victims of its attacks?\r\nThe victims we observed are limited to banks and financial institutions.\r\nTheir major targets inside these organizations are:\r\nIn banks – the online banking database: criminals can play with the balance on cards.\r\nIn companies – a computer in the accounting department with a Client-Bank system that has access to money transactions. Criminals can replace the banking details of a real transaction or manually process fraudulent transactions.\r\nServers of Payment APIs: there is software that indicates how much money should be transferred to a specific phone number. Criminals can play with this API, making it think that a client is transferring 10,000 rubles (around $120) to a large number of phone numbers.\r\nAm I at risk?\r\nSo far Kaspersky Lab researchers have identified attacks only in Russia. Still, there are grounds to suspect that the infection is much more widespread, and banks around the world are advised to proactively check for infection.\r\nhttps://www.kaspersky.com/resource-center/threats/metel\r\n\r\nHow do I know if I’m infected?\r\nKaspersky Lab products successfully detect and block the malware used by Metel with the following detection names:\r\nTrojan-Dropper.Win32.Metel; Backdoor.Win32.Metel; Trojan-Banker.Win32.Metel\r\nIndicators of Compromise can also be found in a blogpost on Securelist.\r\nHow can I protect myself?\r\nTo raise the level of protection, it is recommended that organizations use System Watcher, which includes the BSS (Behavior Stream Signatures) module. This is included in all modern products and solutions.\r\nTo be on the safe side, make sure you are using advanced anti-malware solutions such as Kaspersky Next EDR Optimum. Also pay attention to your cybersecurity awareness to make sure that you can identify phishing emails in your email box.\r\nOf course, just offering a multitude of powerful endpoint security layers is not enough. Spear-phishing, one of the most popular techniques for initial infection, makes reliable mail security a must. Kaspersky Security for Mail Server scans incoming emails for both malicious attachments and URLs, significantly reducing the chances of malware reaching its victims.\r\nSource: https://www.kaspersky.com/resource-center/threats/metel",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kaspersky.com/resource-center/threats/metel"
	],
	"report_names": [
		"metel"
	],
	"threat_actors": [
		{
			"id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa",
			"created_at": "2022-10-25T16:07:23.494355Z",
			"updated_at": "2026-04-10T02:00:04.629595Z",
			"deleted_at": null,
			"main_name": "Corkow",
			"aliases": [
				"Corkow",
				"Metel"
			],
			"source_name": "ETDA:Corkow",
			"tools": [
				"Corkow",
				"Metel"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434393,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/68c3dbb63486acb457927354e5966a9fddda5ff0.pdf",
		"text": "https://archive.orkl.eu/68c3dbb63486acb457927354e5966a9fddda5ff0.txt",
		"img": "https://archive.orkl.eu/68c3dbb63486acb457927354e5966a9fddda5ff0.jpg"
	}
}