{ "id": "c9439161-5a9d-40f4-b671-1271cc6092fb", "created_at": "2026-04-06T00:07:37.401446Z", "updated_at": "2026-04-10T03:35:16.933887Z", "deleted_at": null, "sha1_hash": "894ee40df27ecc1c7eaa7bd6a2ca715ab62fc643", "title": "Metel Bank Robbers Borrowing from APT Attacks", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 595446, "plain_text": "Metel Bank Robbers Borrowing from APT Attacks\r\nBy Michael Mimoso\r\nPublished: 2016-02-08 · Archived: 2026-04-05 17:40:34 UTC\r\nAt the Security Analyst Summit, Kaspersky Lab researchers unveiled three cybercrime outfits—Metel, GCMAN,\r\nand Carbanak 2.0—targeting Russian banks with APT-style tactics.\r\nTENERIFE, Spain— Many bank robbers long ago dropped the stick-up man persona in favor of a keyboard and a\r\nreliable password-stealing Trojan.\r\nBanking malware, however, may soon not be good enough for the bad guys. More and more are copycatting the\r\ntechniques deployed by advanced hackers to steal millions of dollars from banks and other financial institutions.\r\nToday at the Security Analyst Summit, researchers from Kaspersky Lab Global Research \u0026 Analysis Team\r\nunveiled details on two new criminal operations that have borrowed heavily from targeted nation-state attacks, and\r\nalso shared an update on a resurgent Carbanak gang, which last year, it was reported, had allegedly stolen upwards\r\nof $1 billion from more than 100 financial companies.\r\nThe heaviest hitter among the newly discovered gangs is an ongoing campaign, mostly confined to Russia, known\r\nas Metel. This gang targets machines that have access to money transactions, such as call center and support\r\nmachines, and once they are compromised, the attackers use that access to automate the rollback of ATM\r\ntransactions. As the attackers empty ATM after ATM—Metel was found inside 30 organizations—the balances on\r\nthe stolen accounts remained untouched.\r\nKaspersky Lab said one Russian bank lost millions of rubles in a single night.\r\n“The bank’s clients were withdrawing from ATMs belonging to other banks and were able to cash out huge sums\r\nof money while the balances remained untouched. It was a surprise for the victim bank to hear from other banks\r\nwhen they tried to recoup the money withdrawn from their ATMs.”\r\nKaspersky Lab added that it was not able to share specifics about the banks involved because of an ongoing law\r\nenforcement investigation. Indicators of compromise were released today on Securelist.com.\r\nMetel, the Russian word for blizzard, burrows its way into a financial organization using cleverly crafted spear\r\nphishing emails laced with malware, or luring victims to sites hosting the Niteris exploit kit. The malware steals\r\nsystem information including process lists and screenshots, sending it to the attackers who evaluate whether the\r\ninfected machine is interesting enough load the remainder of the Metel malware package.\r\nThe malware contains more than 30 modules—some homemade, some taken from publicly available sources. The\r\nattackers also use legitimate pen-testing tools such as mimikatz, which is freely available and used by analysts to\r\nextract plaintext passwords, hashes, PIN codes and Kerberos tickets from the memory of Windows machines.\r\nhttps://threatpost.com/spree-of-bank-robberies-show-cybercriminals-borrowing-from-apt-attacks/116173/\r\nPage 1 of 4\n\nUsing this stolen data, the attackers are available to pivot internally, stealing credentials until they landed on a\r\ndomain controller. With the reins of a domain controller, the attackers could extend their reach onto any machine.\r\n“Our investigations revealed that the attackers drove around in cars in several cities in Russia, stealing money\r\nfrom ATMs belonging to different banks,” Kaspersky Lab said in a report published today. “With the automated\r\nrollback the money was instantly returned to the account, when the cash has already been dispensed from the\r\nATM. The group worked exclusive at nights, emptying ATM cassettes at several locations.”\r\nThe second group unveiled today is known as GCMAN, so-called because the malware is based on code compiled\r\non the GCC compiler. It too has adopted some APT-style techniques to pull off stealthy attacks, some without the\r\nuse of malware, just with legitimate pen-testing tools, including VNC, Putty and Meterpreter. These tools were\r\nused to pivot inside the compromised network—initial compromises were carried out via spear-phishing and a\r\nmalicious RAR archive disguised as a Word document—until they had access to computers used to transfer\r\nmoney to e-currency services without alerting other detection systems inside the bank.\r\nResearchers at Kaspersky said that in one attack, the criminals had access to the network for 18 months before\r\nstealing any money. Once they did, they were transferring $200 payments per minute using the CRON scheduler\r\nto execute malicious scripts and move money to a money-mule account. Those transaction orders were sent to an\r\nupstream payment gateway, Kaspersky Lab said, and were never logged by the bank’s internal systems.\r\n“The group used an MS SQL injection in commercial software running on one of bank’s public web services, and\r\nabout a year and a half later, they came back to cash out. During that time they poked 70 internal hosts,\r\nhttps://threatpost.com/spree-of-bank-robberies-show-cybercriminals-borrowing-from-apt-attacks/116173/\r\nPage 2 of 4\n\ncompromised 56 accounts, making their way from 139 attack sources (TOR and compromised home routers),”\r\nKaspersky Lab said in its report today. “We discovered that about two months before the incident, someone was\r\ntrying different passwords for an admin account on a banking server. They were really persistent. They were doing\r\nit only on Saturdays, only three tries per week, all in an effort to stay under the radar.”\r\nAfter Carbanak had been outed a year ago, researchers believed the criminals had closed up shop. But last\r\nSeptember, researchers at CSIS in Denmark spotted new Carbanak samples. Four months later, Kaspersky said it\r\nfound Carbanak samples inside a telecommunications company and a financial organization, confirming the gang\r\nwas still in business.\r\n“One interesting new characteristic of Carbanak 2.0 is a different victim profile,” Kaspersky Lab said in its report.\r\n“The group has moved beyond banks and is now targeting budgeting and accounting departments in any\r\norganization interesting to them with the same APT-style tools and techniques.”\r\nThe criminals behind Carbanak used the access they had to computers inside one organization to change\r\nownership data from the rightful owners to a money mule under their control.\r\nCarbanak, too, covets domain controllers in order to move money and data off networks to money mule accounts.\r\n“The information was modified to display the passport info and name of a money mule as a shareholder of the\r\ncompany, and subsequent attempts were made to prove that the hacking group’s accomplice was co-owner of a\r\nmajor corporate entity,” Kaspersky Lab said in its report.\r\nhttps://threatpost.com/spree-of-bank-robberies-show-cybercriminals-borrowing-from-apt-attacks/116173/\r\nPage 3 of 4\n\nSource: https://threatpost.com/spree-of-bank-robberies-show-cybercriminals-borrowing-from-apt-attacks/116173/\r\nhttps://threatpost.com/spree-of-bank-robberies-show-cybercriminals-borrowing-from-apt-attacks/116173/\r\nPage 4 of 4", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "references": [ "https://threatpost.com/spree-of-bank-robberies-show-cybercriminals-borrowing-from-apt-attacks/116173/" ], "report_names": [ "116173" ], "threat_actors": [ { "id": "c9617bb6-45c8-495e-9759-2177e61a8e91", "created_at": "2022-10-25T15:50:23.405039Z", "updated_at": "2026-04-10T02:00:05.387643Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Carbanak", "Anunak" ], "source_name": "MITRE:Carbanak", "tools": [ "Carbanak", "Mimikatz", "PsExec", "netsh" ], "source_id": "MITRE", "reports": null }, { "id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa", "created_at": "2022-10-25T16:07:23.494355Z", "updated_at": "2026-04-10T02:00:04.629595Z", "deleted_at": null, "main_name": "Corkow", "aliases": [ "Corkow", "Metel" ], "source_name": "ETDA:Corkow", "tools": [ "Corkow", "Metel" ], "source_id": "ETDA", "reports": null }, { "id": "9de1979b-40fc-44dc-855d-193edda4f3b8", "created_at": "2025-08-07T02:03:24.92723Z", "updated_at": "2026-04-10T02:00:03.755516Z", "deleted_at": null, "main_name": "GOLD LOCUST", "aliases": [ "Anunak", "Carbanak", "Carbon Spider ", "FIN7 ", "Silicon " ], "source_name": "Secureworks:GOLD LOCUST", "tools": [ "Carbanak" ], "source_id": "Secureworks", "reports": null }, { "id": "3b185161-668f-4cac-b930-9482f9706848", "created_at": "2022-10-25T16:07:23.670892Z", "updated_at": "2026-04-10T02:00:04.706866Z", "deleted_at": null, "main_name": "GCMAN", "aliases": [ "G0036" ], "source_name": "ETDA:GCMAN", "tools": [ "GCMAN", "Meterpreter", "VNC", "Virtual Network Computing" ], "source_id": "ETDA", "reports": null }, { "id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2", "created_at": "2022-10-25T16:07:24.471018Z", "updated_at": "2026-04-10T02:00:05.002374Z", "deleted_at": null, "main_name": "Cron", "aliases": [], "source_name": "ETDA:Cron", "tools": [ "Catelites", "Catelites Bot", "CronBot", "TinyZBot" ], "source_id": "ETDA", "reports": null }, { "id": "1e408839-27ce-4f52-b7c6-d0a700e54027", "created_at": "2023-01-06T13:46:38.479274Z", "updated_at": "2026-04-10T02:00:02.991414Z", "deleted_at": null, "main_name": "GCMAN", "aliases": [ "G0036" ], "source_name": "MISPGALAXY:GCMAN", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf", "created_at": "2023-01-06T13:46:38.405479Z", "updated_at": "2026-04-10T02:00:02.961112Z", "deleted_at": null, "main_name": "FIN7", "aliases": [ "ATK32", "G0046", "G0008", "Sangria Tempest", "ELBRUS", "GOLD NIAGARA", "Coreid", "Carbanak", "Carbon Spider", "JokerStash", "CARBON SPIDER" ], "source_name": "MISPGALAXY:FIN7", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "ed3810b7-141a-4ed0-8a01-6a972b80458d", "created_at": "2022-10-25T16:07:23.443259Z", "updated_at": "2026-04-10T02:00:04.602946Z", "deleted_at": null, "main_name": "Carbanak", "aliases": [ "Anunak", "Carbanak", "Carbon Spider", "ELBRUS", "G0008", "Gold Waterfall", "Sangria Tempest" ], "source_name": "ETDA:Carbanak", "tools": [ "AVE_MARIA", "Agentemis", "AmmyyRAT", "Antak", "Anunak", "Ave Maria", "AveMariaRAT", "BABYMETAL", "BIRDDOG", "Backdoor Batel", "Batel", "Bateleur", "BlackMatter", "Boostwrite", "Cain \u0026 Abel", "Carbanak", "Cl0p", "Cobalt Strike", "CobaltStrike", "DNSMessenger", "DNSRat", "DNSbot", "DRIFTPIN", "DarkSide", "FOXGRABBER", "FlawedAmmyy", "HALFBAKED", "JS Flash", "KLRD", "MBR Eraser", "Mimikatz", "Nadrac", "Odinaff", "POWERPIPE", "POWERSOURCE", "PsExec", "SQLRAT", "Sekur", "Sekur RAT", "SocksBot", "SoftPerfect Network Scanner", "Spy.Agent.ORM", "TEXTMATE", "TeamViewer", "TiniMet", "TinyMet", "Toshliph", "VB Flash", "WARPRISM", "avemaria", "cobeacon" ], "source_id": "ETDA", "reports": null }, { "id": "f4f16213-7a22-4527-aecb-b964c64c2c46", "created_at": "2024-06-19T02:03:08.090932Z", "updated_at": "2026-04-10T02:00:03.6289Z", "deleted_at": null, "main_name": "GOLD NIAGARA", "aliases": [ "Calcium ", "Carbanak", "Carbon Spider ", "FIN7 ", "Navigator ", "Sangria Tempest ", "TelePort Crew " ], "source_name": "Secureworks:GOLD NIAGARA", "tools": [ "Bateleur", "Carbanak", "Cobalt Strike", "DICELOADER", "DRIFTPIN", "GGLDR", "GRIFFON", "JSSLoader", "Meterpreter", "OFFTRACK", "PILLOWMINT", "POWERTRASH", "SUPERSOFT", "TAKEOUT", "TinyMet" ], "source_id": "Secureworks", "reports": null }, { "id": "fc11deee-6db4-46a9-a3d5-c02bb960cc51", "created_at": "2022-10-25T15:50:23.277991Z", "updated_at": "2026-04-10T02:00:05.400194Z", "deleted_at": null, "main_name": "GCMAN", "aliases": [ "GCMAN" ], "source_name": "MITRE:GCMAN", "tools": null, "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434057, "ts_updated_at": 1775792116, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/894ee40df27ecc1c7eaa7bd6a2ca715ab62fc643.pdf", "text": "https://archive.orkl.eu/894ee40df27ecc1c7eaa7bd6a2ca715ab62fc643.txt", "img": "https://archive.orkl.eu/894ee40df27ecc1c7eaa7bd6a2ca715ab62fc643.jpg" } }