One Friday, around about lunchtime, a Russian bank placed a set of orders totaling more than 500 million USD on an interbank currency trading system. The orders made the ruble-dollar rate swinging between 55 and 66 RUB/USD – a range by order of magnitude bigger than normal. While the bank, Kazan-based Energobank, only suffered marginal financial losses, it is still a notable incident - it was not unwary trader who placed the orders, but malware.
Interestingly, this all took place a year ago. However, details have been published only recently, delayed by investigations by Energobank, the Russian central bank, the Moscow Exchange and also the police. Energobank hired Group-IB, an information security consultancy; ESET; and a few other companies from the information security sector to assist in the investigations.
The Corkow malware
The malware used for the attack at Energobank’s currency trading platform was Corkow, which ESET has kept in sight since its detection in 2011. Security blogger Graham Cluley has written an overview on the trojan, while ESET's Robert Lipovsky has delivered an insightful technical analysis on Corkow.
Although Corkow is not that 'famous', it is still a very capable banking trojan. The reason it is not so well known is that it is used mostly for attacks on corporate banking, and even banks themselves, as opposed to 'retail' banking trojans like Hesperbot.
Just like other advanced banking trojans, Corkow has modular architecture so attackers can use different plug-ins, as per their actual needs. And, most importantly, Corkow has modules for several remote banking systems and trading platforms.
"Another important Corkow’s feature is its ability to evade detection and persist in the infected system unnoticed in its form of a DLL file.," commented Anton Cherepanov, a malware researcher at ESET.
The attack on the trading system
As the investigations have shown, the malware made its way into the bank’s system in September 2014, infecting one of the computers on the trading platform. Later, the criminals harvested credentials they needed and, finally, they were able to launch their own trading software and effectively took over the system from its legitimate operator.
The malicious action consisted of a series of orders to buy and sell US dollars. Despite not being executed in full, the orders resulted in 160 million USD being bought and over 90 million USD sold.
The RUB/USD exchange rate became extremely volatile under such trades that were totally incompatible with previous market developments. The volatility allowed for buying dollars for 59.07 RUB/USD and selling them for 63.35 RUB/USD. Such spread is absurdly high and highly unlikely under standard market conditions. However, the trading volumes were not high enough for the attackers to make a significant profit from these spot operations.
The attack lasted only 14 minutes and "immediately after the attack, the malware received a command to wipe itself form the infected system and remove all traces of its activities,“ explained Mr. Cherepanov.
The outcome
The attack on the Energobank’s trading platform was successful because the cybercriminals were able to take over the trading mechanism and perform trades at their will. But, based on the available information, they did not make money directly from their operations.
"There might be several explanations of how the criminals capitalized on their attack,“ said Mr. Cherepanov.
One possibility, he continued, is that the criminals also took advantage of knowing what the market development was going to be via deals on the futures market. Or maybe there were third parties involved who made a profit out of the market manipulation.
"Or maybe the whole exercise was only a pilot. And now, when the criminals get sure that they really can manipulate the market, we could expect another attacks,“ concluded Mr. Cherepanov.