
Threat Group Cards: A Threat Actor Encyclopedia

Tool: MoneyTaker

Names: MoneyTaker
Category: Malware
Type: Banking trojan
Description: (Group-IB) In an attack on a Russian bank through the AWS CBR, hackers used a tool called MoneyTaker v5.0, which the group has been named after. Each component of this modular program performs a certain action: searches for payment orders and modifies them, replaces original payment details with fraudulent ones, and then erases traces. The success of replacement is due to the fact that at this stage the payment order has not yet been signed, which will occur after payment details are replaced. In addition to hiding the tracks, the concealment module again substitutes the fraudulent payment details in a debit advice after the transaction back with the original ones. This means that the payment order is sent and accepted for execution with the fraudulent payment details, and the responses come as if the payment details were the initial ones. This gives cybercriminals extra time to mule funds before the theft is detected.
Information: https://www.group-ib.com/blog/moneytaker

Last change to this tool card: 19 April 2020


All groups using tool MoneyTaker

Changed   Name         Country   Observed

APT groups

          MoneyTaker   Russia    2016

1 group listed (1 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
