A talk at hillhacks 2016 on the recent Bangladesh Bank heist.
Billion Dollar Hacking
I do payment security at @Razorpay
$101 M stolen
$850 M blocked by the Fed before it left
Almost a billion dollars :)
From Bangladesh Bank
Federal Reserve Bank of NY
Sri Lanka, Philippines Bank (RCBC)
The malware enumerates all processes, and if a process has the module liboradb.dll loaded in it, it patches 2 bytes in its memory at a specific offset.
The patch replaces the 2 bytes 0x75 0x04 with the bytes 0x90 0x90.
(On x86, 0x75 0x04 is a short "jne +4"; two 0x90 NOPs turn that conditional jump into a fall-through, so the check the jump guarded can no longer divert execution.)
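The patch above, as an added example that is not code from the talk or from the malware analysis it quotes: a module-integrity check that diffs the code bytes read from a process against the module's on-disk copy, names the patch when a short conditional jump has been NOPed out, and runs the fragment on a tiny interpreter to show why "75 04" becoming "90 90" matters. Enumerating processes and reading another process's memory (ReadProcessMemory on Windows) are OS specific and are not shown; DISK_IMAGE and MEMORY_IMAGE are constructed stand-ins for a code fragment on disk and the same fragment read back from a running process, and the fragment's semantics (EAX holding an error code) are an assumption for the demonstration.

```python
"""Added example: detect a two-byte in-memory patch of a loaded module by
diffing process memory against the on-disk copy, decode the original bytes,
and simulate the fragment to show the effect of NOPing a conditional jump.
DISK_IMAGE / MEMORY_IMAGE are CONSTRUCTED; no real module is read."""

# Constructed fragment. EAX holds an error code from a validity check (0 = OK):
#   0: 85 C0     test eax, eax
#   2: 75 04     jne  +4        ; error -> skip the 4-byte success path
#   4: B0 01     mov  al, 1     ; success path: return 1
#   6: C3        ret
#   7: CC        int3           ; padding
#   8: 30 C0     xor  al, al    ; failure path: return 0
#  10: C3        ret
DISK_IMAGE = bytes.fromhex("85C0 7504 B001 C3 CC 30C0 C3")
# The same bytes after the patch the talk describes: 75 04 -> 90 90.
MEMORY_IMAGE = bytes.fromhex("85C0 9090 B001 C3 CC 30C0 C3")

NOP = 0x90
# Short conditional jumps (Jcc rel8) that a NOP-out patch typically targets.
JCC_REL8 = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


def diff_image(disk: bytes, mem: bytes) -> list:
    """Return [(offset, original_bytes, patched_bytes)] for each run of differing bytes."""
    if len(disk) != len(mem):
        raise ValueError("compare equal-sized regions (same section, same base)")
    patches, i = [], 0
    while i < len(disk):
        if disk[i] == mem[i]:
            i += 1
            continue
        j = i
        while j < len(disk) and disk[j] != mem[j]:
            j += 1
        patches.append((i, disk[i:j], mem[i:j]))
        i = j
    return patches


def classify_patch(orig: bytes, new: bytes) -> str:
    """Name the patch when it is a short conditional jump replaced by NOPs."""
    if len(orig) == 2 and orig[0] in JCC_REL8 and all(b == NOP for b in new):
        return f"{JCC_REL8[orig[0]]} +{orig[1]} -> nop nop (conditional branch removed)"
    return "unrecognised patch"


def run(code: bytes, eax: int) -> int:
    """Execute the fragment on a minimal interpreter that knows only the opcodes
    used above; returns AL at the first RET."""
    ip, zf = 0, False
    while True:
        op = code[ip]
        if code[ip:ip + 2] == b"\x85\xc0":          # test eax, eax
            zf, ip = (eax == 0), ip + 2
        elif op == 0x75:                            # jne rel8
            rel, ip = code[ip + 1], ip + 2
            if not zf:
                ip += rel
        elif op == NOP:                             # nop
            ip += 1
        elif op == 0xB0:                            # mov al, imm8
            eax, ip = (eax & ~0xFF) | code[ip + 1], ip + 2
        elif code[ip:ip + 2] == b"\x30\xc0":        # xor al, al
            eax, ip = eax & ~0xFF, ip + 2
        elif op == 0xC3:                            # ret
            return eax & 0xFF
        else:
            raise ValueError(f"unsupported opcode {op:#04x} at offset {ip}")


def scan(disk: bytes, mem: bytes) -> list:
    """Diff plus classification, the form a module-integrity check would report."""
    return [(off, orig.hex(), new.hex(), classify_patch(orig, new))
            for off, orig, new in diff_image(disk, mem)]


if __name__ == "__main__":
    for finding in scan(DISK_IMAGE, MEMORY_IMAGE):
        print(finding)
    print("check failed, on-disk code returns", run(DISK_IMAGE, eax=5))
    print("check failed, patched code returns", run(MEMORY_IMAGE, eax=5))
```

With the error code set (eax=5) the on-disk fragment returns 0 and the patched one returns 1: the validity check still runs, but its outcome no longer changes the control flow. In a real deployment the on-disk bytes come from the module file and the memory bytes from the process, mapped to the same section and base address, and the diff is the signal.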
liboradb.dll is part of SWIFT's Alliance software suite (which runs on an Oracle database) and is responsible for:
• Reading the Alliance database path from the registry;
• Starting the database;
• Performing database backup & restore functions.
1. Find relevant SWIFT transfers
2. Manipulate them
SELECT MESG_S_UMID FROM SAAOWNER.MESG_%s WHERE MESG_SENDER_SWIFT_ADDRESS LIKE '%%%s%%' AND MESG_TRN_REF LIKE '%%%s%%';
(These are printf-style templates: each %s is filled in by the malware at run time and %% is a literal %, so the LIKE patterns become '%<sender>%' and '%<reference>%'.)
The MESG_S_UMID is then passed to DELETE statements, deleting the transaction from the local
DELETE FROM SAAOWNER.MESG_%s WHERE MESG_S_UMID = '%s';
DELETE FROM SAAOWNER.TEXT_%s WHERE TEXT_S_UMID = '%s';
sudo make me a millionaire
UPDATE SAAOWNER.MESG_%s SET MESG_FIN_CCY_AMOUNT = '%s' WHERE MESG_S_UMID = '%s';
UPDATE SAAOWNER.TEXT_%s SET TEXT_DATA_BLOCK = UTL_RAW.CAST_TO_VARCHAR2('%s') WHERE TEXT_S_UMID = '%s';
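The find / delete / update sequence above, as an added example that is not code from the talk or from the malware it describes: a sqlite3 model of the two tables, the attacker's steps built by filling the talk's own statement templates the way sprintf would, and the kind of reconciliation the SWIFT update quoted at the end of the talk asks for ("spot inconsistencies in their local database records"). Assumptions: the table suffix is 'S' (the %s in MESG_%s / TEXT_%s), the SAAOWNER. schema prefix is dropped because sqlite has no schemas, Oracle's UTL_RAW.CAST_TO_VARCHAR2 is replaced by plain text storage, the transfer records and BICs are constructed, and the send-time ledger kept by record_ledger() is an assumed control (a hash of each instruction captured when it is sent and stored outside the Alliance database).

```python
"""Added example: model the malware's SQL against a sqlite3 stand-in for the
Alliance tables and reconcile the live tables against a send-time ledger.
Table suffix, schema prefix handling and all records are ASSUMED/CONSTRUCTED."""
import hashlib
import sqlite3

SUFFIX = "S"  # assumed value of the %s table suffix

# The talk's statement templates minus the SAAOWNER. prefix; UTL_RAW.CAST_TO_VARCHAR2
# is Oracle-only and is replaced by a plain string. They are printf-style:
# %s is filled by the malware, %% is a literal %.
FIND = ("SELECT MESG_S_UMID FROM MESG_%s WHERE MESG_SENDER_SWIFT_ADDRESS LIKE '%%%s%%' "
        "AND MESG_TRN_REF LIKE '%%%s%%';")
DEL_MESG = "DELETE FROM MESG_%s WHERE MESG_S_UMID = '%s';"
DEL_TEXT = "DELETE FROM TEXT_%s WHERE TEXT_S_UMID = '%s';"
UPD_MESG = "UPDATE MESG_%s SET MESG_FIN_CCY_AMOUNT = '%s' WHERE MESG_S_UMID = '%s';"
UPD_TEXT = "UPDATE TEXT_%s SET TEXT_DATA_BLOCK = '%s' WHERE TEXT_S_UMID = '%s';"

# Constructed transfers: (umid, sender BIC, transaction reference, amount, message text).
SAMPLE = [
    ("UMID0001", "EXMPBDDHXXX", "FT16040001", "2500000,00", ":20:FT16040001 :32A:160204USD2500000,00"),
    ("UMID0002", "EXMPBDDHXXX", "FT16040002", "7300000,00", ":20:FT16040002 :32A:160204USD7300000,00"),
    ("UMID0003", "EXMPBDDHXXX", "PAY0000123", "40000,00",   ":20:PAY0000123 :32A:160204USD40000,00"),
]


def setup() -> sqlite3.Connection:
    """In-memory stand-in for the two Alliance tables, using the column names from the talk."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE MESG_{SUFFIX} (MESG_S_UMID TEXT PRIMARY KEY, MESG_SENDER_SWIFT_ADDRESS TEXT,
                                    MESG_TRN_REF TEXT, MESG_FIN_CCY_AMOUNT TEXT);
        CREATE TABLE TEXT_{SUFFIX} (TEXT_S_UMID TEXT PRIMARY KEY, TEXT_DATA_BLOCK TEXT);
    """)
    for umid, sender, trn, amount, block in SAMPLE:
        conn.execute(f"INSERT INTO MESG_{SUFFIX} VALUES (?,?,?,?)", (umid, sender, trn, amount))
        conn.execute(f"INSERT INTO TEXT_{SUFFIX} VALUES (?,?)", (umid, block))
    return conn


def fingerprint(sender: str, trn: str, amount: str, block: str) -> str:
    return hashlib.sha256("\x1f".join([sender, trn, amount, block]).encode()).hexdigest()


def record_ledger(conn: sqlite3.Connection) -> dict:
    """Assumed control: hash of every instruction, captured at send time and kept
    outside the Alliance database so the malware's SQL cannot reach it."""
    rows = conn.execute(f"""SELECT m.MESG_S_UMID, m.MESG_SENDER_SWIFT_ADDRESS, m.MESG_TRN_REF,
                                   m.MESG_FIN_CCY_AMOUNT, t.TEXT_DATA_BLOCK
                            FROM MESG_{SUFFIX} m JOIN TEXT_{SUFFIX} t ON t.TEXT_S_UMID = m.MESG_S_UMID""")
    return {umid: fingerprint(*rest) for umid, *rest in rows}


# --- the malware's side: templates filled by string interpolation, as sprintf would ---
def find_transfers(conn, sender_fragment: str, trn_fragment: str) -> list:
    return sorted(r[0] for r in conn.execute(FIND % (SUFFIX, sender_fragment, trn_fragment)))


def delete_transfer(conn, umid: str) -> None:
    conn.execute(DEL_MESG % (SUFFIX, umid))
    conn.execute(DEL_TEXT % (SUFFIX, umid))


def alter_amount(conn, umid: str, new_amount: str, new_block: str) -> None:
    conn.execute(UPD_MESG % (SUFFIX, new_amount, umid))
    conn.execute(UPD_TEXT % (SUFFIX, new_block, umid))


# --- the defender's side ---
def reconcile(conn, ledger: dict) -> list:
    """Compare the live tables with the send-time ledger; returns sorted [(kind, umid)]."""
    live = record_ledger(conn)
    findings = [("missing", u) for u in ledger if u not in live]
    findings += [("tampered", u) for u in ledger if u in live and live[u] != ledger[u]]
    findings += [("unexpected", u) for u in live if u not in ledger]
    return sorted(findings)


def demo() -> tuple:
    conn = setup()
    ledger = record_ledger(conn)                      # taken when the instructions went out
    hits = find_transfers(conn, "EXMPBDDH", "FT16")   # malware-style search for the targets
    delete_transfer(conn, hits[0])                    # hide one transfer locally
    alter_amount(conn, hits[1], "1000,00", ":20:FT16040002 :32A:160204USD1000,00")  # change another
    return hits, reconcile(conn, ledger)


if __name__ == "__main__":
    print(demo())
```

The search matches only the two records whose reference contains "FT16"; after the delete and the update, reconciliation reports one missing and one tampered UMID. The point of the ledger is that it is written at send time to a host the Alliance database account cannot touch, so deleting or rewriting the local MESG/TEXT rows leaves a detectable gap rather than a clean record.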
The malware intercepts the confirmation SWIFT messages and then sends for
printing the 'doctored' (manipulated) copies of such messages in order to cover
up the fraudulent transactions.
To achieve that, the SWIFT messages the malware locates are read, parsed, and
converted into PRT files that describe the text in Printer Command Language (PCL).
1. $850 Million was blocked because the Fed noticed the fraudulent
2. SWIFT is calling for an update to the Bank network security
a. We have made a mandatory software update available to customers to help them enhance
their security and to spot inconsistencies in their local database records.
3. Other banks have been targeted with the same technique (malware tampering with local SWIFT Alliance records) as well
4. The Treasurer of RCBC has resigned, and the manager of one of its branches
is facing criminal charges after she withdrew $427,000 from an account
linked to the theft.
5. Bangladesh Bank chief governor Atiur Rahman resigned from his post