New DarkVishnya Attack Targets European Banks

LIFARS Cyber Resilience and Response Subscription Program

Cybercriminals are using physical devices to access corporate networks by walking into these organizations and attaching the devices to computers. Similar, to using keyloggers, this attack dubbed ‘DarkVishnya’ uses devices, other than USB drives to connect to systems; remotely gaining information on networks.

Eight European banks have become victim to these attacks since 2017. The cyber bank robbers attached unknown devices to the computer systems causing tens of millions of dollars in damages. Although, just banks have been found victim, large organizations are possible next targets.

Researchers at Kaspersky Labs, looked into the cyber bank robberies and found connections. Each attack that occurred, involved an unknown, directly connected device to the local network, a central office, regional office, or a location outside the country.

There were one of three devices being connected:

  • A cheap laptop or netbook
  • Raspberry Pi
  • Bash Bunny, a USB-type device that delivers malicious payloads

For the attack to begin, like real bank robbers these criminals need to gain access inside the bank. ossibly Using simple social engineering skills and disguises, criminals could have easily gotten in representing themselves as clients, representatives, postmen, or job seekers. Attaching the devices and blending them in the environment is not too difficult. Devices can easily be hidden in an area with many computers and wires. Further, offices usually have Ethernet ports all over offices, therefore, something being connected to a port would not raise suspicion.

Sergey Golovanov, a researcher at Kaspersky, stated:

“Judging from the fact that a physical device was, in each case, brought inside the building and connected to the bank equipment, we can suggest that it was one of the visitors to each financial institution”

Once the devices were successfully connected, criminals could carry out their attack by scanning the local network for all activities. Potentially, gaining access to web servers, public shared folders, or login credentials. The attackers also tried to brute-force and sniff login information. Shellcodes were planted with local TCP servers to get past firewall restrictions and if a firewall was blocked, the attackers would use a different payload to create tunnels.

Once access to the target system was gained, the cybercriminals would use remote access software, so their access would not be revoked. Further, using msfvenom malicious services were created on the computers. To avoid triggering the defensive systems, the attackers used fileless attacks and Powershell scripts to run commands on the systems.


If you believe your organizations has been a victim to a similar attack, contact LIFARS immediately for assistance.