By constantly changing their tools and tactics to bypass antivirus and traditional security solutions and, most importantly, carefully eliminating their traces after completing their operations, the group has largely gone unnoticed. MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise.
In 2017, the number of attacks remained the same, with 8 US banks, 1 law firm and 1 bank in Russia being targeted.
The latter one was used to deliver a Point-of-Sale (POS) malware dubbed ScanPOS. To conduct targeted attacks, MoneyTaker uses a distributed infrastructure that is difficult to track.
A unique feature of the infrastructure is a persistence server, which delivers payloads only to victims whose IP address is on MoneyTaker's whitelist.
In addition to hiding the tracks, the concealment module also works in the other direction: after the transaction, it substitutes the original payment details back into the debit advice in place of the fraudulent ones.
This means that the payment order is sent and accepted for execution with the fraudulent payment details, and the responses come as if the payment details were the initial ones.
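As an added illustration (not code from the report or from the group), the following Python models the substitution just described with constructed payment records and shows why a reconciliation that relies only on the debit advice delivered to the compromised host misses it, while comparison against a statement obtained out of band does not. The `Payment` type, the `reconcile` function and the account identifiers are assumptions.

```python
"""Reconciliation check for the debit-advice substitution described above.
All records are constructed sample data, not real transactions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    ref: str           # payment order reference
    amount: int        # amount in minor units
    beneficiary: str   # beneficiary account identifier (constructed)


# What the operator intended to send (as recorded in the local payment system)
ORIGINAL = Payment("P-1001", 250_000, "ACC-LEGIT-001")
# What actually reached the bank after the order was altered in transit
FRAUDULENT = Payment("P-1001", 250_000, "ACC-MULE-777")


def concealed_debit_advice(executed: Payment, original: Payment) -> Payment:
    """Model of the concealment step: the advice returned to the victim host is
    rewritten so that it shows the original beneficiary, not the executed one."""
    return Payment(executed.ref, executed.amount, original.beneficiary)


def reconcile(local_orders, debit_advices, bank_statement):
    """Compare three views of each payment and return (ref, reason) findings.
    The bank statement is the authoritative view when fetched out of band."""
    findings = []
    advices = {a.ref: a for a in debit_advices}
    statement = {s.ref: s for s in bank_statement}
    for order in local_orders:
        advice = advices.get(order.ref)
        stmt = statement.get(order.ref)
        if stmt is None:
            findings.append((order.ref, "missing from bank statement"))
            continue
        if advice is not None and advice.beneficiary != stmt.beneficiary:
            findings.append((order.ref, "advice disagrees with bank statement"))
        elif stmt.beneficiary != order.beneficiary:
            findings.append((order.ref, "bank statement disagrees with local order"))
    return findings


def demo():
    advice = concealed_debit_advice(FRAUDULENT, ORIGINAL)
    # Host-only view: the doctored advice matches the local order, nothing is flagged.
    host_only = reconcile([ORIGINAL], [advice], [advice])
    # Out-of-band statement reflects the executed (fraudulent) beneficiary.
    with_oob = reconcile([ORIGINAL], [advice], [FRAUDULENT])
    return host_only, with_oob
```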