Corcow Trojan manipulates currency rates

A Russian-language banking Trojan has been found manipulating the ruble-dollar exchange rate

Corcow deflated the ruble by 15 percent in a short space of time
Corcow deflated the ruble by 15 percent in a short space of time

A Trojan has been found manipulating the ruble-dollar exchange rate.  Hackers apparently used malware on Russian bank, Energobank, in 2015 to to place nearly £350 million worth of orders at non-market prices and manipulate the ruble-dollar rate by 15 percent in mere minutes.

That swing meant that the exchange rate went from 55 to 66 rubles per dollar in international currency markets and meant losses of over £2 million for Energobank. News outlet, The Hill, reports that 250 banks used the system, resulting in “hundreds of millions of stolen rubles”.

The incident sparked an investigation by Russia's central bank which suspected currency manipulation but found nothing and concluded that the swing could have been caused by traders making mistakes. 

The hackers, who international cyber-security company Group-IB identified as Russian-speaking, used the Corcow Trojan to carry out the currency manipulation.

Corcow has been around for a while, apparently claiming 250,000 computers and infecting 100 financial bodies since its first appearance in 2011.

The Trojan offers a lot of what other banking Trojans offer: keylogging, web injection and so on. 

It's described as a flexible piece of malware, with the ability to load various modules that change its function. What's important about this particular Trojan, though, is it can hide from antivirus software and remain undetected on compromised systems for extended periods of time.

Energobank closed in February 2015, the same month it was attacked, declared insolvent by the Ukrainian government. 

The National Bank of Ukraine issued a statement saying: “Given ENERGOBANK PJSC's involvement in risky activities in January, as evidenced by deteriorating performance indicators and numerous complaints from bank clients, the bank was declared insolvent.” Because of Ukrainian banking secrecy laws, the bank couldn't tell SCMagazineUK.com whether the closure of Energobank was a result of cyber attacks.

There were similar stirrings in the financial world last year when a group of talented hackers ran a 'pump and dump' scam and stole the personal details of 100 million customers of the banking giant JP Morgan.

SC spoke to Robert Pritchard, an associate fellow at the Royal United Services Institute and an incident response specialist with a great deal of experience in cyber-security in finance. 

We might be seeing hackers trying to get into finance, said Pritchard, adding: "What's difficult is how you would make money out of that.” 

Unless you were “trying to undermine trust in the system”, said Pritchard, ”I think you have to have some follow up activity. What would you get it to do to make money?"