Return of The Carbanak


Return of The Carbanak

Mar 13, 2016

Almost half a year after its last sighting, the APT (Advanced Persistent Threat) group responsible for stealing more than 1 Billion dollars from dozens of financial institutions, returns in a new more evolved form. Carbanak 2.0 is now utilizing multiple methods to achieve persistence in financial institutions; targeted spearphishing emails with malicious attachments, exploit kits, and actively attacking vulnerabilities in the targets infrastructure. Once inside the network, lateral movement by Carbanak is achieved by using legitimate penetration testing tools and eventually hijacking the local domain controller and locating then gaining control over computers used by the banks employees responsible for payment card processing. The attack lifecycle below illustrates the TTPs (Tactics, Techniques, and Procedures) of Carbanak, courtesy of Kaspersky Lab.

One particular instance of the APT groups activity involved the group planting a cron script into a banks server. The script then sent financial transactions at the rate of $200 per minute using a time specified scheduler to post nefarious transactions directly to the upstream payment processing system. This enabled the APT group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank. What was particularly of concern about the Carbanak attacks waged against banks was that the malware wasn’t discovered until after financial institutions noticed the money was gone.

To better defend yourselves from these attacks remember to stay vigilant and report all suspicious activity to your IT helpdesk or Security Operations Center. Please refer to US-CERTs “Avoiding Social Engineering and Phishing Attacks article:

Also you may reference Kasperskys recommendations on keeping yourself protected:

IOCs (Indicators Of Compromise) are available at the links listed below. Refer to <Content type= sections in the .ioc files for your domains, MD5 hashes, IPs, and URLs to block.

– Steven R.

Advanced Threat Cyber Security Analyst

The latest with QOS Networks

View All