Carbanak APT still targeting high-value financial institutions and casinos

The Anunak / Carbanak hacking group continues to target banks, but is now also hitting Forex-trading companies, casinos, and other institutions from which it can steal large sums of money or payment card data that can be misused.

The group, whose techniques and goals were first revealed by Group-IB and Fox-IT in late 2014, and then by Kaspersky Lab researchers in February 2015, is a rare breed: an APT group that is unlikely to be state-sponsored, and one that is intent on stealing money rather than conducting politically motivated cyber espionage.

The Carbanak hackers’ main victims are not bank account holders but the financial institutions themselves. The group usually spear-phishes an employee of the targeted institution; if the employee installs the malware sent to them, the group compromises that endpoint and uses it as a foothold from which it tries to gain access to the rest of the bank’s network.

When they succeed, they use this access to transfer money from arbitrary accounts to accounts they control, or to make ATMs dispense cash to an associate of theirs at a predetermined time.

Security researchers have been keeping an eye on the gang’s activities, which continue unabated.

According to ESET researchers, the gang has been targeting financial institutions such as electronic payment services, banks and Forex-trading companies, as well as other companies, in Russia, Ukraine, the United Arab Emirates, the US, Germany and several other countries. They have even targeted a casino hotel in Las Vegas, aiming to gain access to the hotel’s PoS servers used for payment processing.

Their modus operandi remains the same: they send fake emails to the victim organizations’ employees, hoping the recipients will download the attached file and run it.

The attachment looks like a PDF, DOC or RTF document, but it usually contains malware that opens a backdoor on the targeted system, maps it, and can download additional malware onto it.

These payloads carry exploits for widely used vulnerabilities; once an exploit fires, the malware is dropped on the system. To hide the malware’s true nature, the group often digitally signs it with stolen code-signing certificates.
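The attachments described above succeed because the lure file only looks like a document. A mail gateway or triage pipeline can catch much of this before a user ever double-clicks, by comparing the claimed extension with the file’s actual magic bytes, flagging double extensions that hide an executable, and flagging RTF files that embed OLE objects (the usual carrier for RTF-borne exploits). The following is an added example written for this article, not code from ESET or from any of the cited reports; the magic-byte table, the heuristics and the sample attachments are all constructed assumptions for illustration.

```python
"""Triage heuristics for mail attachments that masquerade as documents.

Added example (not from the original article or any vendor report).
The sample attachments at the bottom are constructed for illustration.
"""
import re

# Magic bytes for the document types the lures imitate, plus a PE executable.
# Assumption: these are the only container types we care about for triage.
MAGIC = {
    b"%PDF-": "pdf",
    b"{\\rtf": "rtf",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc",  # OLE2 compound file (legacy .doc)
    b"PK\x03\x04": "docx",                       # OOXML is a ZIP container
    b"MZ": "exe",                                # DOS/PE executable header
}

# Which content type a given extension is expected to carry.
EXPECTED = {"pdf": "pdf", "rtf": "rtf", "doc": "doc", "docx": "docx"}

# Extensions Windows will execute directly; a "report.pdf.exe" is a classic lure.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "cpl"}


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading magic bytes."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""

    # 1. Double extension: a document-looking name that actually ends in an executable ext.
    if len(parts) > 2 and parts[-2] in EXPECTED and ext in EXECUTABLE_EXTS:
        findings.append("double extension disguising an executable")

    # 2. Extension vs. content mismatch: ".doc" that is really a PE file, etc.
    kind = sniff(data)
    if ext in EXPECTED and kind != EXPECTED[ext]:
        findings.append(f"claims .{ext} but content is {kind}")

    # 3. Any PE executable arriving as a mail attachment is worth a look regardless of name.
    if kind == "exe":
        findings.append("PE executable")

    # 4. RTF with an embedded OLE object: the usual vehicle for RTF-borne exploits.
    #    Heuristic only; benign RTFs can embed objects too, so treat as "inspect", not "block".
    if kind == "rtf" and re.search(rb"\\objdata|\\objupdate", data):
        findings.append("RTF embeds OLE object (\\objdata)")

    return findings


if __name__ == "__main__":
    # Constructed sample attachments (not real malware); just enough bytes to trigger each rule.
    samples = [
        ("statement.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),
        ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("contract.doc", b"MZ\x90\x00\x03\x00\x00\x00"),
        ("memo.rtf", b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 01050000}}}"),
    ]
    for name, blob in samples:
        print(f"{name:18} -> {triage(name, blob) or ['clean']}")
```

The checks are deliberately cheap and deterministic so they can run on every inbound attachment; a positive hit should route the file to sandbox detonation rather than be treated as a verdict. Verifying the Authenticode signer of any dropped PE against an allowlist (to catch the stolen-certificate trick mentioned above) belongs in the same pipeline but needs a PE parser, so it is left out here.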

“The gang doesn’t use just one malware family to carry out its operations but several. While the code in the different families – Carbanak (Win32/Spy.Sekur), Win32/Spy.Agent.ORM, and Win32/Wemosis – is different, it does contain similar traits, including the same digital certificate,” ESET researchers noted.

“Furthermore, the attackers are updating their arsenal with the latest exploits, such as the Microsoft Office remote code execution vulnerability, CVE-2015-1770, or the zero-day exploit leaked in the Hacking Team dumps, CVE-2015-2426.”

As the gang’s attacks continue, financial institutions around the world would do well to educate themselves about this particular threat.