Carbanak cyber-thieves’ newest attacks exposed

The infamous Carbanak group is again doing what it does best: attacking and compromising financial institutions, then stealing as much money as it can by abusing the victims' payment processing networks, ATM networks and transaction systems.

Carbanak became a well-known name in February 2015, when Kaspersky Lab researchers shared what they knew about this gang, which has been operating since late 2013 and has stolen hundreds of millions of dollars – perhaps even a billion – from financial institutions around the world.

Apparently, the gang includes Russian, Chinese and European individuals, and it does not pick its targets by nationality: in the past it has gone after financial institutions in Russia, CIS countries, Japan, the US, Latin America and Europe.

Their modus operandi is so successful that it has been copied by two other cybercrime groups. The group itself shows no inclination to change it, as the same attack methods continue to work year after year.

It all starts with spoofed emails sent to a target organization’s employees (here is just one example):

[Image: Carbanak malicious email]

If the recipient falls for the ruse and opens the attached document or follows the offered URL, the machine is infected with a downloader, which then fetches either a variant of the Carbanak malware (also detected as Win32/Spy.Sekur) or an off-the-shelf RAT such as jRAT or DarkComet.

The Carbanak malware variants are usually signed with a stolen or fraudulently obtained code-signing certificate, so a valid signature on a binary is not by itself evidence that it is trustworthy.
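The lure described above (a forged sender, a document attachment or a link to follow) is exactly what a mail gateway or an analyst can triage on receipt. The script below is an added example, not code from the article or from Proofpoint or Kaspersky: it uses only the Python standard library to flag an envelope/From domain mismatch, SPF/DKIM/DMARC failures, macro-capable attachments (by extension and by the OLE magic bytes of legacy Office files), and links whose visible text shows one host while the href points to another. The sample message, its domains and the 203.0.113.10 address are constructed placeholders.

```python
"""Triage a raw RFC 822 message for phishing-lure traits.

Added example (not from the article). The sample message below is
constructed; bank-example.com, victim-example.com, mailer-example.net
and 203.0.113.10 are placeholders, not real indicators.
"""
import os
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample lure: forged From, failing SPF/DMARC, a legacy .doc
# attachment and a link whose text does not match its destination.
SAMPLE_EMAIL = b"""Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-example.net; dkim=none; dmarc=fail header.from=bank-example.com
From: "Payments Desk" <payments@bank-example.com>
To: cfo@victim-example.com
Subject: Urgent: updated wire instructions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>Please review the attached file or open
<a href="http://203.0.113.10/docs/wire.doc">https://bank-example.com/docs</a>.</body></html>

--XYZ
Content-Type: application/msword; name="wire_instructions.doc"
Content-Disposition: attachment; filename="wire_instructions.doc"
Content-Transfer-Encoding: base64

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAA
--XYZ--
"""

# Extensions that can carry macros or execute directly (assumed policy list).
RISKY_EXTENSIONS = {".doc", ".docm", ".xls", ".xlsm", ".rtf", ".exe",
                    ".scr", ".js", ".vbs", ".jar"}
# Magic bytes of an OLE compound document (legacy .doc/.xls, VBA-capable).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
ANCHOR_RE = re.compile(r"<a\s[^>]*href=[\"']([^\"']+)[\"'][^>]*>(.*?)</a>",
                       re.I | re.S)


def domain_of(header_value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def auth_failures(results_header):
    """spf/dkim/dmarc verdicts from Authentication-Results that are not 'pass'."""
    found = []
    for mech, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                                    results_header or "", re.I):
        if verdict.lower() != "pass":
            found.append(f"{mech.lower()}={verdict.lower()}")
    return found


def triage(raw):
    """Return a dict with extracted facts and a list of human-readable findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom = domain_of(msg["From"])
    env_dom = domain_of(msg["Return-Path"])
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender domain {env_dom} != From domain {from_dom}")
    for failure in auth_failures(msg["Authentication-Results"]):
        findings.append(f"authentication {failure}")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        attachments.append(name)
        if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky attachment {name}")
        data = part.get_payload(decode=True) or b""
        if data.startswith(OLE_MAGIC):
            findings.append(f"attachment {name} is an OLE compound document (can carry VBA macros)")

    urls = []
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        text = body.get_content()
        urls = URL_RE.findall(text)
        for href, anchor_text in ANCHOR_RE.findall(text):
            shown = URL_RE.search(anchor_text)
            if shown:
                shown_host = urlparse(shown.group()).hostname
                real_host = urlparse(href).hostname
                if shown_host != real_host:
                    findings.append(f"link text shows {shown_host} but href goes to {real_host}")

    return {"from_domain": from_dom, "envelope_domain": env_dom,
            "attachments": attachments, "urls": urls, "findings": findings,
            "verdict": "suspicious" if findings else "clean"}


if __name__ == "__main__":
    result = triage(SAMPLE_EMAIL)
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

None of these checks is conclusive on its own (legitimate bulk mailers also produce envelope/From mismatches), which is why the function returns the individual findings rather than a single score; a gateway rule would combine them with attachment detonation and URL reputation.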

In the latest campaigns mounted by the group, the targeted organizations are located in the Middle East (the UAE, Lebanon, Kuwait, Yemen and others).

“On March 1st 2016, Proofpoint detected a targeted email sent to hand-picked individuals working for banks, financial organizations, and several professional service companies and companies selling enterprise software. These targets are high-level executives and decision makers such as directors, senior managers, regional/country managers, operations managers,” the company’s researchers explained in a whitepaper.

A few days later, another campaign targeted individuals working for financial organizations and mass media, as well as seemingly unrelated companies in the fire, safety, air conditioning and heating sectors. Most of these organizations are based in Europe and the US. The researchers noted that such vendors and suppliers are likely targeted to serve as a stepping stone into the real targets’ networks.