Carbanak is a family of trojans most recently involved in the compromise of several banks. Carbanak attacks are estimated to be responsible for approximately $1 billion in worldwide losses, and the campaign is being cited as one of the largest cybercrime operations ever deployed. It also marks a significant shift in the techniques used by so-called "crimeware" groups. The tactics, techniques and procedures (TTPs) of the group behind Carbanak are more in line with those of nation-state sponsored attackers such as Deep Panda. Lateral movement tooling and thorough reconnaissance have previously been seen in malware built for cyber espionage or theft of intellectual property, but this is the first time we have seen them used in malware designed for financial gain.
Email continues to be one of the most common ways for attackers to gain a foothold in a target network, and most Carbanak attacks follow this pattern: a weaponized payload is sent as an email attachment to members of the target organization. The payload is often disguised as a seemingly legitimate Windows Control Panel (*.CPL) file and delivered through social engineering.
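A Control Panel applet is a PE DLL, so a .CPL attachment (or a "document" whose bytes carry a PE header) has no business arriving by email. The following mail-gateway style triage is an added example written for this post, not code from the original article or from the Carbanak samples; the extension lists are policy assumptions to tune locally, and the attachments are constructed in the block.

```python
"""Attachment triage for disguised Control Panel (.CPL) payloads.

Added example, not from the original post. Flags executable extensions,
decoy double extensions (invoice.pdf.cpl) and PE content hiding behind a
document extension. Extension lists are assumptions; samples are constructed.
"""

# Assumption: extensions Windows executes directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".cpl", ".exe", ".dll", ".scr", ".com", ".pif",
                         ".bat", ".cmd", ".js", ".vbs"}
# Assumption: extensions users expect to be harmless documents or images.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf",
                       ".txt", ".jpg", ".png"}


def is_pe(data):
    """True if data has a DOS 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def make_pe_stub():
    """Constructed minimal PE-looking header for the samples (not a real binary)."""
    hdr = bytearray(0x44)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def triage_attachment(filename, data):
    """Return the list of reasons an attachment is suspicious (empty = clean)."""
    exts = ["." + part for part in filename.lower().split(".")[1:]]
    final_ext = exts[-1] if exts else ""
    reasons = []
    if final_ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {final_ext}")
        if any(e in DOCUMENT_EXTENSIONS for e in exts[:-1]):
            reasons.append("document extension used as decoy before the real one")
    if is_pe(data):
        if final_ext not in EXECUTABLE_EXTENSIONS:
            reasons.append(f"PE header inside a {final_ext or 'no-extension'} file")
        elif final_ext == ".cpl":
            reasons.append("PE content confirms a Control Panel applet")
    return reasons


# Constructed sample attachments (name -> first bytes).
SAMPLE_ATTACHMENTS = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "statement_2015.cpl": make_pe_stub(),
    "invoice.pdf.cpl": make_pe_stub(),
    "photo.jpg": make_pe_stub(),          # PE renamed to look like an image
}


def triage_all(attachments):
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, reasons in triage_all(SAMPLE_ATTACHMENTS).items():
        print(f"{name:22} {'BLOCK' if reasons else 'allow'}  {'; '.join(reasons)}")
```

Checking the PE signature through `e_lfanew` rather than just the two `MZ` bytes avoids false positives on files that merely start with those letters, while still catching an applet that has been renamed to `.jpg` or `.pdf`.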
Carbanak's CnC communication is built to evade signature-based defenses: request URIs are randomized for every request, and the CnC domains themselves change rapidly, so neither a URI pattern nor a domain list holds up as an indicator for long.
Fig 1: Two different Carbanak variants using random URIs.
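When URIs are random and domains rotate, a detection has to key on behaviour rather than on strings. The heuristic below is an added example for this post (not the original article's code or a Carbanak signature): it groups proxy log entries by client and destination, and flags pairs whose paths are all unique, look like opaque alphanumeric tokens, and arrive at near-constant intervals. The log format, the token shape and all thresholds are assumptions, and the sample lines are constructed.

```python
"""Heuristic detection of randomized-URI beaconing in HTTP proxy logs.

Added example, not from the original post. Log format (epoch client method
url), token shape and thresholds are assumptions; the log lines are constructed.
"""
import re
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: one benign intranet user, one CDN burst, one beaconing host.
SAMPLE_LOG = """\
1425000000 10.1.1.5 GET http://intranet.example.local/news/index.html
1425000042 10.1.1.5 GET http://intranet.example.local/news/style.css
1425000130 10.1.1.5 GET http://intranet.example.local/news/index.html
1425000377 10.1.1.5 GET http://intranet.example.local/hr/policy.pdf
1425000401 10.1.1.5 GET http://intranet.example.local/news/index.html
1425000010 10.1.1.5 GET http://cdn.example.net/js/app.min.js
1425000011 10.1.1.5 GET http://cdn.example.net/css/site.css
1425000012 10.1.1.5 GET http://cdn.example.net/img/logo.png
1425000013 10.1.1.5 GET http://cdn.example.net/fonts/ui.woff
1425000000 10.1.1.9 POST http://update-srv.example.org/x8f2kq9zt1
1425000297 10.1.1.9 POST http://update-srv.example.org/pq3l0m7ab2
1425000604 10.1.1.9 POST http://update-srv.example.org/w0d4nz6cvr
1425000899 10.1.1.9 POST http://update-srv.example.org/h5y1ks8eo3
1425001205 10.1.1.9 POST http://update-srv.example.org/t2m9fb0xul
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")
TOKEN_RE = re.compile(r"^[A-Za-z0-9]{8,}$")   # assumption: opaque token shape


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                        # skip malformed lines
        ts, client, _method, url = m.groups()
        parts = urlsplit(url)
        records.append({"ts": int(ts), "client": client,
                        "host": parts.hostname, "path": parts.path})
    return records


def looks_like_random_token(path):
    """Single path segment, alphanumeric, mixes letters and digits, no extension."""
    seg = path.strip("/")
    if "/" in seg or not TOKEN_RE.match(seg):
        return False
    return any(c.isalpha() for c in seg) and any(c.isdigit() for c in seg)


def interval_cv(timestamps):
    """Coefficient of variation of inter-request gaps; None if too few requests."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def score_pairs(records, min_requests=4):
    """Per (client, host) pair: uniqueness, token ratio and timing regularity."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["client"], r["host"])].append(r)
    scores = {}
    for key, rs in groups.items():
        if len(rs) < min_requests:
            continue
        paths = [r["path"] for r in rs]
        scores[key] = {
            "requests": len(rs),
            "unique_ratio": len(set(paths)) / len(paths),
            "token_ratio": sum(looks_like_random_token(p) for p in paths) / len(paths),
            "interval_cv": interval_cv([r["ts"] for r in rs]),
        }
    return scores


def flag_beacons(records, min_requests=4, max_cv=0.5):
    """Pairs with (nearly) all-unique token-like paths sent at a steady cadence."""
    flagged = []
    for key, s in score_pairs(records, min_requests).items():
        regular = s["interval_cv"] is None or s["interval_cv"] <= max_cv
        if s["unique_ratio"] >= 0.9 and s["token_ratio"] >= 0.8 and regular:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for client, host in flag_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {client} -> {host}")
```

The CDN traffic in the sample is the edge case worth noting: its paths are also all unique, but they carry ordinary file names and extensions, so the token check keeps it out; only the uniqueness check on its own would have produced a false positive.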
Relationship With Carberp:
Carberp is an older piece of malware that was widely used to steal credit card and other financial information. We believe that the threat actors behind Carberp now operate Carbanak as well. Carberp and Carbanak share the following traits:
- Downloads modules with a .plug extension from its command and control (CnC) servers.
- Targets financial firms.
- Uses Ammyy Admin module for remote desktop access.
- Kills running anti-virus (AV) processes when the target machine has a local AV client.
The very first Carberp variants communicated with their CnCs over HTTP POST requests, sending all stolen information in plain text. Over time the malware evolved to encrypt all of its CnC communication, and Carberp was continuously improved to become larger and more capable. We believe that Carbanak represents the culmination of these efforts: it is capable of doing significantly more damage while still going unnoticed.
The threat actors behind Carbanak and Carberp have shown considerable understanding of, and expertise in, compromising financial firms. Those skills, combined with the money they have stolen over the years, make them a very dangerous group. We expect them to continue evolving and to engage in more sophisticated attacks in the future.