September 18, 2015

Carbanak evolved: new versions are detected

Business

New variants of  the “legendary” banking Trojan Carbanak are making the rounds on the Web, so far noticed in Europe and the United States. Now it has a “proprietary communications protocol”, and the samples seen so far have been digitally signed, Threatpost reported earlier this month.

Great robbery

Upon its discovery earlier this year, Carbanak had been dubbed the first ever purely criminal APT. It was (and is) an ultra-massive money-stealing campaign directly targeting banks. Total losses amounted to $1 billion in February. And if we assume that the campaign is still active, the losses may be considerably larger.

By far it is the most successful criminal cyber campaign we have seen.

Detailed descriptions of the campaign are available in our February post and on Securelist. For now, we’ve updated a couple of details:

1. Carbanak targets banks directly; bank workers are “served” with phishing emails, consequently a backdoor is installed; attackers then search for “relevant” computers, such as those of administrators, to compromise and extract money.

2. Manual action is also present. Attackers explored the banks infrastructure; employed “money mules” to collect cash from the compromised ATMs (mules weren’t required to interact with the ATMs themselves, just to come at the right time).

All in all, according to Sergey Golovanov, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team, “The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery”.

wide

New menace

New versions of Carbanak, discovered recently, are said to have some unique characteristics. The malware injects itself into the svchost.exe process as a way to hide itself; however the folder in which Carbanak installs itself and the filename it uses are both static.

Carbanak also utilizes plugins, those are installed via Carbanak’s own protocol. They are then communicated with a hardcoded IP address.

The isolated signatures were issued from Comodo to a company in Moscow, Russia.

A proprietary protocol?

Carbanak’s own communication protocol is a head-turner, but it’s well in line with the current trends of malware development. Everything that works evolves further. And Carbanak definitely worked well enough to keep it in active development.

A few general safety recommendations:

  • Do not open suspicious emails, especially if they have an attachment;
  • Update your software regularly in order to avoid falling prey to exploits for already-fixed vulnerabilities.

All Kaspersky Lab’s corporate products and solutions detect and block known Carbanak samples.