Carbanak source code leak: What’s next?

The source code of infamous, billion-dollar malware was found on VirusTotal. Here’s what we know about it and what to expect next.

They remotely instructed ATMs to dispense cash, which mules collected.

Recently, news about Carbanak broke on various media outlets. Security researchers had found the source code of the infamous malware on the open VirusTotal portal. Carbanak is known as the most successful financial cyberthreats to date, causing estimated financial losses of as much as $1 billion.

A look back at Carbanak history

Our experts initially discovered and analyzed Carbanak back in 2014. They had begun investigating numerous incidents of cash being stolen from bank ATMs, but discovered that those incidents were linked — it was a huge international campaign aimed at stealing a lot of money from various banks all over the world. Initially, our experts were investigating incidents only in Eastern Europe, but they soon found more victims — in the US, Germany, and China.

Like many other attacks, this campaign started with spear phishing. In this case, it was well-aimed e-mail armed with malicious attachments that installed a back door based on Carberp malware. That back door provided entry into the target organization’s entire network — in this case, banks’ networks — compromising computers that could give the malefactors an opportunity to extract money.

The perpetrators had several paths to the money. In some cases, they remotely instructed ATMs to dispense cash, which mules collected. In others, they used the SWIFT network to transfer money directly into their accounts. These methods were not widely exploited back in 2014, so the scale and the technologies Carbanak employed shook both the banking and the cybersecurity industry.

What does the future hold?

Since Carbanak’s discovery, our experts have seen several attacks (Silence, for example) attempting similar tactics and tracked other signs of the same criminal group, which remained quite active. But now that Carbanak’s source code has gone public, such incidents may become significantly more frequent; it’s now available to malefactors who lack the coding skills to produce such complicated malware on their own. Kaspersky Lab researcher Sergey Golovanov, who has investigated this case from the start, has something to say about that:

“The fact that the source code of the infamous Carbanak malware was available on an open source website is a bad omen. Indeed, the Carbanak malware itself was initially built on the source code of Carberp malware after it was published online. We have every reason to believe that this scenario is only going to repeat itself and that we will see some dangerous modifications of Carbanak in the future. The good news is that since the Carberp leak, the cybersecurity industry has evolved significantly, and can now easily recognize the modified code. We urge companies and individuals to protect themselves against this and future threats with a robust security solution.”

How to stay safe

To protect yourself from threats such as Carbanak, we recommend the following measures:

  • Integrate Threat Intelligence feeds into your SIEM and other security controls to get access to the most relevant and up-to-date threat data and to prepare for future attacks. To protect against such advanced threats, ideally you need to know about them and know what to look for, and threat intelligence feeds provide that essential information.
  • Implement EDR solutions such as Kaspersky Endpoint Detection and Response for endpoint-level detection, investigation, and timely remediation of incidents. Detecting a sample of Carbanak-like activity on one endpoint requires immediate reaction, and this is where EDR solutions can help.
  • Implement a corporate-grade security solution that detects advanced threats on the network level at an early stage, such as Kaspersky Anti Targeted Attack Platform, in addition to adopting essential endpoint protection.