A new version of the notorious Carbanak Trojan has been spotted in the wild targeting financial organizations in Europe and the US. In February, researchers from Kaspersky reported on a multinational gang of hackers, dubbed Carbanak, that swiped 1 billion dollars from 100 financial institutions across 30 countries; most of the victims were located in Russia, the US, Germany, China and Ukraine.

Still Active & Alive

Last week the CSIS Security Group discovered that the Carbanak malware is still being used in spear-phishing attacks against major organizations in the US and Europe. CSIS carried out a forensic analysis of a Microsoft Windows client that had been compromised in an attempt to conduct fraudulent online banking transactions. As part of that work, they isolated a signed binary, which was later identified as a new Carbanak sample. The full analysis is in the CSIS post "Carbanak Returns".

Carbanak Aims at Financial Gains

According to researchers,
“We speculate that the main purpose of this company is to receive money from fraudulent transactions. As stated in the Kaspersky report, Carbanak-related transfers are rather huge. Possibly, they have registered a company and opened bank accounts in order to receive their stolen money while having full control of the transferring process.”

The experts noticed that the binaries used by the recently discovered Carbanak instance are similar to the previous versions, apart from a number of improvements. The new binaries use mutexes and random files, and communication with the C&C server relies on a proprietary protocol.

At least four different new variants of Carbanak were identified, targeting key financial personnel in large international corporations.

Carbanak malware signed by Comodo!

The new Carbanak Trojan relies on predefined IP addresses instead of domains in order to improve its evasion capability (hard-coded addresses avoid the DNS lookups that defenders commonly monitor and sinkhole). Its code is signed with a digital certificate issued by Comodo to a Russia-based wholesale company, a reminder that a valid signature from a commercial CA is not by itself evidence that a binary is benign.

One of the new samples analyzed by the researchers was communicating with a C&C server hosted on a bulletproof hosting company.

CSIS reported the following differences between these new variants and the previously observed Carbanak:
  • new geographical targets
  • a new proprietary protocol
  • the use of random files (i.e. the main component is static) and mutexes
  • predefined IP addresses (previous variants used domains)
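Two of the differences listed above, hard-coded IP addresses and named mutexes, are static indicators that can be pulled out of a sample without running it. The following Python script is an added triage example, not code from CSIS or from any Carbanak sample: it extracts dotted-quad IPv4 literals (ASCII and UTF-16LE, since Windows binaries store many strings as wide characters) and `Global\`/`Local\` mutex names from a binary image, and separates routable addresses from the loopback, RFC 1918 and broadcast noise that almost every binary contains. The byte blob at the bottom is constructed for the demonstration; its addresses are RFC 5737 documentation addresses standing in for whatever a real sample would carry, and the mutex name is made up.

```python
import ipaddress
import re
from typing import Dict, List

# One octet, 0-255, rejecting leading-zero forms such as "01" that are rarely IPs.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
# Lookarounds stop "6.1.7600.16385"-style version strings from yielding partial matches.
_IPV4 = re.compile(rf"(?<![\d.]){_OCTET}(?:\.{_OCTET}){{3}}(?![\d.])")
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# Hypothetical mutex-name pattern: the Windows namespace prefixes followed by a token.
_MUTEX = re.compile(r"(?:Global|Local)\\[A-Za-z0-9_\-{}]{4,}")

# Ranges that show up in nearly every Windows binary and are not C2 leads.
_NOISE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]


def printable_strings(data: bytes) -> List[str]:
    """Return printable ASCII and UTF-16LE runs, like `strings -a` plus `strings -el`."""
    out = [m.group().decode("ascii") for m in _ASCII_RUN.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in _WIDE_RUN.finditer(data)]
    return out


def extract_hardcoded_ips(data: bytes) -> Dict[str, List[str]]:
    """Find IPv4 literals in data and split them into C2 candidates and local noise.

    Output is a triage lead, not a verdict: a string such as "1.0.0.1" can be a
    version number as easily as an address, so candidates still need a look at
    the surrounding code (e.g. is it passed to connect() or InternetConnect()).
    """
    found = set()
    for s in printable_strings(data):
        found.update(_IPV4.findall(s))
    result: Dict[str, List[str]] = {"candidate": [], "noise": []}
    for ip in sorted(found, key=lambda s: tuple(int(o) for o in s.split("."))):
        addr = ipaddress.ip_address(ip)
        bucket = "noise" if any(addr in net for net in _NOISE) else "candidate"
        result[bucket].append(ip)
    return result


def extract_mutex_names(data: bytes) -> List[str]:
    """Return namespaced mutex names, which make useful host-based indicators."""
    names = set()
    for s in printable_strings(data):
        names.update(_MUTEX.findall(s))
    return sorted(names)


# Constructed stand-in for a binary image; NOT bytes from any real sample.
# Sections are separated by two NUL bytes so ASCII and wide runs do not bleed together.
SAMPLE = b"\x00\x00".join([
    b"MZ\x90\x00\x03",                                   # PE header fragment
    b"This program cannot be run in DOS mode.",
    b"192.0.2.10",                                        # ASCII literal (TEST-NET-1 stand-in)
    "198.51.100.7:443".encode("utf-16-le"),               # wide literal with a port suffix
    b"127.0.0.1",                                         # loopback noise
    b"0.0.0.0",                                           # INADDR_ANY noise
    b"FileVersion 6.1.7600.16385",                        # version string, must not match
    b"Global\\f1d2d2f924e986ac86fdf7b36c94bcdf",          # made-up mutex name
])

if __name__ == "__main__":
    print(extract_hardcoded_ips(SAMPLE))
    print(extract_mutex_names(SAMPLE))
```

Run it over a real file with `extract_hardcoded_ips(open(path, "rb").read())`; on a packed sample the strings only appear after unpacking or in a memory dump, which is why CSIS worked from the compromised host rather than from the phishing attachment alone.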

The experts at CSIS describe the Carbanak gang as a financial APT because of the targeted nature of its attacks.
