banking trojans

Carbanak evolved: new versions are detected

New variants of the “legendary” banking Trojan Carbanak are making the rounds on the Web, so far noticed in Europe and the United States.

Yuri Ilyin
September 18, 2015

New variants of the “legendary” banking Trojan Carbanak are making the rounds on the Web, so far noticed in Europe and the United States. Now it has a “proprietary communications protocol”, and the samples seen so far have been digitally signed, Threatpost reported earlier this month.

Great robbery

Upon its discovery earlier this year, Carbanak had been dubbed the first ever purely criminal APT. It was (and is) an ultra-massive money-stealing campaign directly targeting banks. Total losses amounted to $1 billion in February. And if we assume that the campaign is still active, the losses may be considerably larger.

By far it is the most successful criminal cyber campaign we have seen.

Carbanak evolved: new versions are detected #CarbanakAPT
Tweet

Detailed descriptions of the campaign are available in our February post and on Securelist. For now, we’ve updated a couple of details:

1. Carbanak targets banks directly; bank workers are “served” with phishing emails, consequently a backdoor is installed; attackers then search for “relevant” computers, such as those of administrators, to compromise and extract money.

2. Manual action is also present. Attackers explored the banks infrastructure; employed “money mules” to collect cash from the compromised ATMs (mules weren’t required to interact with the ATMs themselves, just to come at the right time).

All in all, according to Sergey Golovanov, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team, “The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery”.

New menace

New versions of Carbanak, discovered recently, are said to have some unique characteristics. The malware injects itself into the svchost.exe process as a way to hide itself; however the folder in which Carbanak installs itself and the filename it uses are both static.

#CarbanakAPT is the most successful criminal cyber campaign we have seen. No surprises, it evolves.
Tweet

Carbanak also utilizes plugins, those are installed via Carbanak’s own protocol. They are then communicated with a hardcoded IP address.

The isolated signatures were issued from Comodo to a company in Moscow, Russia.

A proprietary protocol?

Carbanak’s own communication protocol is a head-turner, but it’s well in line with the current trends of malware development. Everything that works evolves further. And Carbanak definitely worked well enough to keep it in active development.

A few general safety recommendations:

Do not open suspicious emails, especially if they have an attachment;
Update your software regularly in order to avoid falling prey to exploits for already-fixed vulnerabilities.

All Kaspersky Lab’s corporate products and solutions detect and block known Carbanak samples.

How to hide from surveillance cameras: the past and the future

Facial recognition algorithms can track your movements with amazing accuracy. But if you know how they work you can trick them.

Privacy & Kids

TARGETED SECURITY SOLUTIONS

Industries

Carbanak evolved: new versions are detected

Banking Trojans in a business wrapper

Why two-factor authentication is not enough

How to hide from surveillance cameras: the past and the future

Tips

Advertisers sharing data about you with… intelligence agencies

Watch the (verified) birdie, or new ways to recognize fakes

Switching to Kaspersky: a step-by-step migration guide

Is it the boss – or is it a fraudster? Scams disguised as urgent orders from top brass

Sign up to receive our headlines in your inbox

Home Products

Small Business Products

Medium Business Products

Enterprise Solutions

Securelist

Eugene Personal Blog

Encyclopedia