{"id":3598,"date":"2015-02-17T14:32:57","date_gmt":"2015-02-17T14:32:57","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3598"},"modified":"2020-02-27T03:53:27","modified_gmt":"2020-02-26T16:53:27","slug":"the-great-bank-robbery-carbanak-apt","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.au\/blog\/the-great-bank-robbery-carbanak-apt\/3598\/","title":{"rendered":"The Great Bank Robbery: Carbanak APT"},"content":{"rendered":"<p>Kaspersky Lab has discovered an ultra-massive money-stealing campaign codenamed Carbanak APT with total losses summing up to $1 bn so far. The campaign is still active. Kaspersky Lab\u2019s researchers Sergey Golovanov and Sergey Lozhkin presented the research on Carbanak yesterday at the Kaspersky Security Analyst Summit. Follow the live blog <a href=\"https:\/\/www.kaspersky.com.au\/blog\/kaspersky-security-analyst-summit-2015-the-live-blog\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p><strong>One day there will be a movie<\/strong><\/p>\n<p>In late 2014 Kaspersky Lab <a href=\"https:\/\/securelist.com\/analysis\/kaspersky-security-bulletin\/67864\/kaspersky-security-bulletin-2014-predictions-2015\/\" target=\"_blank\" rel=\"noopener\">predicted<\/a> that money-minded criminals would switch targets, moving closer to the point of their interest. Simply put, they\u2019ll attack banks. This is just what has happened. According to information provided by law enforcement agencies and the victims themselves, total financial losses could be as high as $1 billion, making this by far the most successful criminal cyber campaign we have ever seen. Perhaps one day there will be a movie, as with the Great Gold Robbery of 1855.<\/p>\n<p><strong>Around the world<\/strong><\/p>\n<p>Coming back to the point, the Carbanak investigation started in Ukraine, where money had been siphoned mysteriously straight from the ATM. 
It then moved to Moscow; most of the victims are located in Eastern Europe, but, thanks to the data obtained from the Command and Control servers, we know that Carbanak also targets entities in the USA, Germany and China.<\/p>\n<p>https:\/\/twitter.com\/k1k_\/status\/567406121636220930<\/p>\n<p><strong>A backdoor and a manual recon<\/strong><\/p>\n<p>From what is known so far, the attackers plant a Carberp-based backdoor in their victims\u2019 systems. The initial attack starts with a spear phishing e-mail with a malicious attachment; there were also cases where Word documents exploiting known vulnerabilities were used. Once the shellcode has executed, the backdoor is brought in.<\/p>\n<p>Interestingly, the attackers then proceed to perform manual reconnaissance, trying to detect and compromise \u201crelevant\u201d computers, such as those of administrators. Their actual points of interest are the systems through which it is possible to extract money.<\/p>\n<p>To understand how a particular bank operates, infected computers were used to record videos that were then sent to the Command and Control servers. The relatively poor quality of the videos was still good enough for the attackers, armed also with the keylogged data for that particular machine, to understand what the victim was doing. This provided them with the knowledge they needed to cash out the money.<\/p>\n<p><strong>Cash \u2019em out<\/strong><\/p>\n<p>During the investigation, several ways of cashing out were found. Either ATMs were instructed remotely to dispense cash without any interaction with the ATM itself, with the cash then collected by mules; or the SWIFT network was used to transfer money out of the organization and into criminals\u2019 accounts. 
Also, databases with account information could have been altered so that fake accounts could be created with a relatively high balance, with mule services being used to collect the money.<\/p>\n<p>The campaign has presumably been active since December 2013. The peak of infections was recorded in June 2014; the campaign is still active, so hardly any financial organization can feel totally safe.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/wUU8bAVgx80?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>All Kaspersky Lab\u2019s corporate products and solutions detect and block known Carbanak samples.<\/p>\n<p>A few general safety recommendations:<\/p>\n<ul>\n<li>Do not open suspicious emails, especially if they have an attachment;<\/li>\n<li>Update your software regularly.<\/li>\n<\/ul>\n<p>The slide below also shows how traces of a Carbanak infection can be detected:<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/02\/06020249\/carbanak-1-1024x634.jpg\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/102\/2015\/02\/06020249\/carbanak-1.jpg\" alt=\"\" width=\"1280\" height=\"792\" class=\"aligncenter size-full wp-image-3599\"><\/a><\/p>\n<p>A more detailed report and a link to the full disclosure are available at <a href=\"https:\/\/securelist.com\/blog\/research\/68732\/the-great-bank-robbery-the-carbanak-apt\/\" target=\"_blank\" rel=\"noopener\">Securelist<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Kaspersky Lab has discovered an ultra-massive money-stealing campaign codenamed Carbanak APT with total losses summing up to $1 bn so 
far.<\/p>\n","protected":false},"author":53,"featured_media":7551,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,2994],"tags":[963,956],"class_list":{"0":"post-3598","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-carbanak","10":"tag-thesas2015"},"hreflang":[{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/the-great-bank-robbery-carbanak-apt\/3598\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/the-great-bank-robbery-carbanak-apt\/3598\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/the-great-bank-robbery-carbanak-apt\/3598\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com.au\/blog\/tag\/carbanak\/","name":"Carbanak"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/3598","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/users\/53"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/comments?post=3598"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/3598\/revisions"}],"predecessor-version":[{"id":26647,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/posts\/3598\/revisions\/26647"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media\/7551"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/media?parent=3598"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com.au
\/blog\/wp-json\/wp\/v2\/categories?post=3598"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com.au\/blog\/wp-json\/wp\/v2\/tags?post=3598"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}