Carbanak APT
Virus Type: Advanced Persistent Threat (APT)

Carbanak is the name we use for an APT-style campaign targeting (but not limited to) financial institutions. We say APT-like; however, the attack is not, strictly speaking, Advanced. Strictly speaking, the main feature defining the attackers is Persistence. The attackers infiltrate the victim's network looking for the critical system they can use for cashing money out. Once they have stolen a significant amount of money (from 2.5 to 10 MM USD per entity), they abandon the victim.

The main difference with other APT attacks is that attackers do not see data but money as their primary target. The Carbanak criminal gang responsible for the cyberrobbery used techniques drawn from the arsenal of targeted attacks. The plot marks the beginning of a new stage in the evolution of cybercriminal activity, where malicious users steal money directly from banks, and avoid targeting end users.

Yes, we detect Carbanak samples as Backdoor.Win32.Carbanak and Backdoor.Win32.CarbanakCmd. All Kaspersky Lab's corporate products and solutions detect known Carbanak samples. To raise the level of protection, it is recommended to switch on Kaspersky's Proactive Defense Module included in each modern product and solution.

We also have some general recommendations:

Indicators of Compromise information is included in our detailed technical research paper. Kaspersky Lab urges all financial organizations to carefully scan their networks for the presence of Carbanak and, if detected, report the intrusion to law enforcement.

So far, we've observed two main objectives from the attackers:

So far, victims of Regin were identified in 14 countries:

In total, we counted 27 different victims, although it should be pointed out that the definition of a victim here refers to a full entity, including their entire network. The number of unique PCs infected with Regin is of course much, much higher.
Considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state.

Attribution remains a very difficult problem when it comes to professional attackers such as those behind Regin.

Yes, IOC information has been included in our detailed technical research paper.

VIRUS DEFINITION
What is Carbanak?
How is this different from any other APT attack?
Does Kaspersky Lab detect all variants of this malware?
How to identify the intrusion?
Is this a nation-state sponsored attack?
What country is behind Regin?
Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?