Big Bank Robbery: Carbanak APT Campaign

Tomcat


Download the full version of the report PDF (eng)

The Carbanak story began when a Ukrainian bank approached us with a request for help with a forensic investigation: someone was mysteriously stealing money from its ATMs. At first we were inclined to believe that this was the work of the Tyupkin malware. However, after examining the ATM's hard drive, we found nothing except some rather strange VPN settings (the network mask was set to 172.0.0.0).

At that time we regarded this incident as an ordinary malware attack. A few months later, however, one of our experts received a call from an account manager at three in the morning and was asked to urgently call a certain number. The security director of a Russian bank answered the call: one of the bank's systems had raised an alert about data being sent from a domain controller to the People's Republic of China.

The total losses of organizations infected with #Carbanak could reach a billion dollars #TheSAS2015

Upon arrival, we quickly discovered the malware in the system. We wrote a batch script to remove it from infected computers and ran it on all of the bank's machines, repeating the run several times until we were sure the malware was gone from every one of them. Naturally, we kept the malicious samples; it was through them that we became acquainted with Carbanak.

Modus operandi

During further forensic analysis we were able to determine the point of initial infection: a spear-phishing email carrying an attachment in CPL format. In other cases of infection, Word documents with embedded exploits for known vulnerabilities were used. Once the shellcode executes, a backdoor based on the Carberp code, now known as Carbanak, is installed on the system. It is designed for espionage, data theft and remote control of the infected system.

The bank robbery took 2 - 4 months - from the infection of the first computer to the withdrawal of funds #TheSAS2015 #Carbanak

After gaining access to a victim organization's network, the attackers conduct manual reconnaissance, attempting to compromise targeted computers (for example, administrators' machines) and using tools to infect further computers on the network. In other words, once they have access to the network, they jump from one computer to another until they find the system they are interested in. The choice of such systems varies from attack to attack. What they have in common is that each of them allows the attackers to withdraw funds from the financial institution whose computers are infected.

The group behind Carbanak may not have had detailed knowledge of how each attacked bank operated, since work is organized differently in different organizations. Therefore, to understand how each specific bank worked, infected computers were used to record video, which was then sent to the command and control servers. Despite the relatively low quality of the recordings, they allowed the attackers, who also had keylogger data collected on the same computers, to understand what the victim was doing. This gave them enough information to organize the withdrawal of funds.

Withdrawal methods

During the investigation, we discovered that the withdrawal of funds was carried out in several ways:
  1. ATMs received a remote command to dispense cash, without the attackers interacting with them directly. The dispensed money was then collected by "money mules".
  2. Money was transferred from the financial institution to accounts controlled by the cybercriminals through the SWIFT network.
  3. Databases containing account information were altered to create fake accounts with relatively high balances, after which money mules withdrew the funds.
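The third method relies on a balance being written into an account table without any transactions behind it. The following is an added example, not code from the report or from any bank, of the reconciliation check a practitioner would run to catch that: every account's stored balance is compared with the sum of its posted ledger entries. The schema (an `accounts` table and a `ledger` table) and all of the sample rows are constructed for illustration; real core-banking schemas differ, but the join is the same idea.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data for this example (not taken from the report).
# Account 1003 has had its stored balance written directly into the accounts
# table with no ledger entries behind it, which is the pattern described above.
ACCOUNTS = [
    (1001, "retail customer", 1500.00),
    (1002, "retail customer", 250.00),
    (1003, "mule account (hypothetical)", 9800000.00),
]
LEDGER = [
    (1001, 2000.00, "salary deposit"),
    (1001, -500.00, "card payment"),
    (1002, 250.00, "cash deposit"),
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed accounts and ledger."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE accounts (
            id      INTEGER PRIMARY KEY,
            owner   TEXT NOT NULL,
            balance REAL NOT NULL
        );
        CREATE TABLE ledger (
            id         INTEGER PRIMARY KEY AUTOINCREMENT,
            account_id INTEGER NOT NULL REFERENCES accounts(id),
            amount     REAL NOT NULL,
            memo       TEXT
        );
        """
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", ACCOUNTS)
    conn.executemany(
        "INSERT INTO ledger (account_id, amount, memo) VALUES (?, ?, ?)", LEDGER
    )
    conn.commit()
    return conn


def find_unbacked_balances(
    conn: sqlite3.Connection, tolerance: float = 0.005
) -> List[Tuple[int, float, float]]:
    """Return (account_id, stored_balance, posted_total) for every account whose
    stored balance differs from the sum of its ledger entries by more than
    `tolerance`. An account with no ledger rows at all is compared against 0,
    so a balance that was simply written into the table shows up here.
    """
    rows = conn.execute(
        """
        SELECT a.id,
               a.balance,
               COALESCE(SUM(l.amount), 0.0) AS posted
        FROM accounts AS a
        LEFT JOIN ledger AS l ON l.account_id = a.id
        GROUP BY a.id, a.balance
        HAVING ABS(a.balance - COALESCE(SUM(l.amount), 0.0)) > ?
        ORDER BY a.id
        """,
        (tolerance,),
    ).fetchall()
    return [(int(r[0]), float(r[1]), float(r[2])) for r in rows]


if __name__ == "__main__":
    for account_id, stored, posted in find_unbacked_balances(build_sample_db()):
        print(f"account {account_id}: stored balance {stored:,.2f} "
              f"but posted transactions total {posted:,.2f}")
```

In practice this query is run from a system the attackers do not control (a separate reconciliation host reading a replica), on a schedule shorter than the two to four months the report gives for a robbery, and its output is compared with the previous run so that a newly appearing discrepancy is alerted on rather than buried in known exceptions.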

Infections and damages

Since the beginning of our investigation into this campaign we have worked closely with the law enforcement authorities monitoring the Carbanak group's activities. Thanks to this, we know that about 100 financial organizations were affected by the group's activities. In at least half of the cases the criminals managed to withdraw funds from the infected organizations. The losses of each bank range from 2.5 to approximately 10 million dollars. However, according to information provided by law enforcement agencies and the victims themselves, total losses could reach a billion dollars, making Carbanak the most successful cybercrime campaign known to us.

Losses from #Carbanak of each bank range from 2.5 to approximately 10 million dollars #TheSAS2015

Our investigation began in Ukraine and then moved to Moscow, and most of the victims of the campaign turned out to be in Eastern Europe. However, we know from KSN data, as well as data obtained from the command and control servers, that the Carbanak campaign is also targeting organizations in the United States, Germany and China. The group is now expanding the geography of its activities into new zones, in particular Malaysia, Nepal, Kuwait and some regions of Africa.

The group remains active, and we encourage all financial institutions to check their networks thoroughly for the presence of Carbanak. If it is found, report it immediately to law enforcement authorities.

A detailed description of the campaign, together with indicators of compromise and a list of affected countries, can be found in our full report.

To check your network for a Carbanak infection, you can use the Open IOC indicator file, which is available here.
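The indicator file referred to above is, by the name of the format, an OpenIOC XML document: a tree of AND/OR `Indicator` groups containing `IndicatorItem` entries, each of which names an artifact type (`FileItem/FileName`, `PortItem/remoteIP` and so on), a condition (`is`, `contains`) and a value. The example below is added here and is not code from the report or from Kaspersky Lab; it is a minimal OpenIOC evaluator that a responder could point at a host inventory. It assumes the file follows the OpenIOC 1.0 schema with the `http://schemas.mandiant.com/2010/ioc` namespace. The IOC document and the three host inventories are constructed for the example: the file name `anak.cfg` is the Carbanak configuration name given in the report, but the process name and the 203.0.113.7 address are placeholders, not real Carbanak indicators.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed OpenIOC document for this example. anak.cfg is the configuration
# file name from the report; svchost.exe and 203.0.113.7 (documentation range)
# are hypothetical placeholders, not real Carbanak indicators.
SAMPLE_IOC = """
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001"
     last-modified="2015-02-16T00:00:00">
  <short_description>Constructed example indicator set</short_description>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="item-cfg" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">anak.cfg</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="proc-and-net">
        <IndicatorItem id="item-proc" condition="contains">
          <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
          <Content type="string">svchost.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="item-ip" condition="is">
          <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
          <Content type="IP">203.0.113.7</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""

# Constructed host inventories, keyed by OpenIOC search term.
HOST_INFECTED = {
    "FileItem/FileName": ["ntoskrnl.exe", "ANAK.CFG"],   # case differs on disk
    "ProcessItem/name": ["svchost.exe", "explorer.exe"],
    "PortItem/remoteIP": ["10.0.0.5"],
}
HOST_BEACONING = {
    "FileItem/FileName": ["ntoskrnl.exe"],
    "ProcessItem/name": ["svchost.exe"],
    "PortItem/remoteIP": ["203.0.113.7"],
}
HOST_CLEAN = {
    "FileItem/FileName": ["ntoskrnl.exe"],
    "ProcessItem/name": ["svchost.exe"],   # item-proc alone is not enough: the AND group needs item-ip too
    "PortItem/remoteIP": ["10.0.0.5"],
}


def _local(tag: str) -> str:
    """Strip the XML namespace prefix from an element tag."""
    return tag.rsplit("}", 1)[-1]


def _item_matches(item: ET.Element, artifacts: Dict[str, List[str]]) -> bool:
    """Evaluate one <IndicatorItem> against the host's artifacts, case-insensitively."""
    condition = item.get("condition", "is").lower()
    search = item.find("ioc:Context", NS).get("search")
    content = (item.findtext("ioc:Content", default="", namespaces=NS) or "").strip().lower()
    for value in artifacts.get(search, []):
        value = value.lower()
        if condition == "is" and value == content:
            return True
        if condition == "contains" and content in value:
            return True
    return False


def evaluate(node: ET.Element, artifacts: Dict[str, List[str]]) -> Tuple[bool, List[str]]:
    """Recursively evaluate an <Indicator> (AND/OR group) or <IndicatorItem>.

    Returns (matched, ids of the IndicatorItems that contributed to the match).
    Items inside an AND group only count when the whole group is satisfied.
    """
    if _local(node.tag) == "IndicatorItem":
        ok = _item_matches(node, artifacts)
        return ok, [node.get("id")] if ok else []

    children = [c for c in node if _local(c.tag) in ("Indicator", "IndicatorItem")]
    results = [evaluate(c, artifacts) for c in children]
    if not results:
        return False, []
    if node.get("operator", "OR").upper() == "AND":
        ok = all(r[0] for r in results)
        return ok, [h for r in results for h in r[1]] if ok else []
    return any(r[0] for r in results), [h for r in results for h in r[1]]


def scan_host(ioc_xml: str, artifacts: Dict[str, List[str]]) -> Tuple[bool, List[str]]:
    """Parse an OpenIOC document and evaluate its top-level indicator against one host."""
    root = ET.fromstring(ioc_xml.strip())
    top = root.find("ioc:definition/ioc:Indicator", NS)
    if top is None:
        raise ValueError("no <definition>/<Indicator> in IOC document")
    return evaluate(top, artifacts)


if __name__ == "__main__":
    for name, host in (("infected", HOST_INFECTED), ("beaconing", HOST_BEACONING), ("clean", HOST_CLEAN)):
        matched, hits = scan_host(SAMPLE_IOC, host)
        print(f"{name}: match={matched} items={hits}")
```

The point of returning the matched item ids rather than a bare boolean is triage: a hit on a single file name is a different situation from a hit on a process-plus-destination AND group, and the report's own indicator file should be read the same way. Only `is` and `contains` are implemented here; a production evaluator would also need the other OpenIOC conditions and negation.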

FAQ

What is Carbanak?

Carbanak is the name we use for an APT-style campaign targeting (but not limited to) financial institutions. The main difference between Carbanak and other APT attacks is that here the attackers' primary goal is not data but money. We call it an APT (Advanced Persistent Threat) style attack, although calling it "advanced" is something of a stretch; strictly speaking, the campaign's main distinguishing feature is its persistence over time.

We named the backdoor Carbanak because it is based on the Carberp code and its configuration file is named anak.cfg.

What are the goals of this malicious campaign?

The attackers penetrate the victim organization's network and look for a critical system through which funds can be withdrawn from the organization. Having stolen a significant amount (from 2.5 to 10 million dollars), they leave the victim alone.

Why do you think this threat is significant?

Banks have always been among the most important targets for cybercriminals. However, the direct targets of attacks on banks have almost always been their clients. In this case the financial organizations themselves are under attack. This is an unprecedented, targeted, professionally organized and well-thought-out campaign that uses every opportunity to withdraw the maximum amount of funds from the attacked organization; the attackers clearly set themselves the goal of taking as much as they could.

What can you say about the time frame of the campaign?

Based on the information we have, the first malicious samples were compiled in August 2013, when cybercriminals began testing the Carbanak malware. The first infections were discovered in December 2013.

On average it took two to four months to rob each bank, from the infection of the first computer on the bank's corporate network to the withdrawal of funds.

We believe that the first successful thefts of funds carried out by this group occurred between February and April 2014. The peak number of infections was recorded in June 2014.

At the moment, the campaign is still in the active phase.

Why haven't you published information about this campaign until now?

In examining this campaign, we have been cooperating from the outset with the various law enforcement agencies involved in the investigation of this threat and providing them with all the assistance we could. As the investigation is still ongoing, we have been asked not to release further details until it is safe to do so.

Have you contacted victims and CERT (Computer Emergency Response Team) focal points in the countries where you discovered the infections?

Yes, this investigation has become a joint operation between Kaspersky Lab's Global Research and Analysis Team (GReAT) and international organizations, national and international law enforcement agencies, and several CERTs around the world.

One of our most important goals was to disseminate information about this campaign and its indicators of compromise to known and potential victims. We used national CERTs and law enforcement agencies as the channel for this.

What contribution did you make to the investigation?

We take part in investigations and countermeasures aimed at stopping cybercriminals and malware. During investigations we provide expert support such as analysis of infection vectors, malware, C&C infrastructure and vulnerability exploitation techniques.

How was the malware distributed?

The attackers sent targeted emails containing malicious attachments to employees of the attacked financial institutions; in some cases the messages were sent to personal addresses. We believe that drive-by download attacks were also used, but this assumption cannot be considered fully confirmed.

What is the potential harm to victims of these attacks?

Based on the amounts stolen so far, new victims risk losing up to $10 million. However, this figure is based on the information we have about attacks that have already been carried out; once computers on a financial institution's network are infected, nothing limits the potential damage.

Who are the victims of the campaign? What is its scale?

The victims are primarily organizations in the financial sector; at the same time, we have found traces of infection in cash register systems and PR agencies. To get an idea of the scale of the campaign, please study the graphs and maps presented in our report.

As with many other malicious campaigns, this malware is analyzed by various companies and individual specialists, and during such analysis the command server receives requests from them. When we analyze these servers, all we see are IP addresses and, only sometimes, some additional data. When there is no additional data and the owner cannot be determined from the IP address, we count it as an infection.

The results of our analysis, based on the approach described above, indicate that Russia, the United States, Germany and China suffered more from these attacks than other countries.

How can corporate users protect themselves from such attacks? Does Kaspersky Lab protect its users?

Yes, we detect Carbanak samples as Backdoor.Win32.Carbanak and Backdoor.Win32.CarbanakCmd.

All Kaspersky Lab enterprise products and solutions detect known Carbanak samples. To raise the level of protection, we recommend enabling the proactive protection module included in all modern Kaspersky Lab products and solutions.

We can also offer some general recommendations:
  • Do not open suspicious emails, especially if they contain attachments.
  • Keep software up to date (no zero-day vulnerabilities were exploited in this campaign).
  • Include heuristic threat detection in your overall security solution to increase the likelihood of detecting and blocking new malware.