The advances of the New York Times on the “Carbanak cybergang”
In Valentine’s Day, the New York Times published the news that a group of cybercriminals used a malware to steal at least $300 million from banks and other financial institutions worldwide. The journalists at The New York Times have seen a preview of a report written by the researchers from the Kaspersky Lab following the investigation on a criminal crew dubbed the “Carbanak cybergang”.
The hackers have named the criminal crew “Carbanak cybergang” because of the name of the malware they used to compromise computers at banks and other financial institutions. According to the experts at Kaspersky, the majority of victims was located in are in Russia, but many other infections have been detected in other countries, including Japan, Europe and in the United States.
“Our investigation began in Ukraine and then moved to Moscow, with most of the victims located in Eastern Europe. However thanks to KSN data and data obtained from the Command and Control servers, we know that Carbanak also targets entities in the USA, Germany and China. Now the group is expanding its operations to new areas. These include Malaysia, Nepal, Kuwait and several regions in Africa, among others. The group is still active, and we urge all financial organizations to carefully scan their networks for the presence of Carbanak. If detected, report the intrusion to law enforcement immediately” states the report from Kaspersky.”
Figure 1 – Map of Infections (Kaspersky Lab)
At the time of the disclosure of the news made by The New York Times, the researches at Kaspersky Lab haven’t revealed the names of the banks because of nondisclosure agreements, but according to the experts this malware based campaign could be one of the biggest bank thefts ever.
The investigators discovered that the “Carbanak cybergang” hit more than 100 financial institutions in 30 countries, according to the advances of the popular newspaper, the malicious campaign started in 2013 and there are strong indications that it may still be ongoing.
“In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment.” reported the New York Times.
Initially, the news published by the New York Times reported that Kaspersky has evidence of thefts accounting for $300 million, despite experts speculate that the overall amount maybe three times in value.
Later, various news agencies reported that the hackers have stolen as much as $1 billion from more than targeted institutions in a string of attacks that borrow heavily from targeted attacks against sensitive government and industrial targets.
“This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert.” Chris Doggett, managing director of the Kaspersky Lab North America market, explained the Times.
How the “Carbanak cybergang” compromised its victims?
The investigation confirmed that the kill chain started with a spear phishing attack that targeted banks internal staff. The Carbanak cybergang used malicious emails to compromise banks’ computer systems, the messages sent to employees of the financial institutions included a link that once clicked triggered the download of a malware.
The Carbanak cybergang used the malware to collect information on the targeted organization, the attackers used the malicious code to find the employees who were in charge of cash transfer systems or ATMs and to gather information on the internal systems of the banks.
In a second phase of the attacks, the hackers installed a remote access tool (RAT) on the machines of those employees. Once infected the computers of the personnel in charge of cash transfer systems or ATMs, the attackers collected snapshots of victims’ screens and have studied what their daily activity in the bank.
In the last phase of the attack, the hackers were able to remotely control the ATMs to dispense money or transfer money to fake accounts.
“The bank’s internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group — including Russians, Chinese and Europeans — how the bank conducted its daily routines, according to the investigators.
Then the group impersonated bank officers, not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.” reported the New York Times
The managing director of the Kaspersky North America office in Boston, Chris Doggett, explained that the “Carbanak cybergang,” represents a significant increase in the sophistication of cyberattacks against financial organizations.
“This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert,” Mr. Doggett said.
The US authorities and Interpol with the support of the Kaspersky Lab are already coordinating their efforts in a joint investigation.
“These attacks again underline the fact that criminals will exploit any vulnerability in any system,” said Sanjay Virmani, director of Interpol Digital Crime Center. “It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures.”
Figure 2 – https://www.youtube.com/watch?v=ez9LNudxRIU
The Report issued by the Kaspersky Lab
The experts revealed that the discovery of the Carbanak cybergang was fortuitous, the researchers were investigating on an alleged Tyupkin infection of computer systems at a Ukraine bank. The investigation on the targeted ATMS did not reveal the presence of the Tyupkin malware, but the experts only discovered a VPN configuration (the netmask was set to 126.96.36.199) on the targeted machines.
A few months late Kaspersky was involved in another investigation on a case of a malware attack on a Russian bank. The experts discovered that attackers sent malicious email to employees of the bank with a CPL attachment although in other cases the bad actors attached Word documents exploiting known vulnerabilities.
“The email attachments exploit vulnerabilities in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014- 1761). Once the vulnerability is successfully exploited, the shellcode decrypts and executes the backdoor known as Carbanak.” Reports Kaspersky.
The analysts also speculate that attackers used as additional infection vector a classic drive-by-download attack because they have found evidence of the presence for the Null and the RedKit exploits kits.
After executing the shellcode, a backdoor based on banking malware Carberp is installed on the targeted system, the variant dubbed Carbanak was specifically designed for data exfiltration from targeted systems and allow remote control.
In order to avoid detection the threat actors also digitally signed some instances of the Carbanak malware.
Once compromised the machine, the hackers collect information regarding the relevant computers in the network with the intent to understand how a particular financial institution operates.
Figure 3 -Carbanak kill chain (Kaspersky Lab)
In order to acquire the knowledge about the internal processes of the banks the attackers recorded victims’ operations and took pictures of the screen while they are performing significant actions.
The experts identified the following Cash out the procedures used by the Carbanak cybergang to steal the money from the banks:
- Online banking – hackers transferred money to accounts the control.
- E-payment systems – hackers transferred money to bank accounts in China and US.
- Inflating account balances – databases with account information were altered so that fake accounts could be created with a relatively high balance, with mule services being used to collect the money.
- Controlling ATMs – ATMs were instructed remotely to dispense cash.
The report published by the Kaspersky Lab revealed that that financial losses could be as a high as $1 billion.
Detection and Mitigation
Kaspersky Lab has published a detailed report titled “CARBANAK APT THE GREAT BANK ROBBERY” that includes all the results for the investigation conducted by its experts. The document also includes a detailed list of the ioc indicators of compromise (IoC) for the Carbanak malware used by the hackers.
One of the best methods for detecting Carbanak on infected machine is to look for .bin files in the folder:
The malicious code, in fact, saves files in this location before send them command and control servers when an internet connection is available.
How to avoid the infection?
As usual, it is essential a proper security posture of the company to avoid to be a victim of such kind of attacks. Companies need to adopt a multi layered defensive system, they must update operating systems and applications, but most important is to train the internal staff on the cyber threats and the way to avoid them.
Below some general recommendations provided by Kaspersky:
- Do not open suspicious emails, especially if they have an attachment;
- Update your software (in this campaign no 0days were used);
- Turn on heuristics in your security suites, this way it is more likely that such new samples will be detected and stopped from the beginning.
About the Author
Pierluigi Paganini is Chief Information Security Officer at Bit4Id, firm leader in identity management, member of the ENISA (European Union Agency for Network and Information Security) )Threat Landscape Stakeholder Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at “Cyber Defense Magazine“, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US.
Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.