Home / malwarePDF  

CARBANAK


First posted on 01 April 2015.
Source: SecurityHome

Aliases :

CARBANAK is also known as BKDR_CARBANAK.A.

Explanation :

Imagine a targeted attack that aims for financial profit rather than the typical stealing of enterprise's "crown jewels" or confidential data-then you have CARBANAK. According to news reports, a backdoor hit more than 100 banks and financial organizations. The attack, which began late 2013, affected banks across the globe.

What is CARBANAK?

CARBANAK is the detection name related to the targeted attack campaign that hit banks and financial organizations. Based on reports, it employed methods and techniques such as spear phishing email and exploits, commonly seen in targeted attacks. Accordingly, attackers did intelligence gathering about their target networks in order to infiltrate it. Similar to other targeted attacks, they also used spear phishing emails as their point of entry to their attack. Trend Micro detects this as BKDR_CARBANAK.A.

Who are the targets?

The attackers behind CARBANAK malware targets banks and financial institutions located from various countries such as Russia, US, Ukraine, and others countries in Asia Pacific region.

How does the malware enter a network?

Attackers behind CARBANAK send spear phishing emails to their target banks' employees. The said email message has attachments containing known or old exploits such as CVE- 2012-0158, CVE-2013-3906, and CVE- 2014-1761. When successfully exploited, it executes a shellcode, which in turn, executes the CARBANAK malware. In another infection chain, users get a .CPL file attachment which when executed also leads to CARBANAK malware.

Attackers normally leverage old and known exploits given that some users do not immediately patch their systems with new software or system updates.

What happens after the threat actors successfully infiltrate a network?

Once recipients of the spear phishing emails open the said malicious email with attached exploits, CARBANAK malware is executed. One of the notable behavior of this malware is it allows remote users to execute commands such as capturing screenshots when accessing certain websites, stealing cookies, injecting codes to sites so as to monitor it, and deleting cookies from browsers among others. In addition, it also gathers system information.

To move laterally across the network, attackers also used remote administration tools thus reaching their target systems related to processing bank accounts. When they reached their target systems, attackers then recorded videos of the activities and operations of the affected user, probably to familiarize with banking procedures and workflow via their stolen information. Information is used to manipulate bank records and transfer funds into their accounts without being detected.

How the money was stolen

  1. When the time came to cash in on their activities, the fraudsters used online banking or international e-payment systems to transfer money from the banks accounts to their own. In the second case the stolen money was deposited with banks in China or America. The experts do not rule out the possibility that other banks in other countries were used as receivers.

  2. In other cases cybercriminals penetrated right into the very heart of the accounting systems, inflating account balances before pocketing the extra funds via a fraudulent transaction. For example: if an account has 1,000 dollars, the criminals change its value so it has 10,000 dollars and then transfer 9,000 to themselves. The account holder doesnt suspect a problem because the original 1,000 dollars are still there.

  3. In addition, the cyberthieves seized control of banks' ATMs and ordered them to dispense cash at a pre-determined time. When the payment was due, one of the gangs henchmen was waiting beside the machine to collect the 'voluntary' payment.

Last update 01 April 2015

 

TOP