Sophisticated Malware ‘Carbanak Trojan’ Robbing Banks of a Billion Dollars Returns

Danish cybersecurity researchers have discovered new and improved variants of the notorious Carbanak Trojan, which is now surfacing to target banks and financial institutions in the U.S. and Europe.

Carbanak, the malware that enabled a cyber-gang to siphon over $1 billion from around a hundred financial institutions worldwide, has made its presence known again. Peter Kruse, a security specialist at CSIS, details the findings in an analysis published as a blog post.

The malware has evolved over time: it now uses its own proprietary communications protocol, and the samples examined by the researchers are digitally signed.

The Billion-Dollar Heist

The Carbanak malware marked a milestone in cybercrime: attackers began targeting banks directly rather than the banks' customers.

Between 2013 and 2015, the Carbanak malware served as a sophisticated backdoor that gave the attackers remote access to machines inside the targeted banks' networks.

  • It started as a spear-phishing campaign, with emails carrying malicious attachments that dropped the Carbanak backdoor.
  • Once a machine was compromised, the malware gave the attackers remote access to it.
  • Over time, the criminals used that foothold in the bank's network to siphon money in multiple ways.

This unprecedented, worldwide campaign against the banking sector was uncovered only through the combined efforts of law enforcement agencies around the globe and the cybersecurity company Kaspersky Lab.

These heists were striking because the software the banks ran made no difference to the criminals. A bank cannot afford to be complacent just because its software is unique.

“The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery,” explained Sergey Golovanov, a Principal Security Researcher at Kaspersky Lab.

The entire Carbanak report can be found here.

Carbanak Makes a Return

Researchers at CSIS have now identified new Carbanak variants with distinctive characteristics. Specifically, the folder into which Carbanak installs itself and the filename it uses are both static, which makes them usable as indicators. The malware also injects itself into the svchost.exe process to evade detection.

“Just recently, CSIS carried out a forensic analysis involving a Microsoft Windows client that was compromised in an attempt to conduct fraudulent online banking transactions. As part of the forensic task, we managed to isolate a signed binary, which we later identified as a new Carbanak sample,” Kruse noted in his analysis.

Like most other sophisticated malware, Carbanak uses plugins. In the new variant, plugins are installed over Carbanak's own protocol, “with a hard coded IP address over TCP port 443.”
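The two behaviours above (code running inside svchost.exe, and a plugin channel to a hard-coded IP on TCP 443) both leave traces that a hunt can pick up. The script below is an added example written for this page; it is not code from CSIS or from the original article. It runs a simple hunting rule over constructed, Sysmon-shaped events: a hard-coded C2 address needs no DNS lookup, so an svchost.exe connection to an external IP on port 443 that no prior DNS answer on the host explains is flagged, as is any CreateRemoteThread into svchost.exe. The event shapes, the event IDs (22 = DNS query, 3 = network connection, 8 = CreateRemoteThread), the dropper path and the IP addresses are all sample data constructed for the example.

```python
import ipaddress

# Constructed Sysmon-shaped events (not real logs), in time order.
# 22 = DNS query with answers, 3 = network connection, 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {"id": 22, "Image": r"C:\Windows\System32\svchost.exe",
     "QueryName": "ctldl.windowsupdate.com", "QueryResults": "::ffff:13.107.4.50;"},
    {"id": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "13.107.4.50", "DestinationPort": 443},      # explained by the DNS answer above
    {"id": 8, "SourceImage": r"C:\Users\bob\AppData\Local\Temp\dropper.exe",   # placeholder path
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"id": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.25", "DestinationPort": 443},     # no DNS answer for this IP
    {"id": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationIp": "203.0.113.25", "DestinationPort": 443},     # not svchost, out of scope
    {"id": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 445},         # internal, not 443
]

# RFC 1918 ranges plus loopback; spelled out rather than relying on ipaddress.is_private,
# which also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_query_results(results: str) -> set:
    """Extract IP answers from a Sysmon QueryResults string.

    Sysmon separates answers with ';' and writes IPv4 answers as '::ffff:a.b.c.d';
    CNAME tokens ('type:  5 name') are not addresses and are skipped.
    """
    ips = set()
    for token in results.split(";"):
        token = token.strip()
        if token.startswith("::ffff:"):
            token = token[len("::ffff:"):]
        try:
            ips.add(str(ipaddress.ip_address(token)))
        except ValueError:
            continue
    return ips


def hunt(events) -> list:
    """Return (rule, detail) alerts for the two Carbanak behaviours described above."""
    alerts = []
    resolved = set()   # every IP a DNS answer has explained so far on this host
    for ev in events:
        if ev["id"] == 22:
            resolved |= parse_query_results(ev["QueryResults"])
        elif ev["id"] == 8 and ev["TargetImage"].lower().endswith("\\svchost.exe"):
            alerts.append(("remote_thread_into_svchost", ev["SourceImage"]))
        elif ev["id"] == 3:
            image = ev["Image"].lower()
            if (image.endswith("\\svchost.exe")
                    and ev["DestinationPort"] == 443
                    and not is_internal(ev["DestinationIp"])
                    and ev["DestinationIp"] not in resolved):
                alerts.append(("svchost_443_to_unresolved_ip", ev["DestinationIp"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

svchost.exe legitimately talks to port 443 all day (Windows Update, telemetry, certificate downloads), which is why the rule keys on the absence of a DNS answer rather than on the port alone. Treat hits as hunting leads, not high-fidelity alerts: an attacker who resolves the C2 address through DNS, or a host whose resolver cache predates the log window, will not produce the unresolved-IP signal, and the CreateRemoteThread check will also fire on some legitimate tooling.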

CSIS analyzed the signatures on the samples and found that the code-signing certificate had been issued by Comodo to a Moscow-based company.

Kruse confirms that targets in the U.S. and Europe have been hit with the new Carbanak variants.

“Carbanak is what we define as a financial APT. In its nature, it is very targeted, and it is being deployed in small numbers. In this way, it tends to slide under the radar.

“We have observed at least four different new variants of Carbanak targeting key financial personnel in large international corporations,” Kruse added.



Samburaj is the contributing editor at Hacked and keeps tabs on science, technology and cyber security.