Carbanak Cybergang Swipes Over $1 Billion from Banks

February 18, 2015 by Pierluigi Paganini

The New York Times on the "Carbanak cybergang"

On Valentine's Day, The New York Times published the news that a group of cybercriminals used malware to steal at least $300 million from banks and other financial institutions worldwide. The journalists at The New York Times saw a preview of a report written by researchers from Kaspersky Lab following the investigation of a criminal crew dubbed the "Carbanak cybergang."

The criminal crew is named "Carbanak cybergang" after the malware they used to compromise computers at banks and other financial institutions. According to the experts at Kaspersky, the majority of victims are located in Russia, but many other infections have been detected in other countries, including Japan, Europe and the United States.

"Our investigation began in Ukraine and then moved to Moscow, with most of the victims located in Eastern Europe. However thanks to KSN data and data obtained from the Command and Control servers, we know that Carbanak also targets entities in the USA, Germany and China. Now the group is expanding its operations to new areas. These include Malaysia, Nepal, Kuwait and several regions in Africa, among others. The group is still active, and we urge all financial organizations to carefully scan their networks for the presence of Carbanak. If detected, report the intrusion to law enforcement immediately", states the report from Kaspersky.

Figure 1 - Map of Infections (Kaspersky Lab)

At the time of disclosure by The New York Times, researchers at Kaspersky Lab hadn't revealed the names of the banks because of nondisclosure agreements, but according to the experts, this malware-based campaign could be one of the biggest bank thefts ever.

The investigators discovered that the "Carbanak cybergang" hit more than 100 financial institutions in 30 countries. According to the newspaper's advance reporting, the malicious campaign started in 2013, and there are strong indications that it may still be ongoing.

"In late 2013, an A.T.M. in Kiev started dispensing cash at seemingly random times of day. No one had put in a card or touched a button. Cameras showed that the piles of money had been swept up by customers who appeared lucky to be there at the right moment", reported The New York Times.

Initially, the news published by The New York Times reported that Kaspersky had evidence of thefts accounting for $300 million, but experts speculate that the overall amount may be three times that figure.

Later, various news agencies reported that the hackers stole as much as $1 billion from more targeted institutions in a string of attacks that borrow heavily from targeted attacks against sensitive government and industrial targets.

"This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert", Chris Doggett, managing director of the Kaspersky Lab North America market, explained to The Times.

How the "Carbanak cybergang" compromised its victims

The investigation confirmed that the kill chain started with a spear phishing attack that targeted banks' internal staff. The Carbanak cybergang used malicious emails to compromise banks' computer systems. The messages sent to employees of the financial institutions included a link that, once clicked, triggered the download of malware.

The Carbanak cybergang used the malware to collect information on the targeted organization. The attackers used malicious code to find the employees who were in charge of cash transfer systems or ATMs and to gather information on the internal systems of the banks.

In a second phase of the attacks, the hackers installed a remote access tool (RAT) on the machines of those employees. Once they had infected the computers of the personnel in charge of cash transfer systems or ATMs, the attackers collected snapshots of victims' screens and studied their daily activities in the bank.

In the last phase of the attack, the hackers were able to remotely control the ATMs to dispense money or transfer money to fake accounts.

"The bank's internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group — including Russians, Chinese and Europeans — how the bank conducted its daily routines, according to the investigators.

"Then the group impersonated bank officers, not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries," reported The New York Times.

The managing director of the Kaspersky North America office in Boston, Chris Doggett, explained that the "Carbanak cybergang" represents a significant increase in the sophistication of cyberattacks against financial organizations.

"This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert," Mr. Doggett said.

The US authorities and Interpol, with the support of Kaspersky Lab, are already coordinating their efforts in a joint investigation.

"These attacks again underline the fact that criminals will exploit any vulnerability in any system," said Sanjay Virmani, director of Interpol Digital Crime Center. "It also highlights the fact that no sector can consider itself immune to attack and must constantly address their security procedures."

Figure 2 - https://www.youtube.com/watch?v=ez9LNudxRIU

The report issued by Kaspersky Lab

Experts revealed that the discovery of the Carbanak cybergang was fortuitous. Researchers were investigating an alleged Tyupkin infection of computer systems at a Ukrainian bank. The investigation of the targeted ATMs did not reveal the presence of the Tyupkin malware, but the experts discovered a VPN configuration (the netmask was set to 172.0.0.0) on the targeted machines.

A few months later, Kaspersky was involved in another investigation on a case of a malware attack on a Russian bank. The experts discovered that attackers sent a malicious email to employees of the bank with a CPL attachment, although in other cases the bad actors attached Word documents exploiting known vulnerabilities.

"The email attachments exploit vulnerabilities in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761). Once the vulnerability is successfully exploited, the shellcode decrypts and executes the backdoor known as Carbanak," reports Kaspersky.

The analysts also speculate that attackers used a classic drive-by-download attack as an additional infection vector, because they found evidence of the presence of the Null and the RedKit exploit kits.

After executing the shellcode, a backdoor based on banking malware Carberp is installed on the targeted system. The variant dubbed Carbanak was specifically designed for data exfiltration from targeted systems and to allow remote control.

In order to avoid detection, the threat actors also digitally signed some instances of the Carbanak malware.

Once they had compromised the machine, the hackers collected information regarding the relevant computers in the network with the intent to understand how a particular financial institution operates.

Figure 3 - Carbanak kill chain (Kaspersky Lab)

In order to acquire knowledge about the internal processes of the banks, the attackers recorded victims' operations and took pictures of the screen while they were performing significant actions.

The experts identified the following cash out procedures used by the Carbanak cybergang to steal money from the banks:

  • Online banking – hackers transferred money to accounts they control.
  • E-payment systems – hackers transferred money to bank accounts in China and the US.
  • Inflating account balances – databases with account information were altered so that fake accounts could be created with a relatively high balance, with mule services being used to collect the money.
  • Controlling ATMs – ATMs were instructed remotely to dispense cash.

The report published by Kaspersky Lab revealed that financial losses could be as high as $1 billion.

Detection and mitigation

Kaspersky Lab has published a detailed report titled "The Great Bank Robbery: Carbanak APT" that includes all the results of the investigation conducted by its experts. The document also includes a detailed list of the indicators of compromise (IoC) for the Carbanak malware used by the hackers.

One of the best methods for detecting Carbanak on an infected machine is to look for .bin files in the folder:

..\All users\%AppData%\Mozilla

The malicious code, in fact, saves files in this location before sending them to the command and control servers when an Internet connection is available.
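A sweep for this indicator, as an added example that is not part of the original article or the Kaspersky report: it walks a live volume root or a mounted disk image, lists every .bin file under the Mozilla folder and hashes it so the results can be compared against the IoC list in the report. It assumes the folder above is the Windows common application-data directory (ProgramData on Vista and later, Documents and Settings\All Users\Application Data on XP); the function names are hypothetical.

```python
import hashlib
import os
from datetime import datetime, timezone

# Assumption: "All users %AppData%" is the common application-data folder:
# ProgramData on Vista and later, the longer path below on XP/2003.
COMMON_APPDATA = (
    ("ProgramData",),
    ("Documents and Settings", "All Users", "Application Data"),
)

def _child_dir(parent, name):
    """Case-insensitive lookup so a mounted NTFS image also works on Linux."""
    try:
        for entry in os.scandir(parent):
            if entry.name.lower() == name.lower() and entry.is_dir(follow_symlinks=False):
                return entry.path
    except OSError:
        pass  # missing or unreadable directory
    return None

def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_bin_files(volume_root):
    """Return path, size, mtime and SHA-256 of each .bin file under Mozilla."""
    hits, seen = [], set()
    for parts in COMMON_APPDATA:
        folder = volume_root
        for name in parts + ("Mozilla",):
            folder = _child_dir(folder, name) if folder else None
        if not folder:
            continue
        for dirpath, _dirs, files in os.walk(folder):
            for fname in files:
                path = os.path.join(dirpath, fname)
                real = os.path.realpath(path)
                if not fname.lower().endswith(".bin") or real in seen:
                    continue
                seen.add(real)
                try:
                    info = os.stat(path)
                    entry = {"path": path, "size": info.st_size, "sha256": _sha256(path)}
                except OSError:
                    continue  # unreadable, e.g. held open on a live host
                entry["mtime"] = datetime.fromtimestamp(info.st_mtime, timezone.utc).isoformat()
                hits.append(entry)
    return sorted(hits, key=lambda h: h["path"])
```

Pass the drive root on a live host or the mount point of an image; each hit is a lead to check against the report's IoCs rather than a verdict.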

How to avoid infection

As usual, it is essential for a company to have a proper security posture to avoid becoming a victim of such attacks. Companies need to adopt a multi-layered defensive system, keep operating systems and applications updated, and most importantly, train internal staff on cyber threats and the way to avoid them.

Below are some general recommendations provided by Kaspersky:

  • Do not open suspicious emails, especially if they have an attachment;
  • Update your software (in this campaign no 0days were used);
  • Turn on heuristics in your security suites, this way it is more likely that such new samples will be detected and stopped from the beginning.

References

https://securelist.com/blog/research/68732/the-great-bank-robbery-the-carbanak-apt/

http://www.nytimes.com/2015/02/15/world/bank-hackers-steal-millions-via-malware.html

http://threatpost.com/carbanak-ring-steals-1-billion-from-banks/111054

http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2015/02/Carbanak_APT_eng.pdf

http://securityaffairs.co/wordpress/33565/cyber-crime/carbanak-swipes-300m-banks.html
