Recently, I was listening to the podcast “Darknet Diaries,” and they had an episode on a malware campaign called Carbanak that primarily attacked banks. This attack was incredibly intriguing to me because of how organized the campaign was. I almost expected it to be an advertisement for another Ocean's movie. Carbanak used tactics that an organized crime unit would employ to rob a bank. In this installment of Malware Minute, I hope to explain Carbanak and keep this post to a minute-or-two read.
Carbanak was a campaign targeting banks in which the adversary would remove roughly 2.5 to 10 million dollars before abandoning their victims (Kaspersky Lab, n.d.). This malware was not advanced: it used no zero-day exploits and nothing new. It simply exploited already-patched vulnerabilities on machines that had not yet installed the updates that fixed them.
A zero-day exploit targets a vulnerability that is exploited on the same day it is discovered. On day zero no patch has been developed, so malicious actors have a new hole to exploit.
The Carbanak gang responsible for the malware targeted their victims with spear-phishing emails, which are targeted emails that use social engineering to convince someone to click on a link (Trend Micro, 2019). When a user clicked the link in the email, it downloaded a malicious file that created a backdoor on the computer system. Once the backdoor was in place, the Carbanak malware would run various commands such as keystroke logging, taking screenshots and checking the software running on the machine (Trend Micro, 2019). The attackers wanted to move around the network without being detected and tried to familiarize themselves with the victims' normal workflow. They moved laterally through the network using remote administration tools; once the systems they were targeting were breached, they would record the victims, learn their normal workflow, and use the information gathered to manipulate bank records and transfer funds (Trend Micro, 2019).
Once the attackers had access to the network, they could transfer money at will. Sometimes they would hire mules to come to the bank at specific intervals and have it dispense thousands of dollars in cash, which the mules would take before leaving. Other times they would have the mules open bank accounts holding odd amounts such as $3.33, then run an update query to put millions of dollars into those accounts, and the henchmen would transfer the money over the SWIFT network to the criminals' accounts.
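The "update query" in the paragraph above is the part a defender can check for: a balance that was changed directly in the database has no posted transaction behind it. The following is an added example, not code from the post or from any bank system it describes. It builds a constructed toy ledger in SQLite (the table names, account ids and amounts are all made up for illustration), posts one legitimate transaction, simulates the kind of unbacked balance edit the post describes, and shows a reconciliation query that flags every account whose cached balance disagrees with the sum of its ledger entries.

```python
import sqlite3

# Constructed schema (not from the page): accounts cache a balance, and the
# ledger holds every posted transaction. Invariant: for every account,
# accounts.balance_cents == SUM(ledger.amount_cents) for that account.
SCHEMA = """
CREATE TABLE accounts (
    account_id    TEXT PRIMARY KEY,
    balance_cents INTEGER NOT NULL
);
CREATE TABLE ledger (
    tx_id        INTEGER PRIMARY KEY,
    account_id   TEXT NOT NULL REFERENCES accounts(account_id),
    amount_cents INTEGER NOT NULL,
    posted_at    TEXT NOT NULL
);
"""


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample accounts and ledger rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("ACC-1001", 333), ("ACC-1002", 500_000), ("ACC-1003", 12_500)],
    )
    conn.executemany(
        "INSERT INTO ledger (account_id, amount_cents, posted_at) VALUES (?, ?, ?)",
        [
            ("ACC-1001", 333, "2019-01-02T09:00:00Z"),       # the odd $3.33 opening deposit
            ("ACC-1002", 600_000, "2019-01-02T09:05:00Z"),
            ("ACC-1002", -100_000, "2019-01-03T14:30:00Z"),
            ("ACC-1003", 12_500, "2019-01-04T11:00:00Z"),
        ],
    )
    conn.commit()
    return conn


def post_transaction(conn: sqlite3.Connection, account_id: str,
                     amount_cents: int, posted_at: str) -> None:
    """The legitimate path: a ledger row and the balance change land in one transaction."""
    with conn:
        conn.execute(
            "INSERT INTO ledger (account_id, amount_cents, posted_at) VALUES (?, ?, ?)",
            (account_id, amount_cents, posted_at),
        )
        conn.execute(
            "UPDATE accounts SET balance_cents = balance_cents + ? WHERE account_id = ?",
            (amount_cents, account_id),
        )


def simulate_unbacked_balance_edit(conn: sqlite3.Connection, account_id: str,
                                   new_balance_cents: int) -> None:
    """Constructed test fixture: the direct balance update the post describes,
    with no ledger entry behind it. Exists only so the check below has something to catch."""
    with conn:
        conn.execute(
            "UPDATE accounts SET balance_cents = ? WHERE account_id = ?",
            (new_balance_cents, account_id),
        )


def find_unreconciled_accounts(conn: sqlite3.Connection) -> list[tuple[str, int, int]]:
    """Return (account_id, cached_balance, ledger_sum) for every account whose
    cached balance does not equal the sum of its posted ledger entries.
    Accounts with no ledger rows reconcile against zero."""
    rows = conn.execute(
        """
        SELECT a.account_id,
               a.balance_cents,
               COALESCE(SUM(l.amount_cents), 0) AS ledger_sum
        FROM accounts a
        LEFT JOIN ledger l ON l.account_id = a.account_id
        GROUP BY a.account_id, a.balance_cents
        HAVING a.balance_cents != COALESCE(SUM(l.amount_cents), 0)
        ORDER BY a.account_id
        """
    ).fetchall()
    return [(account_id, balance, ledger_sum) for account_id, balance, ledger_sum in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("clean ledger:", find_unreconciled_accounts(db))
    post_transaction(db, "ACC-1003", -2_500, "2019-01-05T08:00:00Z")
    print("after a legitimate posting:", find_unreconciled_accounts(db))
    simulate_unbacked_balance_edit(db, "ACC-1001", 100_000_000)   # $1,000,000.00 from nowhere
    print("after an unbacked balance edit:", find_unreconciled_accounts(db))
```

A check like this only works if it runs from a separate, read-only reconciliation account against a copy of the data the attacker cannot also rewrite, and if it is scheduled more often than the window in which the mules cash out; a daily batch would have missed transfers that completed within hours.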
Kaspersky Lab points out that the initial targets were Russian banks, but over time more countries became targets, including the United States (Kaspersky Lab, n.d.). In March 2018 the leader of the gang was arrested in Spain, but the attacks persist and continue to evolve.
This attack is proof of the importance of updating software. The compromises in 2016 could have been prevented if the banks had applied the updates for vulnerabilities that Microsoft had found and fixed in 2012 (Trend Micro, 2019). Phishing emails were also used to infect the network initially, so proper social engineering training is crucial to prevent this type of attack: employees should know not to open suspicious emails and to check the sender's email address to ensure it belongs to the correct domain.
Carbanak APT. (n.d.). Kaspersky Lab. Retrieved April 3, 2019, from https://usa.kaspersky.com/resource-center/threats/carbanak-apt
Carbanak Threat Details and Protection Using Trend Micro Products. (2019). Trend Micro. Retrieved April 3, 2019, from https://success.trendmicro.com/solution/1107858-carbanak-threat-details-and-protection-using-trend-micro-products#