Carbanak malware returned in ransomware attacks

Pierluigi Paganini December 26, 2023

Researchers at NCC Group reported that in November they observed the return of the infamous banking malware Carbanak in ransomware attacks.

The cybersecurity firm NCC Group reported that in November the banking malware Carbanak was observed in ransomware attacks.

The Carbanak gang was first discovered by Kaspersky Lab in 2015, the group has stolen at least $300 million from 100 financial institutions.

The Carbanak malware has been active since at least 2014 and has been used by ransomware gangs to infiltrate financial systems. The threat actors used sophisticated phishing techniques against bank employees. The malware was used to gain initial access to the target networks through human-operated activity and take control of payment processing services.

“Carbanak’s popularity had fallen until November, but last month’s use of the malware returned, having evolved over recent years. The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness.” reads the report published by NCC Group. “Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software. Imposters in November included the CRM platform HubSpot, data management software Veeam, and account tool Xero.”

The experts observed a new attack chain adopted by the Carbanak threat actor. The malware has been distributed through compromised websites that impersonate various business-related software, including HubSpot, Veeam, and the account tool Xero.

NCC Group reported that the ransomware attacks in November rose 67% from 2022, while the number of ransomware infections increased by up to 30% from October.

The most targeted sectors are Industrials (33%), Consumer Cyclicals (18%), and Healthcare (11%). The top targeted regions are North America (50%), Europe (30%), and Asia (10%). In November, the LockBit ransomware gang was the most active threat actor.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

you might also like

leave a comment