Pierluigi Paganini May 25, 2015

A security researcher at Trend Micro discovered that the malware used by the Carbanak cybergang is using a C&C server linked to the Russian FSB.

Maxim Goncharov, security expert at Trend Micro, revealed that one of the most sophisticated malware used by the popular gang Carbanak is now pointing to Russia’s Federal Security Service (FSB).

The Carbanak Cybergang is the criminal gang that swiped over $1 Billion from banks worldwide, the experts discovered that the hackers hit more than 100 institutions in 30 countries, the attacks started in 2013 and may still be ongoing.

Goncharov discovered that the Carbanak trojan’s command and control servers are now pointing to the FSB. A few days ago, I received the same information from the malware researcher at RedSocks Niels Groeneveld that also noticed the thing.

There are several plausible explanations for this, one of them is that malware authors wanted to mock the Russian secret services.

“Yesterday, while checking the indicator of compromise (IOC) data from the Carbanak report, when I noticed that the domain name systemsvc.net (which was identified as a C&C server in the report) now resolves to the IP address 213.24.76.23. When I checked for related information, I found that the said IP is under ASN AS8342 RTCOMM-AS OJSC RTComm.RU and its identified location is Moscow City – Moscow – Federal Security Service Of Russian Federation.” Goncharov reveals in a blog post. “I still do not know why it happened; I do not really think that FSB Russia would point the Carbanak-related domain name to an IP address which is affiliated with Russian Federal Security Service.” “It is also possible that the owner of the domain had done this as a prank.”

The attack technique adopted by the Carbanak cybergang is composed of the following phases:

• The attackers used malicious code to find the employees who were in charge of cash transfer systems or ATMs and to gather information on the internal systems of the banks.
• In a second phase of the attacks, the hackers installed a remote access tool (RAT) on the machines of those employees. Once they had infected the computers of the personnel in charge of cash transfer systems or ATMs, the attackers collected snapshots of the victims’ screens and studied their daily activities in the bank.
• In the last phase of the attack, the hackers were able to remotely control the ATMs to dispense money or transfer money to fake accounts.

Experts at Kaspersky that discovered the Carbanak cybergang described the campaign as probably the “most sophisticated attack the world has seen”, due to its very low profile and high impact.

If the campaign was state sponsored, would it be possible that the redirection of C&C domain to the FSB website, is a red herring meant to distract attention from a possible involvement of the Russian Government?

Goncharov promised to update us on its investigation.

Stay Tuned …

Pierluigi Paganini

(Security Affairs – Carbanak Gang, cybercrime)