Carbanak trojan reloaded! A new variant spotted in the wild

The CSIS Security Group has spotted a new version of the notorious Carbanak Trojan in the wild targeting financial organizations in Europe and US.

Do you remember the Carbanak gang? In February, researchers from Kaspersky discovered that a multinational gang of hackers dubbed Carbanak that swiped 1 Billion dollars from 100 financial institutions across 30 countries, most of the victims were located in Russia, US, Germany, China and Ukraine.

Last week the CSIS Security Group discovered that the Carbanak malware is still being used in spear phishing attacks against major organizations in UE and Europe.

“Just recently, CSIS carried out a forensic analysis involving a Microsoft Windows client that was compromised in an attempt to conduct fraudulent online banking transactions. As part of the forensic task, we managed to isolate a signed binary, which we later identified as a new Carbanak sample. ” states a blog post published by the CSIS.

“We speculate that the main purpose of this company is to receive money from fraudulent transactions. As stated in the Kaspersky report, Carbanak-related transfers are rather huge. Possibly, they have registered a company and opened bank accounts in order to receive their stolen money while having full control of the transferring process,”

The experts noticed that binaries used by the recently discovered Carbanak instance are similar to the previous versions, apart for a number of improvement. The new binaries use mutexes and random files, meanwhile the communication with the C&C server relies on a proprietary protocol.

“We have observed at least four different new variants of Carbanak targeting key financial personnel in large international corporations.”

The new Carbanak trojan relies on predefined IP addresses instead of domains, in order to improve the evasion capability, its code is signed with a digital certificate issued by Comodo to a Russia-based wholesale company.

One of the new samples analyzed by the researchers was communicating with a C&C server hosted on a bulletproof hosting company.

The CSIS reported the following list of differences between these new variants and the previously observed Carbanak:
–    new geographical targets
–    a new proprietary protocol
–    the use of random files (i. e. main component is static) and mutexes
–    predefined IP address (previous variants were using domains)

The experts at CSIS defined the Carbanak gang a financial APT due to the targeted attacks it carried out.

Pierluigi Paganini

(Security Affairs – malware, Carbanak cybergang)