Carbanak Group targets entities in Middle East and US with new TTPs

Proofpoint has collected evidence of new Carbanak group campaigns.The hackers are targeting banks in the Middle East, the United States and other countries.

Security researchers at Proofpoint firm sustain to have collected evidence of new Carbanak group campaigns. This time the hackers are targeting banks in the Middle East, the United States and other countries.

Last year, Kaspersky investigated a number of cyber attacks on 29 Russian organizations, the researchers believe that these attacks have been coordinated by Carbanak and two other criminal gangs dubbed “Metel” and “GCMAN,” that adopted similar hacking techniques.

In September 2015, security experts at CSIS discovered that the Carbanak malware was still being used in spear phishing attacks against major organizations in UE and Europe.

“Just recently, CSIS carried out a forensic analysis involving a Microsoft Windows client that was compromised in an attempt to conduct fraudulent online banking transactions. As part of the forensic task, we managed to isolate a signed binary, which we later identified as a new Carbanak sample. ” wrote the CSIS in a blog post published by the CSIS.

“We speculate that the main purpose of this company is to receive money from fraudulent transactions. As stated in the Kaspersky report, Carbanak-related transfers are rather huge. Possibly, they have registered a company and opened bank accounts in order to receive their stolen money while having full control of the transferring process,”

Last month, Experts at Kaspersky Lab discovered that Carbanak cybergang is back and other groups are adopting similar APT-style techniques to steal money.

The new Carbanak trojan was relying on predefined IP addresses instead of domains and in order to improve the evasion capability its code was signed with a digital certificate issued by Comodo to a Russia-based wholesale company.

Kaspersky confirmed that the Carbanak gang (also called Carbanak 2.0 by Kaspersky) was behind the attacks spotted by CSIS and revealed that the group is now targeting also the budgeting and accounting departments of various types of organizations, a including financial institution, and a telecoms company.

The group that targeted a Russian bank used a strain of malware known as Metel (aka Corkow) to compromise banks’ networks via spear-phishing emails.

This week, researchers at Proofpoint revealed to have spotted new campaigns targeting Middle Eastern countries, including United Arab Emirates, Kuwait, Lebanon and Yemen. The new campaign it targeting high-level executives and , directors, and operations managers at banks and enterprise software firms

The Carbanak Group seems to be targeting high-level executives, directors, senior managers, and regional and operations managers at banks, financial organizations, companies selling enterprise software, and professional services companies.

The hackers launched spear phishing attacks against victims, the email messages contain a URL that points to a malicious document designed to trigger an old Office vulnerability (CVE-2015-2545) to serve a malware downloader used to drop the Carbanak payload, aka Spy.Sekur.

In other cases, the attackers of the Carbanak Group have sent malicious emails containing links to the Java-based remote access Trojan jRAT.

” Recently, we detected Carbanak campaigns attempting to:

• Target high level executives in financial companies or in financial/decision-making roles in the Middle East, U.S. and Europe
• Spear-phishing emails delivering URLs, macro documents, exploit documents
• Use of Spy.Sekur (Carbanak malware) and commodity remote access Trojans (RATs) such as jRAT, Netwire, Cybergate and others used in support of operations.” states the report published by Proofpoint.

Experts also analyzed another campaign targeting employees of US- and Europe-based companies in the financial industry, mass media, and other seemingly unrelated targets in fire, safety, air conditioning and heating. .

“Unlike the March 1st campaign, which contained links to exploit documents, this campaign employed documents attached to email messages. The two observed documents “remitter request_2016-03-05-122839.doc” and “Reverse debit posted in Error 040316.doc” use macros to download the final Spy.Sekur payload from hxxp://154.16.138[.]74/sexit.exe”

In this second campaign, hackers leveraged on emails containing Word documents which embedded malicious macros.

“Unlike the March 1st campaign, which contained links to exploit documents, this campaign employed documents attached to email messages. The two observed documents “remitter request_2016-03-05-122839.doc” and “Reverse debit posted in Error 040316.doc” use macros to download the final Spy.Sekur payload from hxxp://154.16.138[.]74/sexit.exe” states the report.

The analysis of the information gathered during the investigation allowed the experts to discover most attacks targeted organizations in the United States (17.7 percent), followed by Oman, Australia, UAE, Kuwait, Pakistan, the Netherlands and Germany.

The researchers have uncovered links between Carbanak activity and other threats such as Cybergate, DarkComet and the MorphineRAT.

This last wave of attacks is very interesting because the group used new exploits, macro documents, and RATs to compromise non-Russian targets. The group is also expanding the scope of the attacks targeting companies and organizations in a various industries.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Carbanak group, hacking)

[adrotate banner=”13″]