Carbanak gang makes the headlines again, hackers refined intrusion tactics

Pierluigi Paganini May 04, 2017

The notorious cyber crime gang Carbanak is back, still refining its techniques and tactics and developing new tools for its attacks.

According to a new analysis conducted by the security firm Trustwave, the group has refined its intrusion strategy and added new tools to its arsenal.

The Carbanak gang was first discovered by Kaspersky Lab in 2015. The group has stolen at least $300 million from 100 financial institutions.

In early 2016, the Carbanak gang targeted banks and financial institutions, mainly in the US and the Middle East.

In November last year, experts at Trustwave uncovered a new campaign launched by the group targeting organizations in the hospitality sector.

In January, the Carbanak gang started using Google services for command and control (C&C) communication.

The crooks used the “ggldr” script to send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services.

The hackers created a unique Google Sheets spreadsheet for each infected user in an attempt to avoid detection.

Back to the present: researchers at Trustwave observed the group using new social engineering techniques. The hackers send a malicious Word or RTF document to employees of organizations in the hospitality sector, then call to ask whether the document was opened, and follow up with another call 30 minutes later.

The callers claim that the sender had problems with the online ordering system, or that the document concerns a lawsuit over a member of their party getting sick after a meal at one of the targeted organization’s restaurants.

“This social engineering scam is augmented with a personal phone call from the attacker, encouraging the intended victim to open the email attachment and click inside it. The attacker then calls back 30 minutes later to check if the document was opened and hangs up as soon as the employee says yes.” reads the analysis from Trustwave.

The researchers analyzed one of the infected RTF documents used by the hackers; it dropped two VBS files and one PS1 file onto the targeted system. The malware gains persistence with a scheduled task that runs the main malware file every 25 minutes.
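A scheduled task that re-runs a script every 25 minutes is a concrete, loggable artifact, and it is worth showing how a defender would hunt for that shape. The following is an added example written for this post (it is not Trustwave's tooling or anything from the Carbanak campaign): it inspects Windows Task Scheduler XML, as found in the TaskContent field of Security event 4698 or in `schtasks /query /xml` output, and flags tasks that repeat at short intervals and launch a script host or a payload from a temp or user-writable directory. Both task definitions, and every file name and path in them, are constructed for illustration.

```python
"""Flag scheduled tasks that re-run a script host at short intervals.

Added example for this post (not Trustwave's or Carbanak's code). It
inspects Windows Task Scheduler XML, such as the TaskContent field of
Security event 4698 or the output of `schtasks /query /xml`, and flags
tasks that repeat every 30 minutes or less and launch a script host or a
payload from a temp or user-writable location. The two task definitions
below are constructed; their file names and paths are made up.
"""
import re
import xml.etree.ElementTree as ET

# Default namespace used by Task Scheduler XML.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
SUSPECT_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\",
                "\\appdata\\roaming\\", "\\users\\public\\")

# Constructed: a task in the shape the post describes, re-running a VBS
# file from C:\Windows\Temp every 25 minutes.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT25M</Interval></Repetition>
      <StartBoundary>2017-05-01T08:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "C:\Windows\Temp\example_main.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed: an ordinary vendor updater that runs hourly from Program Files.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2017-05-01T08:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>"C:\Program Files\ExampleVendor\updater.exe"</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""


def iso_minutes(duration):
    """Convert an ISO-8601 duration such as PT25M or PT1H30M to minutes."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration.strip())
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def analyze_task(task_xml, max_interval_min=30):
    """Return the findings for one task definition plus an overall verdict."""
    root = ET.fromstring(task_xml)
    findings = []

    intervals = [iso_minutes(e.text or "")
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    shortest = min((i for i in intervals if i is not None), default=None)
    if shortest is not None and shortest <= max_interval_min:
        findings.append(f"repeats every {shortest:g} minutes")

    for exec_el in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exec_el.findtext("t:Command", default="", namespaces=NS).strip('" ').lower()
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS).lower()
        binary = cmd.rsplit("\\", 1)[-1]
        if binary in SCRIPT_HOSTS:
            findings.append(f"launches script host {binary}")
        if any(d in cmd or d in args for d in SUSPECT_DIRS):
            findings.append("references a temp or user-writable path")

    # A short interval alone is common for legitimate tasks; it becomes
    # interesting when paired with a script host or a temp-path payload.
    suspicious = len(findings) >= 2 and any(f.startswith("repeats") for f in findings)
    return {"findings": findings, "suspicious": suspicious}


if __name__ == "__main__":
    for name, xml_text in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        print(name, analyze_task(xml_text))
```

The verdict deliberately requires the short interval to co-occur with a second indicator, because plenty of legitimate software schedules frequent runs; on a real estate the interval threshold and the directory list should be tuned to what is normal for the environment.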

The researchers also observed the C&C malware creator script dropping additional malware and support files in a different folder, including another PS1 file, four more VBS scripts, and INI and TXT files.

The experts discovered that the INI file was used to issue commands to the compromised machine and to reflect the status of previous commands.

“The INI processing script parses and processes the contents of the INI file, providing the following commands:”

  • Screenshot (save screenshot as screenshot.png)
  • Runvbs
  • Runexe
  • Runps
  • Update
  • Delete

Below is the information the malware sends back to the C&C:

  • OS Name, Version, Service Pack, OS Manufacturer, Windows Directory, Locale
  • Available Physical Memory, Total Virtual Memory, Available Virtual Memory
  • OS Name, System Name, System Manufacturer, System Model, Time Zone
  • Total Physical Memory, Processor System Type, Processor, BIOS Version
  • Microsoft Office Apps, Computer name, Domain, User name

The attackers no longer use user accounts and passwords for lateral movement. Unlike previous campaigns, in which Carbanak hackers leveraged Mimikatz or another credential stealer, the malware bypasses authentication on the remote system and uses SMB commands (including TreeConnect and Open/Write AndX) to locate vulnerable hosts and compromise them.

“Instead, the malware bypasses authentication on the remote system and uses SMB commands (including TreeConnect and Open/Write AndX) to locate a vulnerable host by checking the ability to write data to the C:\Windows\Temp folder on a potential victim system.” reads the analysis.
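The write-probe described above leaves a footprint on the target side: a remote write to C:\Windows\Temp normally goes through the ADMIN$ administrative share, which maps to the Windows directory, so with object access auditing enabled it appears in Windows Security event 5145 (detailed file share access) with the share name and the relative path under Windows\Temp. The following is an added example for this post, not Trustwave's detection content, that groups such writes by source address and reports any source that wrote to more than one host, which is the shape a probe sweeping for writable hosts would take. The event records, host names, addresses and account names are all constructed.

```python
r"""Spot a host probing other machines' C:\Windows\Temp over SMB.

Added example for this post, not Trustwave's detection content. A remote
write to C:\Windows\Temp normally goes through the ADMIN$ share (which
maps to the Windows directory), so it appears in Windows Security event
5145 (detailed file share access) with ShareName \\*\ADMIN$ and a
RelativeTargetName under Windows\Temp. The function groups such writes by
source address and reports sources that touched more than one host, the
shape of the write-probe the analysis describes. The events below are
constructed; host names, addresses and account names are made up.
"""
from collections import defaultdict

# Generic access bits that imply a write: FILE_WRITE_DATA, FILE_APPEND_DATA,
# FILE_WRITE_EA, FILE_WRITE_ATTRIBUTES.
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x100

# Constructed 5145-style records, one dict per event.
SAMPLE_EVENTS = [
    {"Computer": "FS01", "IpAddress": "10.0.0.5", "SubjectUserName": "svc-backup",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"Windows\Temp\probe.tmp", "AccessMask": "0x2"},
    {"Computer": "FS02", "IpAddress": "10.0.0.5", "SubjectUserName": "svc-backup",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"Windows\Temp\probe.tmp", "AccessMask": "0x6"},
    # Read-only access to the same path: not a write probe.
    {"Computer": "FS03", "IpAddress": "10.0.0.5", "SubjectUserName": "svc-backup",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"Windows\Temp\probe.tmp", "AccessMask": "0x1"},
    # Ordinary user activity on a different share.
    {"Computer": "FS01", "IpAddress": "10.0.0.9", "SubjectUserName": "alice",
     "ShareName": r"\\*\C$", "RelativeTargetName": r"Users\alice\report.docx", "AccessMask": "0x2"},
    # A single admin write to one host: below the multi-host threshold.
    {"Computer": "WS07", "IpAddress": "10.0.0.9", "SubjectUserName": "alice",
     "ShareName": r"\\*\ADMIN$", "RelativeTargetName": r"Windows\Temp\install.log", "AccessMask": "0x2"},
]


def is_admin_temp_write(event):
    """True if the event is a write under Windows\\Temp via the ADMIN$ share."""
    share = event.get("ShareName", "").upper()
    target = event.get("RelativeTargetName", "").replace("/", "\\").lower()
    try:
        mask = int(event.get("AccessMask", "0"), 16)
    except ValueError:
        return False
    return (share.endswith("\\ADMIN$")
            and target.startswith("windows\\temp\\")
            and bool(mask & WRITE_BITS))


def find_probing_sources(events, min_hosts=2):
    """Map each source address to the hosts whose Windows\\Temp it wrote to,
    keeping only sources that hit at least min_hosts distinct machines."""
    hosts_by_source = defaultdict(set)
    for event in events:
        if is_admin_temp_write(event):
            hosts_by_source[event["IpAddress"]].add(event["Computer"])
    return {src: sorted(hosts) for src, hosts in hosts_by_source.items()
            if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for src, hosts in find_probing_sources(SAMPLE_EVENTS).items():
        print(f"{src} wrote to Windows\\Temp on {len(hosts)} hosts: {', '.join(hosts)}")
```

A software deployment server legitimately writes to many hosts' Windows\Temp, so in practice the result is correlated with the account and the expected management hosts before it becomes an alert; the read-only record (AccessMask 0x1) is ignored on purpose, since the point of the probe is the ability to write.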

Trustwave also reported that the Carbanak malware authors used several techniques to hide the activity of the malicious code.

Below is a list of suggestions from Trustwave experts for organizations that need to protect their systems from Carbanak attacks.

  • Regular security awareness training for all employees, paying particular attention to spear phishing.
  • Spear phishing exercises where employees are sent a ‘phishing’ email that points to a site controlled by IT (Trustwave SpiderLabs also offers this service).
  • An email server or appliance that can assist with malware detection, such as scanning incoming email attachments for base64 strings.
  • Macros disabled by default on all Office applications (although a user can still re-enable them).
  • A SIEM or other log-and-event aggregation system that allows aggregated network traffic to be examined by an expert security team before, during, and after an attack.
  • Ensuring that IDS rules are able to detect metasploit modules.
  • Threat intelligence driven software restriction policies, such as preventing program execution from C:\Windows\Temp.
  • Whitelist PowerShell scripts and VBS scripts used by the organization and blacklist all others.
  • Continuous DNS monitoring with threshold alerts for systems issuing excessive DNS queries in a given period of time.
  • Restrict DNS traffic so that internal systems are only able to query your DNS servers.
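The DNS recommendation in the list above is easy to state and less obvious to implement, so here is an added example written for this post (not Trustwave's tooling) of a threshold alert over resolver query records. It reads lines in a simple constructed format (timestamp, client address, query name, query type), keeps a sliding window of query times per client, and raises one alert per client the first time its query count inside the window exceeds the threshold. The log lines and addresses are constructed.

```python
"""Alert on hosts issuing an excessive number of DNS queries in a time window.

Added example for this post, illustrating the "continuous DNS monitoring
with threshold alerts" recommendation; it is not Trustwave's tooling. It
reads resolver query records in a simple constructed format
(timestamp, client address, query name, query type), keeps a sliding
window of query times per client, and raises one alert per client the
first time its query count in the window exceeds the threshold. The log
lines and addresses below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed resolver log: 10.0.0.5 fires a burst of queries in ~12 seconds,
# 10.0.0.7 behaves like a normal workstation.
SAMPLE_LOG = """\
2017-05-04T10:00:00 10.0.0.7 intranet.corp.example A
2017-05-04T10:00:01 10.0.0.5 a1.cdn.example A
2017-05-04T10:00:03 10.0.0.5 a2.cdn.example A
2017-05-04T10:00:05 10.0.0.5 a3.cdn.example A
2017-05-04T10:00:07 10.0.0.5 a4.cdn.example A
2017-05-04T10:00:09 10.0.0.5 a5.cdn.example A
2017-05-04T10:00:11 10.0.0.5 a6.cdn.example A
2017-05-04T10:00:13 10.0.0.5 a7.cdn.example A
2017-05-04T10:02:00 10.0.0.7 mail.corp.example MX
2017-05-04T10:04:00 10.0.0.7 www.corp.example A
""".splitlines()


def parse_line(line):
    """Split one constructed log line into (timestamp, client, qname, qtype)."""
    ts, client, qname, qtype = line.split()
    return datetime.fromisoformat(ts), client, qname, qtype


def find_excessive_queriers(lines, threshold=5, window_seconds=60):
    """Return {client: (alert_time, queries_in_window)} for every client that
    exceeded `threshold` queries within any `window_seconds` span.

    Lines are assumed to be in chronological order, as a resolver writes them.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, client, _qname, _qtype = parse_line(line)
        times = recent[client]
        times.append(ts)
        while times and ts - times[0] > window:   # expire entries older than the window
            times.popleft()
        if len(times) > threshold and client not in alerts:
            alerts[client] = (ts, len(times))
    return alerts


if __name__ == "__main__":
    for client, (when, count) in find_excessive_queriers(SAMPLE_LOG).items():
        print(f"{when.isoformat()} {client}: {count} queries within the window")
```

The threshold of five queries per minute is only for the constructed sample; a real baseline is taken per host class from a few days of resolver logs, and the same sliding-window structure can be fed from a log tail instead of a list so it runs continuously.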

Pierluigi Paganini

(Security Affairs – cybercrime, Carbanak cybergang)
