• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

 | 

Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

 | 

Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

 | 

Koske, a new AI-Generated Linux malware appears in the threat landscape

 | 

Mitel patches critical MiVoice MX-ONE Auth bypass flaw

 | 

Coyote malware is first-ever malware abusing Windows UI Automation

 | 

SonicWall fixed critical flaw in SMA 100 devices exploited in Overstep malware attacks

 | 

DSPM & AI Are Booming: $17.87B and $4.8T Markets by 2033

 | 

Stealth backdoor found in WordPress mu-Plugins folder

 | 

U.S. CISA adds CrushFTP, Google Chromium, and SysAid flaws to its Known Exploited Vulnerabilities catalog

 | 

U.S. CISA urges FCEB agencies to fix two Microsoft SharePoint flaws immediately and added them to its Known Exploited Vulnerabilities catalog

 | 

Sophos fixed two critical Sophos Firewall vulnerabilities

 | 

French Authorities confirm XSS.is admin arrested in Ukraine

 | 

Microsoft linked attacks on SharePoint flaws to China-nexus actors

 | 

Cisco confirms active exploitation of ISE and ISE-PIC flaws

 | 

SharePoint under fire: new ToolShell attacks target enterprises

 | 

CrushFTP zero-day actively exploited at least since July 18

 | 

Hardcoded credentials found in HPE Aruba Instant On Wi-Fi devices

 | 

MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

 | 

U.S. CISA urges to immediately patch Microsoft SharePoint flaw adding it to its Known Exploited Vulnerabilities catalog

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Cyber Crime
  • Malware
  • Why Carbanak C&C points to Russia Federal Security Service?

Why Carbanak C&C points to Russia Federal Security Service?

Pierluigi Paganini May 25, 2015

A security researcher at Trend Micro discovered that the malware used by the Carbanak cybergang is using a C&C server linked to the Russian FSB.

Maxim Goncharov, security expert at Trend Micro, revealed that one of the most sophisticated malware used by the popular gang Carbanak is now pointing to Russia’s Federal Security Service (FSB).

The Carbanak Cybergang is the criminal gang that swiped over $1 Billion from banks worldwide, the experts discovered that the hackers hit more than 100 institutions in 30 countries, the attacks started in 2013 and may still be ongoing.

Goncharov discovered that the Carbanak trojan’s command and control servers are now pointing to the FSB. A few days ago, I received the same information from the malware researcher at RedSocks Niels Groeneveld that also noticed the thing.

There are several plausible explanations for this, one of them is that malware authors wanted to mock the Russian secret services.

Carbanak cybergang NYT

 

“Yesterday, while checking the indicator of compromise (IOC) data from the Carbanak report, when I noticed that the domain name systemsvc.net (which was identified as a C&C server in the report) now resolves to the IP address 213.24.76.23. When I checked for related information, I found that the said IP is under ASN AS8342 RTCOMM-AS OJSC RTComm.RU and its identified location is Moscow City – Moscow – Federal Security Service Of Russian Federation.” Goncharov reveals in a blog post. “I still do not know why it happened; I do not really think that FSB Russia would point the Carbanak-related domain name to an IP address which is affiliated with Russian Federal Security Service.” “It is also possible that the owner of the domain had done this as a prank.”

carabanak C2

carbanak 23

The attack technique adopted by the Carbanak cybergang is composed of the following phases:

  • The attackers used malicious code to find the employees who were in charge of cash transfer systems or ATMs and to gather information on the internal systems of the banks.
  • In a second phase of the attacks, the hackers installed a remote access tool (RAT) on the machines of those employees. Once they had infected the computers of the personnel in charge of cash transfer systems or ATMs, the attackers collected snapshots of the victims’ screens and studied their daily activities in the bank.
  • In the last phase of the attack, the hackers were able to remotely control the ATMs to dispense money or transfer money to fake accounts.

Experts at Kaspersky that discovered the Carbanak cybergang described the campaign as probably the “most sophisticated attack the world has seen”, due to its very low profile and high impact.

If the campaign was state sponsored, would it be possible that the redirection of C&C domain to the FSB website, is a red herring meant to distract attention from a possible involvement of the Russian Government?

Goncharov promised to update us on its investigation.

Stay Tuned …

Pierluigi Paganini

(Security Affairs – Carbanak Gang, cybercrime)


facebook linkedin twitter

Carbanak Gang Cybercrime FSB malware Russia's Federal Security Service Trend Micro

you might also like

Pierluigi Paganini July 26, 2025
Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme
Read more
Pierluigi Paganini July 25, 2025
Operation CargoTalon targets Russia’s aerospace with EAGLET malware,
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Arizona woman sentenced for aiding North Korea in U.S. IT job fraud scheme

    Intelligence / July 26, 2025

    Operation CargoTalon targets Russia’s aerospace with EAGLET malware,

    Intelligence / July 25, 2025

    Unpatched flaw in EoL LG LNV5110R cameras lets hackers gain Admin access

    Security / July 25, 2025

    Koske, a new AI-Generated Linux malware appears in the threat landscape

    Malware / July 25, 2025

    Mitel patches critical MiVoice MX-ONE Auth bypass flaw

    Security / July 25, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT