{"id":15100,"date":"2015-09-18T15:23:56","date_gmt":"2015-09-18T15:23:56","guid":{"rendered":"https:\/\/kasperskydaily.com\/b2b\/?p=4539"},"modified":"2020-02-26T18:55:56","modified_gmt":"2020-02-26T16:55:56","slug":"carbanak-evolved-new-versions-are-detected","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.za\/blog\/carbanak-evolved-new-versions-are-detected\/15100\/","title":{"rendered":"Carbanak evolved: new versions are detected"},"content":{"rendered":"<p>New variants of the \u201clegendary\u201d banking Trojan Carbanak are making the rounds on the Web, so far noticed in Europe and the United States. Now it has a \u201cproprietary communications protocol\u201d, and the samples seen so far have been digitally signed, Threatpost <a href=\"https:\/\/threatpost.com\/new-versions-of-carbanak-banking-malware-seen-hitting-targets-in-u-s-and-europe\/114522\/\" target=\"_blank\" rel=\"noopener nofollow\">reported<\/a> earlier this month.<\/p>\n<p><strong>Great robbery<\/strong><\/p>\n<p>Upon its discovery earlier this year, Carbanak had been dubbed the first ever purely criminal APT. It was (and is) an ultra-massive money-stealing campaign directly targeting banks. Total losses amounted to $1 billion in February. 
And if we assume that the campaign is still active, the losses may be considerably larger.<\/p>\n<p>By far it is the most successful criminal cyber campaign we have seen.<\/p>\n<p>Detailed descriptions of the campaign are available <a href=\"https:\/\/business.kaspersky.com\/the-great-bank-robbery-carbanak-apt\/3598\/\" target=\"_blank\" rel=\"noopener nofollow\">in our February post<\/a> and on <a href=\"https:\/\/securelist.com\/blog\/research\/68732\/the-great-bank-robbery-the-carbanak-apt\/\" target=\"_blank\" rel=\"noopener\">Securelist<\/a>. For now, we\u2019ve updated a couple of details:<\/p>\n<p>1. Carbanak targets banks directly: bank employees are \u201cserved\u201d with phishing emails, through which a backdoor is installed; the attackers then search for \u201crelevant\u201d computers, such as those of administrators, to compromise and extract money.<\/p>\n<p>2. Manual action is also present. The attackers explored the banks\u2019 infrastructure and employed \u201cmoney mules\u201d to collect cash from the compromised ATMs (the mules weren\u2019t required to interact with the ATMs themselves, just to arrive at the right time).<\/p>\n<p>All in all, according to Sergey Golovanov, Principal Security Researcher at Kaspersky Lab\u2019s Global Research and Analysis Team, \u201cThe attackers didn\u2019t even need to hack into the banks\u2019 services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. 
It was a very slick and professional cyber-robbery\u201d.<\/p>\n<p><strong>New menace<\/strong><\/p>\n<p>New versions of Carbanak, discovered recently, are said to have some unique characteristics. The malware injects itself into the svchost.exe process as a way to hide itself; however, the folder in which Carbanak installs itself and the filename it uses are both static.<\/p>\n<p>Carbanak also uses plugins, which are installed via Carbanak\u2019s own protocol; they then communicate with a hardcoded IP address.<\/p>\n<p>The digital signatures on the isolated samples were issued by Comodo to a company in Moscow, Russia.<\/p>\n<p><strong>A proprietary protocol?<\/strong><\/p>\n<p>Carbanak\u2019s own communication protocol is a head-turner, but it\u2019s well in line with the current trends of malware development. Everything that works evolves further. 
And Carbanak definitely worked well enough to keep it in active development.<\/p>\n<p>A few general safety recommendations:<\/p>\n<ul>\n<li>Do not open suspicious emails, especially if they have an attachment;<\/li>\n<li>Update your software regularly in order to avoid falling prey to exploits for already-fixed vulnerabilities.<\/li>\n<\/ul>\n<p>All Kaspersky Lab\u2019s corporate products and solutions detect and block known Carbanak samples.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New variants of  the &#8220;legendary&#8221; banking Trojan Carbanak are making the rounds on the Web, so far noticed in Europe and the United States.<\/p>\n","protected":false},"author":209,"featured_media":15526,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3021],"tags":[734,963,282],"class_list":{"0":"post-15100","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-banking-trojans","10":"tag-carbanak","11":"tag-cybersecurity"},"hreflang":[{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/carbanak-evolved-new-versions-are-detected\/15100\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/carbanak-evolved-new-versions-are-detected\/15100\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/carbanak-evolved-new-versions-are-detected\/15100\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.za\/blog\/tag\/banking-trojans\/","name":"banking 
trojans"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/15100","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/comments?post=15100"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/15100\/revisions"}],"predecessor-version":[{"id":26583,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/posts\/15100\/revisions\/26583"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media\/15526"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/media?parent=15100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/categories?post=15100"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.za\/blog\/wp-json\/wp\/v2\/tags?post=15100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}