'Covert' APT Attacks Pose New Worries
Kaspersky Lab Says Carbanak 2.0, Other Attacks Evade Detection
The banking malware known as Carbanak continues to evolve, and it's now being used for advanced persistent attacks against banks and companies in other sectors, according to security researchers at Kaspersky Lab.
Carbanak 2.0 is Kaspersky's name for the latest version of the malware, which between 2012 and 2014 was reportedly used to help steal $1 billion from banks around the world (see Cybercrime Gang: Fraud Estimates Hit $1B).
Banks and other businesses worldwide should be carefully scanning their networks for the presence of the malware and unusual traffic or activity, says Sergey Golovanov, principal security researcher at security and threat analysis firm Kaspersky Lab.
"Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cybercriminals aggressively embracing APT-style attacks," he says. "The Carbanak gang was just the first of many. Cybercriminals now learn fast how to use new techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly. Their logic is simple: That's where the money is."
New, Advanced Threats
On Feb. 8, Kaspersky Lab reported that the gang behind Carbanak 2.0 and groups behind other emerging malware threats, such as Metel and GCMAN, appear to be using some of the same types of attack methods.
So far, attacks linked to Carbanak 2.0, Metel and GCMAN have only been seen in Russia, Kaspersky notes.
"This evolution demonstrates a worrying trend of cybercriminals aggressively embracing APT-style attacks to target a wide variety of victims and industries," Golovanov says. "Carbanak 2.0 also has a different victim profile, moving beyond banks to target budgeting and accounting departments using the same APT-style tools and techniques."
These new attacks use "covert APT-style reconnaissance and customized malware," Kaspersky Lab notes, "along with legitimate software and new, innovative schemes to cash out."
The Metel attacks, for example, enable hackers to assume control of ATMs and "roll back" fraudulent transactions to evade detection.
"The rollback capability ensures that the balance on debit cards remains the same regardless of the number of ATM transactions undertaken," Kaspersky Lab notes. "In the examples observed to date, the criminal group steals money by driving around cities in Russia at night and emptying ATM machines belonging to a number of banks, repeatedly using the same debit cards issued by the compromised bank. In the space of just one night, they manage to cash out."
Spear-phishing emails with malicious attachments sent to bank employees were used to infect the systems, Kaspersky Lab says. "Once inside the network, the cybercriminals use legitimate and pen-testing tools to move laterally, hijacking the local domain controller and eventually locating and gaining control over computers used by the bank's employees responsible for payment-card processing."
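From the issuing bank's side, the Metel rollback scheme described above leaves a recognizable trace: the same card shows repeated withdrawals that are each reversed even though the ATM reported dispensing cash. The following detection sketch is an added example, not code from Kaspersky Lab or from the original article; the record layout, field names, thresholds and sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data). Assumed fields: time, card,
# kind ("WITHDRAWAL" or "REVERSAL"), amount, ATM owner, and whether the
# ATM side reported that cash was actually dispensed.
T = datetime(2016, 2, 1, 23, 0)
EVENTS = [
    (T,                         "card-A", "WITHDRAWAL", 500, "bank-X", True),
    (T + timedelta(minutes=1),  "card-A", "REVERSAL",   500, "bank-X", True),
    (T + timedelta(minutes=40), "card-A", "WITHDRAWAL", 500, "bank-Y", True),
    (T + timedelta(minutes=41), "card-A", "REVERSAL",   500, "bank-Y", True),
    (T + timedelta(minutes=95), "card-A", "WITHDRAWAL", 500, "bank-Z", True),
    (T + timedelta(minutes=96), "card-A", "REVERSAL",   500, "bank-Z", True),
    # Ordinary customer: one failed dispense reversed, one normal withdrawal.
    (T + timedelta(minutes=5),  "card-B", "WITHDRAWAL", 100, "bank-X", False),
    (T + timedelta(minutes=6),  "card-B", "REVERSAL",   100, "bank-X", False),
    (T + timedelta(minutes=30), "card-B", "WITHDRAWAL", 100, "bank-X", True),
]

def find_rollback_cashouts(events, window=timedelta(hours=12),
                           pair_gap=timedelta(minutes=10), min_pairs=3):
    """Return {card: [(time, amount, atm_owner), ...]} for cards with at
    least min_pairs dispensed-but-reversed withdrawals in one window."""
    pending = defaultdict(list)     # card -> withdrawals not yet reversed
    suspicious = defaultdict(list)  # card -> dispensed, then reversed
    for time, card, kind, amount, owner, dispensed in sorted(events):
        if kind == "WITHDRAWAL":
            pending[card].append((time, amount, owner, dispensed))
        elif kind == "REVERSAL":
            for w in pending[card]:
                if w[1] == amount and w[2] == owner and time - w[0] <= pair_gap:
                    pending[card].remove(w)
                    if w[3]:  # cash left the ATM, yet the debit was undone
                        suspicious[card].append(w[:3])
                    break
    flagged = {}
    for card, hits in suspicious.items():
        # Slide a window over the time-ordered hits for this card.
        for i, first in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - first[0] <= window]
            if len(in_window) >= min_pairs:
                flagged[card] = in_window
                break
    return flagged

if __name__ == "__main__":
    for card, hits in find_rollback_cashouts(EVENTS).items():
        print(card, [(t.isoformat(), amt, owner) for t, amt, owner in hits])
```

A reversal that follows a failed dispense is routine, so the check keys on reversals of withdrawals where cash was reported dispensed, which is why card-B is not flagged.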
And the GCMAN attacks are even more concerning because they do not always involve malware, the firm adds. "Sometimes [the GCMAN gang] can successfully attack an organization without the use of any malware, running legitimate pen-testing tools only," the firm says. "In the cases Kaspersky Lab experts have investigated, we saw GCMAN using Putty, VNC and Meterpreter utilities to move laterally through the network until the attackers reached a machine which could be used to transfer money to e-currency services without alerting other banking systems."
In one case, Kaspersky Lab found that attackers linked to GCMAN were in the network for a year and a half before they actually transferred any funds. What's more, the fraudulent transaction orders flew under the radar because they did not show up anywhere in the bank's internal systems, the researchers point out.
Carbanak attacks disappeared for a short period after February 2015, when they were first reported. In September, however, attacks waged by the same threat actors started to resurface (see Sophisticated Carbanak Banking Malware Returns, With Upgrades).
Peter Kruse, a partner and security specialist at CSIS Security Group, noted in a Sept. 2 blog that four new variants of Carbanak malware had surfaced in the wild at the end of August. "From our analysis, it becomes clear that Carbanak has returned and has been confirmed [to be] targeting large corporations in Europe and in the USA," he wrote.
A year ago, Kaspersky Lab reported that Carbanak, also known as Anunak, had been used to wage ATM jackpotting attacks against leading banks in Russia, the United States and other parts of the world and noted that these attacks contributed greatly to the $1 billion that had been stolen between 2012 and 2014.
What was especially concerning about the Carbanak attacks waged against ATMs is that the malware wasn't found until after banks noticed the money was gone.
This year, Golovanov says the same Carbanak gang is back - with more muscle.
"Cybercriminals are quickly learning how to use APT techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly," he says.
Mitigating the Threats
Owen Wild, a financial services director at ATM manufacturer NCR Corp., says as cybercrime evolves, it becomes more difficult to mitigate the threats.
"In general, we continue to see better sophistication in the criminal environment," he says. "They are better networked and linked together. And there are always increasing challenges with the extent of prosecutions. As in many areas of crime, when one link is taken out, others emerge to replace them."
Wild says banks face a wide range of risk from threats to their internal networks, data centers and transaction endpoints, including ATMs, online banking and mobile banking. "The threats continue at a dramatic pace, and we work closely with our financial institution partners to help them in deployment of endpoint solutions, fraud detection platforms and digital applications to ensure the most secure transaction possible."