Card Not Present Fraud , Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development

Sophisticated Carbanak Banking Malware Returns, With Upgrades

Emerging Shifu Malware Also Spotted Targeting Japan
Sophisticated Carbanak Banking Malware Returns, With Upgrades

The gang behind the Carbanak banking malware, which was tied to at least $1 billion in fraud from 2012 to 2014, appears to be back, wielding new tactics.

See Also: OnDemand | Payments Without Borders: Prevent Fraud and Improve the Customer Experience

Recently, four new variants of Carbanak have been used to target victims in the United States and Europe via spear-phishing attacks, warns Denmark-based CSIS Security Group (see Cybercrime Gang: Fraud Estimates Hit $1 Billion). CSIS says the attacks mark a resurgence of activity from the cybercrime gang, which experts say went quiet after their attack campaigns were described by three different security firms, beginning in December 2014.

Separately, security experts have also spotted a new malware family or variant, dubbed Shifu, that has been tied to attacks against Japanese financial firms. But researchers warn that this malware is already designed to target multiple electronic banking platforms used throughout Europe and could easily be adapted to spread to other parts of the world.

Carbanak Goes Spear Phishing

On the Carbanak front, Peter Kruse, a partner and electronic crime specialist at CSIS, says in a blog post that the Danish security firm spotted the four new variants of the malware at the end of August. "From our analysis, it becomes clear that Carbanak has returned and has been confirmed [to be] targeting large corporations in Europe and in the USA. Attack methods are spear phishing," he writes.

As the use of spear-phishing attacks suggests, Kruse says the variants that CSIS recovered had been used in highly targeted attacks, in this case aimed at stealing banking credentials from businesses. "We have observed at least four different new variants of Carbanak targeting key financial [personnel] in large international corporations."

The attackers, Kruse tells Information Security Media Group, have been "using a .doc attachment exploiting new and older vulnerabilities related to Windows and third-party products." Citing confidentiality agreements between CSIS and its customers, Kruse declined to comment on whether the attacks were successful or precisely where the targets were located.

Back in February, security firm Kaspersky Lab tied the multinational gang behind Carbanak - operating from Russia, Ukraine and China - to a diverse string of malware attacks that compromised everything from ATMs and money-transfer services to retail point-of-sale systems. From 2012 to 2014, the gang stole an estimated $1 billion from as many as 100 banks in up to 30 countries, including the United States, according to the Kaspersky report (see New Details About $1 Billion Crime Ring).

Cybersecurity firms Group-IB and Fox-IT, which referred to that gang as Anunak in a December 2014 report, say the group's core hackers appear to have been the developers behind the Carberp banking Trojan, which emerged in 2010 and has gone through multiple upgrades (see Russian Ring Blamed for Retail Breaches). Earlier this year, Fox-IT and Group-IB reported that from December 2014 through this past February, they had seen a decrease in activity tied to the Carbanak/Anunak gang.

Carbanak Gang Changes Tactics

But the Carbanak gang appears to have returned with a change in tactics, since the group did not previously appear to be using phishing attacks.

"Yes, their tactics seem to have changed," Kruse says. "Their focus is now on bank customers and primarily medium and large companies. The selected targets are hit by spear-phishing attacks." Kruse says the new malware variants also sport some notable upgrades.

One of the Carbanak variants uses a command-and-control server that is hosted by a well-known bulletproof hosting service, Kruse says (see Hacker Havens: The Rise of Bulletproof Hosting Environments).

In addition, while the Carbanak gang has previously signed its malware with stolen digital certificates - to make their attacks more effective - one of the new variants is signed using a legitimate digital certificate issued by certificate authority Comodo, Kruse says. The certificate has been issued in the name of a real, Moscow-based company called Blik, he adds. Kruse contends this is the single most interesting way in which the Carbanak gang has and its malware attacks have evolved since the beginning of the year.

"We speculate that the main purpose of this company is to receive money from fraudulent transactions," he says. "As stated in the Kaspersky report, Carbanak-related transfers are rather huge. Possibly, they have registered a company and opened bank accounts in order to receive their stolen money while having full control of the transferring process."

Shifu Trojan Targets Japan

In other banking malware news, IBM is warning that it has spotted a new banking Trojan that it calls "Shifu" - after the Japanese word for thief - which appears to have been employed in in-the-wild attacks since April.

"Shifu currently targets 14 Japanese banks and select electronic banking platforms used across Europe; however, at this time, only Japan is seeing active attacks," Limor Kessem, an information security researcher at IBM Trusteer, says in a blog post. The malware also appears to be designed to target two electronic banking platforms used in Austria and Germany, and one platform used across Europe, including in Russia.

Kessem says the malware - and its add-on modules - have been built, in part, by reusing leaked source code for other banking Trojans, including Dridex, Gozi, Shiz and Zeus.

But there is some debate among security researchers as to whether the attack code is a new, stand-alone malware family or an upgrade of a previously existing one. "We have not yet confirmed whether Shifu represents a new variant - bearing in mind that the malware reportedly integrates features from multiple types of existing malware - or simply a modified version of existing malware tailored to target electronic banking platforms and Japanese financial institutions," says threat intelligence firm iSight Partners in a research note.

Targets: Credentials, POS Endpoints, Cryptocurrency

Shifu uses a self-signed digital certificate and also secures infected systems using an "anti-virus-type feature" that appears to be designed to keep competing malware from infecting the machine, IBM says. The malware also relays all copies of those suspicious files to the botnet controllers, via the command-and-control servers, likely for further analysis, according to IBM.

The malware then makes a grab for anything that might lead to a payoff for attackers, ranging from online banking credentials, to cryptocurrency wallets, to point-of-sale configuration information, IBM says.

Security experts warn that attackers who wield malware that targets Japanese financial services firms could easily adapt the attack code to target new geographies. "Malware operators often expand their targeting, both geographically and by victim type, after successful operations, which means successful use of this malware would likely result in the operators broadening their scope," iSight Partners says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.