CARBANAK

The Carbanak group is a criminal advanced persistent threat (APT) group whose attacks against dozens (potentially hundreds) of financial institutions worldwide resulted in an estimated $1 billion in losses in the first half of 2014. Depending on the victim, the intrusions are believed to have begun between December 2013 and June 2014. According to Kaspersky Lab, each victim bank lost between $2.5 million and $10 million to the campaign. The victim institutions were located in Russia, the United States, Germany, China and Ukraine; the group may also have begun targeting organizations in Malaysia, Nepal and Kuwait. The vast majority of victims (at least 52) were located in Russia. Overall, the group targeted at least 100 financial organizations at roughly 300 IP addresses in approximately 30 countries, and Kaspersky believes that at least half of them suffered financial loss.
The Carbanak group is particularly significant because it demonstrates how the escalation of sophisticated exploit kits, driven by state-sponsored groups and government agencies, has guided the development of complex and demonstrably effective criminal platforms that can financially harm private organizations and individuals alike. Consider that the Carbanak group stole an estimated $1 billion in less than six months. The loss to the victim institutions, though meager compared to the global economy as a whole, can still cascade into wider economic impacts within and beyond the victim organizations.
Like most APT intrusions, Carbanak attacks began with a spear-phishing campaign. The malicious emails posed as legitimate banking communiqués and carried Microsoft Word (97-2003) documents or Control Panel applet (.CPL) files as attachments. The attachments infected victim systems with a backdoor based on the Carberp malware. Some emails may instead have contained URLs that sent the victim to a landing page which delivered the malware in the background before forwarding the user to a familiar financial site. Analysis of the malicious attachments shows that the attackers exploited vulnerabilities in Microsoft Word 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2014-1761). After successful exploitation, the shellcode decrypts and executes the Carbanak backdoor.

The backdoor then re-installs itself as a copy named "svchost.exe" in "%system32%\com", with the system, hidden and read-only file attributes set, and deletes the initial copy dropped by the exploit. The name imitates the legitimate Windows shared service host, which lives in %system32% itself rather than in a "com" subdirectory. After installation the backdoor connects to its C2 server over HTTP (payloads RC2-encrypted and Base64-encoded) and downloads a file, kldconfig.plug, listing the process names it should monitor. It also sets the TermService service start type to Automatic so that Remote Desktop Protocol (RDP) is available.

The backdoor gave the attackers a foothold on the victim organization's intranet, from which they probed for other vulnerable hosts and specifically for critical financial systems. Typically tens to hundreds of computers were infected before an administrator's system with the necessary access was compromised. If banking applications such as BLIZKO or IFOBS were found, a special notification was sent to the C2 server to tell the adversary that financial systems had been located.
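As an added example (not part of the original profile or of Kaspersky's analysis), the following Python hunt routine checks an endpoint inventory for the three host artifacts just described: a copy of svchost.exe outside its legitimate directories with the system, hidden and read-only attributes set; the kldconfig.plug process-monitor list; and TermService switched to Automatic. The FileRecord/ServiceRecord inventory format, the "teller" user path and all sample records are constructed for illustration; an analyst would feed in whatever EDR or disk-triage export they have.

```python
"""Hunt for Carbanak-style persistence artifacts in an endpoint inventory.

Added illustrative example; the inventory format (FileRecord / ServiceRecord)
and the sample data below are constructed, not taken from a real incident.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

# Directories where a genuine svchost.exe may legitimately live.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# The component store keeps copies one level below WinSxS, e.g.
# c:\windows\winsxs\<component-name>\svchost.exe
WINSXS_DIR_RE = re.compile(r"^c:\\windows\\winsxs\\[^\\]+$")
# Carbanak drops its svchost.exe with all three of these attributes set.
STEALTH_ATTRS = frozenset({"system", "hidden", "readonly"})


@dataclass(frozen=True)
class FileRecord:
    path: str
    attributes: FrozenSet[str]  # hypothetical field: attribute names as strings


@dataclass(frozen=True)
class ServiceRecord:
    name: str
    start_type: str  # "Automatic", "Manual" or "Disabled"


def normalize(path: str) -> str:
    """Lower-case and collapse a Windows path so string comparison is reliable."""
    return ntpath.normpath(path).lower()


def is_masquerading_svchost(path: str) -> bool:
    """True for svchost.exe anywhere other than its legitimate directories.

    %system32%\\com\\svchost.exe is flagged: its parent directory is
    System32\\com, which is not the same directory as System32.
    """
    directory, name = ntpath.split(normalize(path))
    if name != "svchost.exe":
        return False
    return not (directory in LEGIT_SVCHOST_DIRS or WINSXS_DIR_RE.match(directory))


def has_stealth_attributes(attributes: Iterable[str]) -> bool:
    """True when system, hidden and read-only are all set."""
    return STEALTH_ATTRS <= {a.lower() for a in attributes}


def hunt(files: Iterable[FileRecord],
         services: Iterable[ServiceRecord]) -> List[Tuple[str, str]]:
    """Return (severity, description) findings for the Carbanak indicators."""
    findings = []
    for f in files:
        if is_masquerading_svchost(f.path):
            # The attributes alone prove nothing, but combined with the wrong
            # directory they match the described dropper behaviour.
            sev = "high" if has_stealth_attributes(f.attributes) else "medium"
            findings.append((sev, f"svchost.exe outside a legitimate directory: {f.path}"))
        if ntpath.basename(normalize(f.path)) == "kldconfig.plug":
            findings.append(("high", f"Carbanak process-monitor list present: {f.path}"))
    for s in services:
        # Workstations ship with TermService set to Manual; Automatic is only a
        # weak signal on its own because servers with RDP enabled also use it.
        if s.name.lower() == "termservice" and s.start_type.lower() == "automatic":
            findings.append(("low", "TermService start type is Automatic (RDP enabled)"))
    return findings


# Constructed sample inventory: two genuine copies, the Carbanak drop location,
# its config file, a stray svchost.exe in a user temp directory, and two services.
SAMPLE_FILES = [
    FileRecord(r"C:\Windows\System32\svchost.exe", frozenset()),
    FileRecord(r"C:\Windows\SysWOW64\svchost.exe", frozenset()),
    FileRecord(r"C:\Windows\System32\com\svchost.exe",
               frozenset({"System", "Hidden", "ReadOnly"})),
    FileRecord(r"C:\Windows\System32\com\kldconfig.plug", frozenset({"Hidden"})),
    FileRecord(r"C:\Users\teller\AppData\Local\Temp\svchost.exe", frozenset()),
]
SAMPLE_SERVICES = [
    ServiceRecord("TermService", "Automatic"),
    ServiceRecord("Spooler", "Automatic"),
]

if __name__ == "__main__":
    for severity, description in hunt(SAMPLE_FILES, SAMPLE_SERVICES):
        print(f"[{severity.upper():6}] {description}")
```

The directory check is deliberately exact rather than a prefix match: a prefix test on "C:\Windows\System32" would silently accept the "System32\com" drop location, which is precisely the trick the backdoor relies on. The TermService finding is kept at low severity so it adds weight to the other two without generating noise on servers where RDP is legitimately enabled.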
Once the attackers located financial systems on the victim network, they deployed keyloggers, video capture tools and screenshot tools to learn as much as possible about the environment. The Carbanak toolkit typically logs keystrokes and takes a screenshot every 20 seconds; the process monitoring works by intercepting the ResumeThread call. Captured video is recorded at low quality to save bandwidth and is used to build an operational picture of typical workflows, tool usage and practices. Besides teaching the adversary how to move money, this monitoring also lowers the chance that the adversary's own actions will trip behavioural analytics, since those actions mimic what legitimate operators were observed doing. The legitimate remote administration tool Ammyy Admin might also be installed on victim systems to ease remote access; in some corporate environments it is whitelisted because system administrators use it themselves.
The attackers studied the financial tools and applications installed on the victim hosts in order to maximize the gain from each compromised system. Rather than hunting for exploits and flaws in the security and financial applications, the adversary meticulously recorded administrator activity to learn the information and procedures needed to transfer money. Files recovered from captured C2 servers indicate that the adversary may also have exfiltrated confidential emails, manuals, cryptographic keys and other information. Once the adversary knew the necessary details and how to operate the most powerful host applications, they would withdraw or transfer significant sums. The method of withdrawal or transfer depended on the system, the situation and the resources available (time, people, etc.). Observed methods include fraudulent online banking transfers, electronic cash transfers to banks in China and the United States, SWIFT transfers to compromised bank accounts, and remote commands instructing ATMs to dispense cash onto the street at a set date and time. Where physical interaction with an ATM or bank personnel was necessary, the group paid individuals to act as "mules" in the cash transfer.
The command-and-control infrastructure rotates every few weeks. It consists of Linux servers that issue commands, Windows servers used for remote connections, backup servers, and drop servers hosting executables and additional components. Victim systems are catalogued in the server logs according to the adversary's own categorization.

Type: Cyber Criminal/ Cyber Mercenary
Status: Active
Other Names: Carbon Spider/ Anunak/ Operation Odinaff
Active Since/Discovered: 2013/2014
Targets: Financial institutions (banks) in: Russia, USA, Germany, China, Ukraine, Canada, Taiwan, Hong Kong, United Kingdom, Spain, Norway, India, France, Poland, Pakistan, Nepal, Morocco, Czech Republic, Switzerland, Bulgaria, Australia, Iceland, Brazil
Target Sectors: Financial
Malware:
- Carbanak – remote backdoor and keylogger
  - HTTP C2 with RC2-encrypted, Base64-encoded payloads
  - installs itself as a service for persistence and SYSTEM privileges
  - installs VNC server software that executes through rundll32
  - names itself "svchost.exe," the name of the Windows shared service host program
- Mimikatz – credential dumper
- MBR Eraser – wipes the master boot record
- SoftPerfect Network Scanner
- Ammyy Admin – legitimate remote administration tool
- Netscan – scripting utility used to interact with networking components on local or remote systems
  - used to add firewall exceptions
- PsExec – free Microsoft Sysinternals tool that can be used to execute a program on another computer
- Backdoor Batel
Preferred Attack Vectors: Social engineering (spear phishing), watering holes and exploits
IoCs:
- SSHd with backdoor
- CVE-2012-2539
- CVE-2012-0158
- CVE-2016-0189
- Malware checks for banking processes and applications at install
Unique:
- Arguably the first financially motivated cyber-criminal APT
- From August 2015 to February 2016, it conducted 13 successful attacks against Russian banks and defrauded them of a total of 1.8 billion rubles (US$25.7M)
- Uses legitimate banking credentials and procedures rather than flaws in the banking software itself
- Targeted institutions directly; did not target end users
- Conducts extensive surveillance, including actively watching infected systems in order to learn how to properly use financial applications
- May be a multinational gang from Russia, Ukraine, China and other parts of Europe