Go to listing page

Carbanak: Insights Into the Billion Dollar Bank Security Threat

Carbanak: Insights Into the Billion Dollar Bank Security Threat

Share Blog Post

Threat Actor Profile


Origin: 2014.

Aliases: Anunak, Carbon Spider

Key Target Sectors: Manufacturing, Retail Services, Energy and Power, Hotel and Resorts, Information Technology, Financial Services, communication, Government and Military

Attack Vectors: Phishing, Spear Phishing, Spam email, Social Engineering, Unauthorized Access

Target Region: South America, South-East Asia, Eastern Asia, Western Europe, Western Asia, North America, Africa 

Malware Used: Carbanak Malware, Odinaff, Lazagne, Meterpreter, Tiny Meterpreter, ATMitch, Halfbaked

Vulnerabilities Exploited: CVE-2014-1761, CVE-2013-3906, CVE-2012-0158

Tools Used: Mimikatz Tool, Netsh, PsExec

Overview


Carbanak is a highly active cyber-criminal threat group, that is known for primarily targeting financial organizations like banks. The group is said to have stolen over 1 billion US dollars from over 100 banks and their private customers across the globe. It was first discovered in 2014 by the Russian/UK Cyber Crime security firm Kaspersky Lab. It is also known for using a backdoor malware with the same name "Carbanak." Some of its espionage activities indicate overlap with another adversary group dubbed FIN7, but experts believe that these are two different groups using the same Carbanak malware and are therefore tracked separately.

Which organizations have they targeted?


The first known samples of Carbanak group's malware were compiled in August 2013 when they started to test the Carbanak malware. The group was able to successfully steal from their first victims during the period of February-April 2014. On an average, each bank robbery took around two to four months, starting from infecting the first computer system at the bank's corporate network to cashing the money out. The peak of their infections was recorded in June 2014. Most of the financial entities targeted by the group were located in Eastern Europe; however, Carbanak also targeted victims in the USA, China, and Germany. One bank lost $7.3 million when its ATMs were programmed to spew cash at certain times that henchmen would then collect, while a separate firm had $10 million taken via its online platform. The group was also seen extending its operations to new areas, including Malaysia, Kuwait, Nepal, and several regions in Africa, among others. Most recently in early-2019, a fileless malware "ATMitch" associated with Carbanak APT was spotted in the wild.

What is their motivation behind the attacks?


The group has a long track record of compromising the infrastructure of financial institutions. Its motive is often manipulation of financial assets, such as transferring funds from bank accounts or taking over ATM infrastructures and commanding them to dispense cash at predetermined time intervals. The cyber-criminals also penetrated the ATM networks to reach to the key people within the organization, to gain information about the ATM systems, as well as the high profile customers of the targeted banks. 

Modus Operandi


The group’s primary technique is to quietly infiltrate into the infrastructure by setting a foothold in an employee’s system, and then moving laterally inside the infrastructure or elevate privileges to search critical systems having desired information. To begin the attack, spear phishing emails are sent to the targeted institutions, which either end up with victims downloading a malicious document (and eventually the Cobalt Strike beacon) or various unpatched Remote Code Execution Vulnerabilities being exploited (Microsoft Word: CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802) to deploy the Carbanak backdoor. When the user opens the attached document, scripts implanted within the files are executed in the background. The attacks use reconnaissance tools to assess the state of the victim’s workstation and ascertain what tools should be downloaded next. It can even open decoy documents to avoid drawing victims’ suspicion.

In some cases, the group targeted Automated Teller Machines (ATMs) using ATMitch (fileless malware), in which the machines were instructed to dispense cash without locally interacting with the terminal. After this is done, the money-mules would collect the money and transfer it over the SWIFT network to the criminals’ accounts. The group also went so far as to alter databases, pumping up balances on already existing accounts, and pocketing the difference unbeknownst to the user whose original balance is still intact.

Known tools and malware


Known zero-day vulnerabilities used by Carbanak APT

  • CVE-2014-1761 (Improper Restriction of Operations within the Bounds of a Memory Buffer) - It allows remote attackers to execute arbitrary code and denial of service (memory corruption) via crafted RTF data.
  • CVE-2013-3906 (Microsoft Graphics Component Memory Corruption Vulnerability) - It allows remote attackers to execute arbitrary code using a crafted TIFF image.
  • CVE-2012-0158 (MSCOMCTL.OCX RCE Vulnerability) - It allows attackers to triggers "system state" corruption.

Note - All the above vulnerabilities have been patched by the respective vendors, and updated versions can be downloaded from their websites.


Malicious programs used by Carbanak APT

  • Carbanak Malware - A backdoor that is delivered to its targets often via spear-phishing emails.
  • Odinaff - A banking trojan that opens a backdoor on the compromised computer.
  • Tiny Meterpreter - An open-source backdoor, delivered through spear-phishing email with a malicious attachment using an RTF-exploit or ".SCR" file.
  • ATMitch - A fileless malware, that allows an attacker to access the ATMs remotely, giving them the ability to dispense chunk of money at any specific time.
  • Halfbaked - A malware family consisting of multiple components, intended to establish persistence in victim networks.

Known Commercial/Open Source Tools used by Carbanak APT
  • Lazagne - An open source application used to retrieve passwords stored on a local computer.
  • Meterpreter - A collection of a wide array of commercial-grade exploits and an extensive exploit development environment.
  • Mimikatz Tool - It is a credential dumper, capable of obtaining plaintext Windows account logins and passwords.
  • Netsh - A scripting utility, which is used to interact with networking components on local or remote systems.
  • PsExec - A command-line tool that can execute processes on remote systems, often used by IT administrators as well as attackers.

Attribution


On March 26, 2018, European Union Agency for Law Enforcement Cooperation (Europol) claimed to have arrested the "mastermind" behind Carbanak group and associated Cobalt or Cobalt Strike group in Alicante, Spain. The investigation was carried over by the Spanish National Police with the cooperation of law enforcement in various countries as well as private cybersecurity organizations. The arrested individual was identified as Denis K., a Ukrainian who had led the organized crime group Carbanak for several malicious acts. Between Jan and June 2018, three Ukrainians, Fedir Hladyr, Dmytro Fedorov, and Andrii Kolpakov, were arrested in Europe. They were accused of targeting more than 100 US companies, including Emerald Queen Hotel and Casino (Washington), Chipotle Mexican Grill, Jason’s Deli, Sonic Drive-in, Red Robin Gourmet Burgers, and Taco John’s.

Prevention


Carbanak APT’s phishing emails can bypass anti-spam solutions deployed at the mail server level. So to prevent against such advanced threats, traditional anti-malware solutions may not be sufficient and it is recommended to implement an in-depth security model that assures URL filtering, behavior-based detection methods and sandboxing. To detect and prevent the sophisticated tactics of lateral movement of Carbanak APT, an enterprise-level solution is must that looks at both endpoint behavior and network traffic to detect any signs of lateral movements inside networks, and flag them for review by a security analyst. And at the same time, they should also consider sharing of actionable intelligence about the threats, like important hashes (SHA1, MD5, etc.), malicious IP addresses, domains, URLs to ensure timely identification and proactive remediation. Use Mitre’s ATT&CK Navigator to find correlations between the various Indicators of Compromise (IOC), TTPs, and Threat actors across various phases of the Incident Response Lifecycle, and pro-actively detect any signs of compromise, intrusion, or data exfiltration.

Indicators of Compromise


SHA256 (ATMitch)
bf9c35d8f33e2651d619fe22a2d55372dedd0855451d32f952ecfc73fa824092 e372631f96face11e803e812d9a77a25d0a81fa41e4ac362dc8aee5c8a021000

Filename
tester.exe
smrs.exe
Java.exe
94563784.doc
WRF{8F0C5F8E-18A3-48CE-A2F4-2F4DB1B14E94}.tmp
KbhpQIcahFCuZwq.sct
MGsCOxPSNK.txt
cqHfjCkTtMwG.doc
tCrrDqBQoCcEkbnK.txt
9D01CA.txt 
rad353F7.tmp 
Jusched.exe
netscan.exe 
netscan.exe 
Nusb1mon.exe
Psexec.exe
psexesvc.exe 
psexec.exe 
psexesvc.exe 
303F1428C3F.txt
jusched.exe

MD5
341917d17440ee8a334b202eb0378108
D68351f754a508a386c06946c8e79088
d90ecd6c825ce236838112898e1c4a2e
d117c73e353193118a6383c30e42a95f
b8fc470b9665b33d2071034fdfd6629c
bb784d55895db10b67b1b4f1f5b0be16
4bee6ff39103ffe31118260f9b1c4884
c2a9443aac258a60d8cace43e839cf9f
581c2a76b382deedb48d1df077e5bdf1
f0645bd9367faf4e21a9c5e8c132bed7
34a58e62866e5c17db61ee5f95d52c58
38242fb29d7cb82a4ffd651189d9821e
f0e52df398b938bf82d9e71ce754ab34
eb561d46c6283c632df88bd20ade6df4
bbaee5d936a3809f46fd409b8442f753
63c98b8c34ee9261c0068c7f0435a9f9
ddb9553c6e4e4908b5c7fbbdc4795d6c
1e94f1fdf5ace5e57d8b7832ea2da22e
e7aa5608c81ba4fcd8d166501b90fc06
27304b246c7d5b4e149124d5f93c5b01
75b55bb34dac9d02740b9ad6b6820360
a7f7a0f74c8b48f1699858b3b6c11eda
87dfac39f577e5f52f0724455e8832a8
341917d17440ee8a334b202eb0378108
0022c1fe1d6b036de2a08d50ac5446a5
0155738045b331f44d300f4a7d08cf21
0275585c3b871405dd299d458724db3d
0ad4892ead67e65ec3dd4c978fce7d92
0ad6da9e62a2c985156a9c53f8494171
1046652e0aaa682f89068731fa5e8e50
10e0699f20e31e89c3becfd8bf24cb4c
1300432e537e7ba07840adecf38e543b
15a4eb525072642bb43f3c188a7c3504
16cda323189d8eba4248c0a2f5ad0d8f
1713e551b8118e45d6ea3f05ec1be529
1a4635564172393ae9f43eab85652ba5
1b9b9c8db7735f1793f981d0be556d88
1d1ed892f62559c3f8234c287cb3437c
1e127b92f7102fbd7fa5375e4e5c67d1
1e47e12d11580e935878b0ed78d2294f
1f43a8803498482d360befc6dfab4218
1fd4a01932df638a8c761abacffa0207
20f8e962b2b63170b228ccaff51aeb7d
26d6bb7a4e84bec672fc461487344829
2908afb4de41c64a45e1eb2503169108
2c6112e1e60f083467dc159ffb1ceb6d
2cba1a82a78f4dcbad1087c1b71588c9
2e2aa05a217aacf3105b4ba2288ad475
36cdf98bc79b6997dd4e3a6bed035dca
36dfd1f3bc58401f7d8b56af682f2c38
39012fb6f3a93897f6c5edb1a57f76a0
3dc8c4af51c8c367fbe7c7feef4f6744
407795b49789c2f9ca6eca1fbab3c73e
45691956a1ba4a8ecc912aeb9f1f0612
4afafa81731f8f02ba1b58073b47abdf
4e107d20832fff89a41f04c4dff1739b
4f16b33c074f1c31d26d193ec74aaa56
50f70e18fe0dedabefe9bf7679b6d56c
5443b81fbb439972de9e45d801ce907a
55040dd42ccf19b5af7802cba91dbd7f
551d41e2a4dd1497b3b27a91922d29cc
56bfe560518896b0535e0e4da44266d6
5aeecb78181f95829b6eeeefb2ce4975
5da203fa799d79ed5dde485c1ed6ba76
608bdeb4ce66c96b7a9289f8cf57ce02
6163103103cdacdc2770bd8e9081cfb4
629f0657e70901e3134dcae2e2027396
643c0b9904b32004465b95321bb525eb
6e564dadc344cd2d55374dbb00646d1b
735ff7defe0aaa24e13b6795b8e85539
751d2771af1694c0d5db9d894bd134ca
763b335abecbd3d9a6d923a13d6c2519
763e07083887ecb83a87c24542d70dc5
7b30231709f1ac69e4c9db584be692f0
7d0bbdda98f44a5b73200a2c157077df
7e3253abefa52aeae9b0451cfb273690
874058e8d8582bf85c115ce319c5b0af
88c0af9266679e655298ce19e231dff1
8ace0c156eb6f1548b96c593a15cbb25
933ab95dbf7eb0e9d9470a9272bfaff3
93e44ecfcffdbb1f7f3119251ddb7670
972092cbe7791d27fc9ff6e9acc12cc3
9865bb3b4e7112ec9269a98e029cf5cb
9ad8c68b478e9030859d8395d3fdb870
9f455f0efe8c5ff69adcc456dcf00da6
a1979aa159e0c54212122fd8acb24383
a4bfd2cfbb235d869d87f5485853edae
a8dc8985226b7b2c468bb82bad3e4d76
aa55dedff7f5dbe2cc4a47f2f8d44f94
ac5d3fc9da12255759a4a7e4eb3d63e7
acb01930466438d3ee981cb4fc57e196
acb4c5e2f92c84df15faa4846f17ff4e
b2e6d273a9b32739c9a26f267ab7d198
b328a01f5b82830cc250e0e429fca69f
b400bb2a2f9f0ce176368dc709359d3d
b6c08d0db4ca1d9e16f3e164745810ff
b79f7d41e30cf7d69a4d5d19dda8942e
bddbb91388dd2c01068cde88a5fb939e
c179ad6f118c97d3db5e04308d48f89e
c1b48ca3066214a8ec988757cc3022b3
c2472adbc1f251acf26b6deb8e7a174b
c687867e2c92448992c0fd00a2468752
c77331b822ca5b78c31b637984eda029
cb915d1bd7f21b29edc179092e967331
cc294f8727addc5d363bb23e10be4af2
d943ccb4a3c802d304ac29df259d14f2
db3e8d46587d86519f46f912700372e0
dbd7d010c4657b94f49ca85e4ff88790
e06a0257449fa8dc4ab8ccb6fbf2c50b
e613e5252a7172329ee25525758180a4
e742242f28842480e5c2b3357b7fd6ab
e938f73a10e3d2afbd77dd8ecb3a3854
eaee5bf17195a03d6bf7189965ee1bdb
ef8e417e5adb2366a3279d6680c3b979
f4eddae1c0b40bfedeb89e814a2267a5
f66992766d8f9204551b3c42336b4f6d
fad3a7ea0a0c6cb8e20e43667f560d7f
fbc310a9c431577f3489237d48763eea
ff7fd55796fa66c8245c0b90157c57c7
100d516821d99b09718b362d5a4b9a2f
6ae1bb06d10f253116925371c8e3e74b
72eff79f772b4c910259e3716f1acf49
85a26581f9aadeaa6415c01de60f932d
9ad6e0db5e2f6b59f14dd55ded057b69
a70fea1e6eaa77bdfa07848712efa259
be935b4b3c620558422093d643e2edfe
c70cce41ef0e4a206b5b48fa2d460ba4
41fb85acedc691bc6033fa2c4cf6a0bc
1684a5eafd51852c43b4bca48b58980f
08f83d98b18d3dff16c35a20e24ed49a

Domain
swift-fraud[.]com/documents/94563784.doc
cloud[.]yourdocument[.]biz/robots.txt
nl[.][redacted][.]kz/robots.txt 
nl[.][redacted][.]kz/api/v1 
comixed[.]org
coral-trevel[.]com
datsun-auto[.]com
di-led[.]com
eelu[.]biz
financialwiki[.]pw
flowindaho[.]info
freemsk-dns[.]com
gjhhghjg6798[.]com
glonass-map[.]com
great-codes[.]com
icafyfootsinso[.]ru
idedroatyxoaxi[.]ru
ivaserivaseeer[.]biz
Financialnewson-line[.]pw
Microloule461soft-c1pol361[.]com
microsoftc1pol361[.]com
mind-finder[.]com
operatemesscont.
paradise-plaza[.]com
public-dns[.]us
publics-dns[.]com
system-svc[.]net
systemsvc[.]net
traider-pro[.]com
travel-maps[.]info
update-java[.]net
veslike[.]com
worldnews24[.]pw
worldnewsonline[.]pw

IP Adrresses
94[.]140[.]116[.]69 
185[.]206[.]145[.]227
45[.]56[.]162[.]8 
94[.]156[.]35[.]118
185[.]243[.]115[.]28
185[.]206[.]146[.]226
94[.]140[.]116[.]176
108[.]61[.]197[.]254
112[.]78[.]3.142
118[.]163[.]216[.]107
131[.]72[.]138[.]18
141[.]60[.]162[.]150
146[.]185[.]220[.]200
162[.]221[.]183[.]109
162[.]221[.]183[.]11
173[.]201[.]45[.]158
173[.]237[.]187[.]203
174[.]143[.]147[.]168
185[.]10[.]56[.]59
185[.]10[.]56[.]59:443
185[.]10[.]58[.]175
188[.]138[.]16[.]214
188[.]138[.]98[.]105
188[.]40[.]224[.]76
190[.]97[.]165[.]126
194[.]44[.]218[.]102
195[.]113[.]26[.]195
198[.]101[.]229[.]24
199[.]255[.]116[.]12
199[.]79[.]62[.]69
204[.]227[.]182[.]242
208[.]109[.]248[.]146
209[.]222[.]30[.]5
216[.]170[.]117[.]7
216[.]170[.]117[.]88
217[.]172[.]183[.]184
217[.]172[.]186[.]179
218[.]76[.]220[.]106
31[.]131[.]17[.]79
31[.]131[.]17[.]81
37[.]235[.]54[.]48
37[.]46[.]114[.]148
37[.]59[.]202[.]124
5[.]101[.]146[.]184
5[.]135[.]111[.]89
5[.]61[.]32[.]118
5[.]61[.]38[.]52
50[.]115[.]127[.]36
50[.]115[.]127[.]37
55[.]198[.]6.56
61[.]7.219[.]61
62[.]75[.]224[.]229
66[.]55[.]133[.]86
67[.]103[.]159[.]140
69[.]64[.]48[.]125
74[.]208[.]170[.]163
78[.]129[.]184[.]4
79[.]99[.]6.187
81[.]4.110[.]128
83[.]16[.]41[.]202
83[.]166[.]234[.]250
83[.]246[.]67[.]58
85[.]25[.]117[.]154
85[.]25[.]20[.]109
85[.]25[.]207[.]212
87[.]106[.]8.177
87[.]98[.]153[.]34
88[.]198[.]184[.]241
91[.]194[.]254[.]38
91[.]194[.]254[.]90
91[.]194[.]254[.]91
91[.]194[.]254[.]92
91[.]194[.]254[.]93
91[.]194[.]254[.]94
91[.]194[.]254[.]98
93[.]95[.]102[.]109
93[.]95[.]99[.]232
94[.]247[.]178[.]230
95[.]0.250[.]113

Spear phishing emails
MD5: 8fa296efaf87ff4d9179283d42372c52
Name of attachment:???????????? ??-115 ?? 24.06.2014?.doc
Drops executable: MD5: a1979aa159e0c54212122fd8acb24383 (Carbanak)

MD5: 665b6cb31d962aefa3037b5849889e06
Name of attachment: ??????.doc
Drops executable: MD5: 4afafa81731f8f02ba1b58073b47abdf (Carbanak)

MD5: 2c395f211db2d02cb544448729d0f081
Name of attachment: new.doc
Drops executable: MD5: 551d41e2a4dd1497b3b27a91922d29cc (Carbanak)

MD5: 31e16189e9218cb131fdb13e75d0a94f
Name of attachment: ??????-?????????.doc
Drops executable: MD5: 4e107d20832fff89a41f04c4dff1739b (Carbanak)

MD5: db83e301564ff613dd1ca23c30a387f0
Name of attachment: ???????????? ??-115 ?? 21.07.2014?.doc
Drops executable: MD5: cb915d1bd7f21b29edc179092e967331 (Carbanak)

MD5: f88a983fc0ef5bb446ae63250e7236dd
Name of attachment: ???????????.msg
Drops executable: MD5: 3dc8c4af51c8c367fbe7c7feef4f6744 (Carbanak)

MD5: c4a6a111a070856c49905d815f87ab49
Name of attachment: ??????????????????
Drops executable: MD5: cb915d1bd7f21b29edc179092e967331 (Carbanak)

MD5: 86e48a9be62494bffb3b8e5ecb4a0310
Name of attachment: ???????????.doc
Drops executable: MD5: 3dc8c4af51c8c367fbe7c7feef4f6744 (Carbanak)

MD5: 6c7ac8dfd7bc5c2bb1a6d7aec488c298
Name of attachment: ???????????? ??-115 ?? 02.07.2014?..doc,
Drops executable: MD5: cb915d1bd7f21b29edc179092e967331 (Carbanak)

 Tags

carbanak group
carbon spider
anunak
atmitch
odinaff
mimikatz

Posted on: June 27, 2019


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite