A year on, Carbanak returns with two more cybergangs

The Carbanak cybergang, believed to have targeted more than 100 banks and financial institutions globally – costing them as much as US$1bn – has re-emerged, with two other new gangs also active, reports Kaspersky Lab.

The Russian security company, which a year ago warned that cybercriminals were copying the tools and tactics of nation-state backed advanced persistent threats (APTs) to target banks, said that ‘Carbanak 2.0’ had been joined by two more groups – Metel and GCMAN – working in the same style:

Each attacks financial organisations using covert APT-style reconnaissance and customised malware along with legitimate software and new, innovative schemes to cash out.

Kaspersky Lab reports that among the schemes used by the Metel cybercriminal group is one in which, after gaining control over machines inside a bank with access to money transactions – such as the bank’s call centre/support computers – the gang automates the rollback of automated teller machine (ATM) transactions.

The rollback capability ensures that the balance on debit cards remains the same regardless of the number of ATM transactions undertaken. In examples cited by the security company, the criminal group steals money in night-time drives around Russian cities, emptying ATMs belonging to various banks, repeatedly using the same debit cards issued by the compromised bank. In the space of just one night they manage to cash out.

“Nowadays, the active phase of a cyber-attack is becoming shorter,” said Sergey Golovanov, principal security researcher within Kaspersky Lab’s global research and analysis team. “When the attackers become skilled in a particular operation, it takes them just days or a week to take what they want and run.”

Forensic investigation by the team revealed that Metel operators achieve their initial infection through specially-crafted spear-phishing emails with malicious attachments, and through the Niteris exploit pack (aka CottonCastle), targeting vulnerabilities in the victim’s browser.

Once inside the network, the cybercriminals use legitimate and penetration-testing (pentesting) tools to move laterally, hijacking the local domain controller and eventually locating and gaining control over computers used by the bank’s employees responsible for payment card processing.

Widespread infection?

Kaspersky Lab says that the Metel group remains active as an investigation into its activities gets underway. Although no attacks outside Russia have been identified, the company warns that the infection could prove more widespread and banks worldwide should proactively check for infection.

“All three of the gangs identified are shifting toward the use of malware accompanied by legitimate software in their fraudulent operations,” the company comments. “Why write a lot of custom malware tools, when legitimate utilities can be just as effective, and trigger far fewer alarms?”

The GCMAN gang is potentially even more threatening as it can successfully attack an organisation without using malware, running legitimate and pentesting tools only. Kaspersky Lab’s investigations revealed GCMAN using PuTTY, VNC and Meterpreter utilities to move laterally through the network until the attackers reached a machine which could be used to transfer money to e-currency services without alerting other banking systems.

In one attack, the cybercriminals stayed in the network for 18 months before activating the theft. Money was transferred in sums of about US$200, the upper limit for anonymous payments in Russia. Every minute, the cron job scheduler fired a malicious script and another sum was transferred to e-currency accounts belonging to a money mule. The transaction orders were sent directly to the bank’s upstream payment gateway without appearing in the bank’s internal systems.
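As an added, defender-side example (not from the article or the Kaspersky Lab report): reconciliation checks a bank could run over its own transaction logs to surface the two cash-out patterns described above, the Metel ATM rollback and GCMAN's per-minute drip of sub-limit transfers. The log fields, card ids, wallet names, amounts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample data (hypothetical cards, wallets, amounts; not real IOCs):
# ATM withdrawals with the ledger balance reported afterwards, and outbound
# transfers as seen at the upstream payment gateway.
ATM_EVENTS = [  # (card, timestamp, amount, balance_after)
    ("card-A", "2015-11-03T01:02:00", 5000, 12000),
    ("card-A", "2015-11-03T01:15:00", 5000, 12000),
    ("card-A", "2015-11-03T01:40:00", 5000, 12000),
    ("card-A", "2015-11-03T02:05:00", 5000, 12000),
    ("card-B", "2015-11-03T09:00:00", 100, 900),
    ("card-B", "2015-11-03T18:30:00", 100, 800),
]
TRANSFERS = [  # (timestamp, amount, destination)
    ("2015-11-03T03:00:00", 199.0, "wallet-X"),
    ("2015-11-03T03:01:00", 199.0, "wallet-X"),
    ("2015-11-03T03:02:00", 199.0, "wallet-X"),
    ("2015-11-03T03:03:00", 199.0, "wallet-X"),
    ("2015-11-03T03:04:00", 199.0, "wallet-X"),
    ("2015-11-03T10:00:00", 199.0, "wallet-Y"),
    ("2015-11-03T14:20:00", 1250.0, "wallet-Z"),
]

def flag_rollback_cards(events, min_rollbacks=2):
    """Metel pattern: cards whose ledger balance fails to fall after withdrawals."""
    by_card = defaultdict(list)
    for card, ts, amount, balance in events:
        by_card[card].append((datetime.fromisoformat(ts), amount, balance))
    flagged = {}
    for card, rows in by_card.items():
        rows.sort()  # consecutive pairs: balance before, then amount and balance after
        rollbacks = sum(1 for (_, _, before), (_, amt, after) in zip(rows, rows[1:])
                        if after > before - amt)  # balance did not drop by the amount
        if rollbacks >= min_rollbacks:
            flagged[card] = rollbacks
    return flagged

def flag_drip_transfers(transfers, limit=200.0, min_count=5, max_gap_s=90):
    """GCMAN pattern: a steady stream of just-under-limit transfers to one destination."""
    by_dest = defaultdict(list)
    for ts, amount, dest in transfers:
        if 0.9 * limit <= amount <= limit:  # sized to stay under the reporting limit
            by_dest[dest].append(datetime.fromisoformat(ts))
    flagged = {}
    for dest, times in by_dest.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_count and max(gaps) <= max_gap_s:
            flagged[dest] = len(times)  # e.g. one transfer per minute from a cron job
    return flagged
```

Both checks only need data the bank already holds (core ledger balances and gateway-side transfer records), which matters because the GCMAN orders never appeared in the bank's internal systems.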

Criminals learning fast

Added to these new threats, Carbanak 2.0 marks the re-emergence of the Carbanak APT, with the same tools and techniques but a different victim profile and innovative ways to cash out, says Kaspersky Lab.

In addition to banks, targets include the budgeting and accounting departments of various organisations. In an example observed by the security company, the Carbanak 2.0 gang accessed a financial institution and altered the ownership records of a large company. The information was modified to name a money mule as a shareholder of the company, displaying their ID information.

“Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cybercriminals aggressively embracing APT-style attacks,” says Golovanov. “The Carbanak gang was just the first of many: cybercriminals now learn fast how to use new techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly. Their logic is simple: that’s where the money is.

“And we aim to show how and where, specifically, the threat actors might hit to get your money. I expect that after hearing about GCMAN attacks, you will go and check how your web banking servers are protected; while in the case of Carbanak, we advise protecting the database that contains information about the owners of accounts, not just their balances.”

Kaspersky Lab is urging all organisations to carefully scan their networks for the presence of Carbanak, Metel and GCMAN and, if detected, to disinfect their systems and report the intrusion to law enforcement. The company, which produces security products to detect and block the malware used by Carbanak 2.0, Metel and GCMAN, is also releasing crucial Indicators of Compromise (IOCs) and other data to help organisations search for traces of these attack groups in their corporate networks.
