Carbanak Group Targets Banks in Middle East, U.S.

Researchers at security firm Proofpoint have discovered what they believe to be new Carbanak campaigns aimed at organizations in the Middle East, the United States and other countries.

The activities of Carbanak, also known as Anunak, came to light in February 2015, when Kaspersky Lab revealed that the group had stolen as much as $1 billion from 100 banks in Russia and many other countries. The cybercrime ring’s activities ceased for roughly five months after Kaspersky published its report.

In September 2015, Denmark-based CSIS Security Group reported that the attackers had created a new version of the Carbanak malware, which they had been using to target major organizations. In February, one year after its initial report on Carbanak, Kaspersky said it spotted new APT-style attacks targeting not only banks, but also the budgeting and accounting departments of other types of companies.

On Monday, Proofpoint reported observing a campaign aimed at Middle Eastern countries such as the United Arab Emirates, Kuwait, Lebanon and Yemen. The attackers seem to be targeting high-level executives, directors, senior managers, and regional and operations managers at banks, financial organizations, enterprise software firms, and professional services companies.

The targets are sent a spear phishing email containing a URL that points to a malicious document designed to exploit an old Office vulnerability (CVE-2015-2545) in order to drop and execute a malware downloader (MSIL/JScript). The downloader then drops the Carbanak payload identified as Spy.Sekur.

In addition to Spy.Sekur, attackers have also sent out emails containing links to a Java-based remote access Trojan (RAT) known as jRAT, which allows attackers to chat with victims, manage files, log keystrokes, manage processes, copy data from the clipboard, capture images via the webcam, record audio, modify registry entries, and shut down or reboot the infected device.

A different campaign monitored by Proofpoint appears to be aimed at the employees of US- and Europe-based companies in the financial and mass media sectors, and apparently unrelated targets specializing in fire, safety and HVAC. The targets are mainly account managers, credit controllers and IT support workers.

In these attacks, the Carbanak gang sent out emails containing malicious Word documents which rely on macros to deliver Spy.Sekur to victims. The server hosting Spy.Sekur was also found to store a variant of the Netwire malware, although this threat has not been seen in any of the email attacks.

Experts have also found possible links between Carbanak and threats such as Cybergate, MorphineRAT and DarkComet.

According to Proofpoint, most of the malicious emails were sent to organizations in the United States (17.7 percent), followed by Oman, Australia, UAE, Kuwait, Pakistan, the Netherlands and Germany.

Proofpoint picked up on the targeted emails in early March. Because the last major Carbanak heist was estimated to have taken 3-4 months from the initial infections, experts believe that these attacks could represent the early stages of new campaigns.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
