
Carbanak Group Targets Banks in Middle East, U.S.

Researchers at security firm Proofpoint have discovered what they believe to be new Carbanak campaigns aimed at organizations in the Middle East, the United States and other countries.

The activities of Carbanak, also known as Anunak, came to light in February 2015, when Kaspersky Lab revealed that the group had stolen as much as $1 billion from 100 banks in Russia and many other countries. The cybercrime ring’s activities ceased for roughly five months after Kaspersky published its report.

In September 2015, Denmark-based CSIS Security Group reported that the attackers had created a new version of the Carbanak malware, which they had been using to target major organizations. In February, one year after its initial report on Carbanak, Kaspersky said it spotted new APT-style attacks targeting not only banks, but also the budgeting and accounting departments of other types of companies.

On Monday, Proofpoint reported observing a campaign aimed at Middle Eastern countries such as the United Arab Emirates, Kuwait, Lebanon and Yemen. The attackers seem to be targeting high-level executives, directors, senior managers, and regional and operations managers at banks, financial organizations, enterprise software firms, and professional services companies.

The targets are sent a spear phishing email containing a URL that points to a malicious document designed to exploit an old Office vulnerability (CVE-2015-2545) in order to drop and execute a malware downloader (MSIL/JScript). The downloader then drops the Carbanak payload identified as Spy.Sekur.

In addition to Spy.Sekur, attackers have also sent out emails containing links to a Java-based remote access Trojan (RAT) known as jRAT, which allows attackers to chat with victims, manage files, log keystrokes, manage processes, copy data from the clipboard, capture images via the webcam, record audio, modify registry entries, and shut down or reboot the infected device.

A different campaign monitored by Proofpoint appears to be aimed at the employees of US- and Europe-based companies in the financial and mass media sectors, and apparently unrelated targets specializing in fire, safety and HVAC. The targets are mainly account managers, credit controllers and IT support workers.

In these attacks, the Carbanak gang sent out emails containing malicious Word documents which rely on macros to deliver Spy.Sekur to victims. The server hosting Spy.Sekur was also found to store a variant of the Netwire malware, although this threat has not been seen in any of the email attacks.

Experts have also found possible links between Carbanak and threats such as Cybergate, MorphineRAT and DarkComet.

According to Proofpoint, most of the malicious emails were sent to organizations in the United States (17.7 percent), followed by Oman, Australia, UAE, Kuwait, Pakistan, the Netherlands and Germany.

Proofpoint picked up on the targeted emails in early March. Since the last major Carbanak heist is estimated to have taken 3-4 months from the initial infections, experts believe that these attacks could represent the early stages of new campaigns.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
