Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Carbanak Group Targets Banks in Middle East, U.S.

Researchers at security firm Proofpoint have discovered what they believe to be new Carbanak campaigns aimed at organizations in the Middle East, the United States and other countries.

Researchers at security firm Proofpoint have discovered what they believe to be new Carbanak campaigns aimed at organizations in the Middle East, the United States and other countries.

The activities of Carbanak, also known as Anunak, came to light in February 2015, when Kaspersky Lab revealed that the group had stolen as much as $1 billion from 100 banks in Russia and many other countries. The cybercrime ring’s activities ceased for roughly five months after Kaspersky published its report.

In September 2015, Denmark-based CSIS Security Group reported that the attackers had created a new version of the Carbanak malware, which they had been using to target major organizations. In February, one year after its initial report on Carbanak, Kaspersky said it spotted new APT-style attacks targeting not only banks, but also the budgeting and accounting departments of other types of companies.

On Monday, Proofpoint reported observing a campaign aimed at Middle Eastern countries such as the United Arab Emirates, Kuwait, Lebanon and Yemen. The attackers seem to be targeting high-level executives, directors, senior managers, and regional and operations managers at banks, financial organizations, enterprise software firms, and professional services companies.

The targets are sent a spear phishing email containing a URL that points to a malicious document designed to exploit an old Office vulnerability (CVE-2015-2545) in order to drop and execute a malware downloader (MSIL/JScript). The downloader then drops the Carbanak payload identified as Spy.Sekur.

In addition to Spy.Sekur, attackers have also sent out emails containing links to a Java-based remote access Trojan (RAT) known as jRAT, which allows attackers to chat with victims, manage files, log keystrokes, manage processes, copy data from the clipboard, capture images via the webcam, record audio, modify registry entries, and shut down or reboot the infected device.

A different campaign monitored by Proofpoint appears to be aimed at the employees of US- and Europe-based companies in the financial and mass media sectors, and apparently unrelated targets specializing in fire, safety and HVAC. The targets are mainly account managers, credit controllers and IT support workers.

In these attacks, the Carbanak gang sent out emails containing malicious Word documents which rely on macros to deliver Spy.Sekur to victims. The server hosting Spy.Sekur was also found to store a variant of the Netwire malware, although this threat has not been seen in any of the email attacks.

Experts have also found possible links between Carbanak and threats such as Cybergate, MorphineRAT and DarkComet.

According to Proofpoint, most of the malicious emails were sent to organizations in the United States (17.7 percent), followed by Oman, Australia, UAE, Kuwait, Pakistan, the Netherlands and Germany.

Proofpoint picked up on the targeted emails in early March. Since the last major Carbanak heist was estimated to take 3-4 months since the initial infections, experts believe that these attacks could represent the early stages of new campaigns.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.