Carbanak Hackers Refine Intrusion Tactics

The prolific Carbanak crime group has refined its intrusion strategy and expanded its arsenal of tools used in attacks, a new Trustwave report reveals.

The Carbanak group, also known as Anunak, was exposed in 2015 after it managed to steal an estimated $1 billion from more than 100 banks across 30 countries. In early 2016, the group continued to target banks, mainly in the Middle East and the U.S.

In November last year, Trustwave observed a campaign targeting organizations in the hospitality sector in which Carbanak hackers would call customer service, say they could not make a reservation, and ask to send the details via email.

Earlier this year, the Carbanak malware was seen using Google services for command and control (C&C) communication, and security researchers revealed that the group would deploy a large number of tools as part of their attacks.

The most recent attacks associated with the group continue to employ a variety of tools, but have switched to new social engineering techniques. The attackers now send a malicious Word or RTF document to employees of organizations in the hospitality sector, then call to ask whether the document has been opened, and follow up with another call 30 minutes later.

The actors claim that the sender had trouble with the online ordering system, or that the document refers to a lawsuit over a member of the caller’s party getting sick after a meal at one of the targeted organization’s restaurants. The phone calls are meant to ensure the victim opens the malicious document, the security researchers say.

One of the analyzed infected RTF documents dropped two VBS files and one PS1 file onto the targeted system. For persistence, it created a scheduled task that runs the main malware file every 25 minutes. On top of that, the C&C malware creator script was observed dropping additional malware and support files into a different folder, including another PS1 file, four more VBS scripts, and INI and TXT files.

The INI file in this campaign is used to issue commands to the compromised machine and to reflect the status of previous commands. The INI processing script, which parses and processes the INI file, provides commands such as Screenshot (save screenshot as screenshot.png), Runvbs, Runexe, Runps, Update, and Delete.


The INI file also contains information on whether the malware has transmitted the victim’s system information to the attacker. The sent information includes OS name and version, available physical memory, total physical and virtual memory, time zone, computer name, a list of processes, user name, and processor and BIOS information.

The attackers no longer use user accounts and passwords for lateral movement. Instead, the malware bypasses authentication on the remote system and uses SMB commands to locate vulnerable hosts and compromise them.

Trustwave also notes that the Carbanak malware writers have used various methods to hide the functionality of their malicious programs: a PowerShell script file created from a base64-encoded string hidden in the malicious Word document; three levels of decoding for the final PowerShell script; a base64-encoded string inside that script; alphanumeric shellcode and an encoded payload obtained via DNS TXT records; and more.

To stay protected, organizations are advised to perform regular security awareness training for all employees with particular attention to spear phishing, run spear phishing exercises, use an email server or appliance that can assist with malware detection, disable macros by default in all Office applications, use a SIEM or other log-and-event aggregation system so that aggregated network traffic can be examined, ensure IDS rules are able to detect Metasploit modules, blacklist all PowerShell and VBS scripts not used by the organization, perform continuous DNS monitoring, and restrict DNS traffic.
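Two of those recommendations, continuous DNS monitoring and an allowlist of the PowerShell and VBS scripts the organization actually uses, can be checked with simple log triage. The following is an added example written for this article, not code from Trustwave or from the report; the resolver log format, the task inventory, the domain names and the base64-looking TXT answers are all constructed, and the 60-character and 30-minute thresholds are arbitrary tuning values.

```python
import re

# Constructed sample resolver log (client, qtype, qname, rdata); not from the report.
DNS_LOG = [
    '10.0.0.5 TXT _dmarc.example.com "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"',
    '10.0.0.7 TXT c1.cdn-update.example.net "cGF5bG9hZF9jaHVua18wMV9jb25zdHJ1Y3RlZF9mb3JfZGVtb19vbmx5XzAxMjM0NTY3ODk="',
    '10.0.0.7 TXT c2.cdn-update.example.net "cGF5bG9hZF9jaHVua18wMl9jb25zdHJ1Y3RlZF9mb3JfZGVtb19vbmx5XzAxMjM0NTY3ODk="',
    '10.0.0.5 A www.example.com 93.184.216.34',
]
# Constructed scheduled-task inventory: (task name, command line, repeat interval in minutes).
TASKS = [
    ("Updater", r"wscript.exe C:\Users\Public\upd.vbs", 25),
    ("Backup", r"C:\Program Files\Backup\backup.exe", 1440),
    ("Inventory", r"powershell.exe -f C:\Tools\inventory.ps1", 60),
]
# Scripts the organization knowingly runs (hypothetical allowlist, lower-cased paths).
APPROVED_SCRIPTS = {r"c:\tools\inventory.ps1"}

DNS_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+"?(.*?)"?$')
# Legitimate TXT records (SPF, DMARC, domain verification) contain spaces or '='-separated
# key/value pairs; a long, space-free base64 alphabet run looks like an encoded blob instead.
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/=]{60,}$")


def suspicious_txt(lines, min_hits=2):
    """Return {client: [qname, ...]} for clients that received at least min_hits
    TXT answers resembling an encoded payload chunk."""
    hits = {}
    for line in lines:
        m = DNS_RE.match(line)
        if not m or m.group(2) != "TXT" or not ENCODED_RE.match(m.group(4)):
            continue
        hits.setdefault(m.group(1), []).append(m.group(3))
    return {client: names for client, names in hits.items() if len(names) >= min_hits}


def unapproved_script_tasks(tasks, max_interval=30):
    """Flag tasks that run a .ps1/.vbs outside the allowlist on a short repeat cycle
    (the report describes a 25-minute task running the main malware file)."""
    flagged = []
    for name, cmd, interval in tasks:
        scripts = re.findall(r"\S+\.(?:ps1|vbs)", cmd, re.IGNORECASE)
        unknown = [s for s in scripts if s.lower() not in APPROVED_SCRIPTS]
        if unknown and interval <= max_interval:
            flagged.append((name, unknown[0], interval))
    return flagged


if __name__ == "__main__":
    print(suspicious_txt(DNS_LOG))
    print(unapproved_script_tasks(TASKS))
```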

Related: Carbanak Hackers Hit Hospitality Firms With New Tactics

Related: Carbanak Group Used Numerous Tools in Recent Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.