Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

New Version of Carbanak Malware Spotted in Attacks

A new version of the notorious Carbanak Trojan, also known as Anunak, has been spotted in the wild by researchers at Denmark-based CSIS Security Group.

A new version of the notorious Carbanak Trojan, also known as Anunak, has been spotted in the wild by researchers at Denmark-based CSIS Security Group.

Carbanak made headlines in February when Kaspersky Lab revealed that it had been used by a multinational cybercriminal gang to pull off an unprecedented cyber heist. The cybercrooks used the malware to infiltrate over 100 banks across 30 countries and steal as much as one billion dollars. Most of the victims were located in Russia, the U.S., Germany, China and Ukraine.

There have been only a few reports of Carbanak activity since Kaspersky published its research paper on the group’s operations. However, as CSIS discovered last week, the Carbanak malware is still being used in attacks targeting major organizations.

Experts discovered the first new Carbanak sample last week while conducting forensic analysis on an infected Windows machine that malicious actors had compromised in an effort to carry out fraudulent online banking transactions.

CSIS’s analysis has revealed that the Carbanak gang has been targeting large corporations in Europe and the United States using spear phishing as the attack vector.

While the binaries identified by the security firm are almost identical to previous versions, experts noted that there are some differences. For example, the new variant has been used to target organizations located in new geographical locations.

The new Carbanak also uses random files and mutexes. For command and control (C&C) communications, the Trojan relies on predefined IP addresses instead of domains, and it uses a new proprietary protocol. One of the new samples has been communicating with a C&C server hosted by a well known bulletproof hosting firm, CSIS said.

Researchers have also pointed out that the new Carbanak version is signed using a code-signing certificate issued by Comodo to a Russia-based wholesale company. Experts believe this company might have been set up by the cybercriminals using a fake or stolen identity. They’ve used this company to request a legitimate code-signing certificate instead of having to sign their malware with stolen certificates.

“We speculate that the main purpose of this company is to receive money from fraudulent transactions. As stated in the Kaspersky report, Carbanak-related transfers are rather huge. Possibly, they have registered a company and opened bank accounts in order to receive their stolen money while having full control of the transferring process,” Peter Kruse, partner and e-crime specialist at CSIS, wrote in a blog post.

“Carbanak is what we define as a financial APT. In its nature, it is very targeted and it is being deployed in small numbers. In this way, it tends to slide under the radar,” Kruse explained. “We have observed at least four different new variants of Carbanak targeting key financial personnel in large international corporations.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.