A new version of the notorious Carbanak Trojan, also known as Anunak, has been spotted in the wild by researchers at Denmark-based CSIS Security Group.
Carbanak made headlines in February when Kaspersky Lab revealed that it had been used by a multinational cybercriminal gang to pull off an unprecedented cyber heist. The cybercrooks used the malware to infiltrate over 100 banks across 30 countries and steal as much as one billion dollars. Most of the victims were located in Russia, the U.S., Germany, China and Ukraine.
There have been only a few reports of Carbanak activity since Kaspersky published its research paper on the group’s operations. However, as CSIS discovered last week, the Carbanak malware is still being used in attacks targeting major organizations.
Experts discovered the first new Carbanak sample last week while conducting forensic analysis on an infected Windows machine that malicious actors had compromised in an effort to carry out fraudulent online banking transactions.
CSIS’s analysis has revealed that the Carbanak gang has been targeting large corporations in Europe and the United States using spear phishing as the attack vector.
While the binaries identified by the security firm are almost identical to previous versions, experts noted that there are some differences. For example, the new variant has been used to target organizations located in new geographical locations.
The new Carbanak also uses random files and mutexes. For command and control (C&C) communications, the Trojan relies on predefined IP addresses instead of domains, and it uses a new proprietary protocol. One of the new samples has been communicating with a C&C server hosted by a well known bulletproof hosting firm, CSIS said.
Researchers have also pointed out that the new Carbanak version is signed using a code-signing certificate issued by Comodo to a Russia-based wholesale company. Experts believe this company might have been set up by the cybercriminals using a fake or stolen identity. They’ve used this company to request a legitimate code-signing certificate instead of having to sign their malware with stolen certificates.
“We speculate that the main purpose of this company is to receive money from fraudulent transactions. As stated in the Kaspersky report, Carbanak-related transfers are rather huge. Possibly, they have registered a company and opened bank accounts in order to receive their stolen money while having full control of the transferring process,” Peter Kruse, partner and e-crime specialist at CSIS, wrote in a blog post.
“Carbanak is what we define as a financial APT. In its nature, it is very targeted and it is being deployed in small numbers. In this way, it tends to slide under the radar,” Kruse explained. “We have observed at least four different new variants of Carbanak targeting key financial personnel in large international corporations.”