Carbanak trojan reloaded! A new variant spotted in the wild

The CSIS Security Group has spotted a new version of the notorious Carbanak Trojan in the wild, targeting financial organizations in Europe and the US.

Do you remember the Carbanak gang? In February, researchers from Kaspersky disclosed a multinational hacking crew, dubbed Carbanak, that had swiped as much as 1 billion dollars from about 100 financial institutions across 30 countries; most of the victims were located in Russia, the US, Germany, China and Ukraine.

Last week the CSIS Security Group found that the Carbanak malware is still being used in spear-phishing attacks against major organizations in the US and Europe.

“Just recently, CSIS carried out a forensic analysis involving a Microsoft Windows client that was compromised in an attempt to conduct fraudulent online banking transactions. As part of the forensic task, we managed to isolate a signed binary, which we later identified as a new Carbanak sample.” states a blog post published by the CSIS.

“We speculate that the main purpose of this company is to receive money from fraudulent transactions. As stated in the Kaspersky report, Carbanak-related transfers are rather huge. Possibly, they have registered a company and opened bank accounts in order to receive their stolen money while having full control of the transferring process,”

The experts noticed that the binaries used by the newly discovered Carbanak samples are similar to the previous versions, apart from a number of improvements. The new binaries use mutexes and random files, and the communication with the C&C server relies on a proprietary protocol.

“We have observed at least four different new variants of Carbanak targeting key financial personnel in large international corporations.”

The new Carbanak trojan relies on predefined IP addresses instead of domains in order to improve its evasion capability: hardcoding the C&C address avoids the DNS lookups that domain-reputation filtering and sinkholing would catch, at the cost of making the infrastructure harder to move. Its code is signed with a digital certificate issued by Comodo to a Russia-based wholesale company. Note that a valid Authenticode signature only proves the binary has not been altered since the certificate holder signed it; it says nothing about whether the binary is benign, so the signer's subject should be treated as an indicator (and reported to the CA for revocation) rather than as a reason to trust the file.

Carbanak digital certificate

One of the new samples analyzed by the researchers was communicating with a C&C server hosted by a bulletproof hosting provider.

The CSIS reported the following list of differences between these new variants and the previously observed Carbanak:
– new geographical targets
– a new proprietary protocol
– the use of random files (i.e. the main component is static) and mutexes
– predefined IP addresses (previous variants were using domains)
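The hardcoded-IP change in the last item is also the easiest one to turn against the sample: whatever the proprietary C&C protocol looks like, the address usually ends up in the binary as an ASCII or UTF-16LE string, so a strings-style scan recovers it without running the file. The Python below is an added example written for this page, not CSIS's tooling; the sample bytes are constructed, the two public addresses in it are placeholders rather than indicators from the report, and the "version" heuristic used to discard VersionInfo values that happen to parse as addresses is an assumption.

```python
"""Triage helper: recover hardcoded IPv4 addresses from a binary.

Added example for this article; it is not CSIS's tooling and the sample
bytes are constructed. A sample that carries its C2 as a predefined IP
(instead of resolving a domain) leaves the address in the file as an
ASCII or UTF-16LE string, so a strings-style scan recovers the indicator
without running the binary. The version-string heuristic is an assumption
made for the demo.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# A dotted quad that is not part of a longer digit/dot run (rejects 6.1.7601.17514).
_IP_TEXT = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Printable runs of 7+ chars, like `strings` (ASCII) and `strings -el` (UTF-16LE).
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{7,}")
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){7,}")


def _printable_runs(blob: bytes) -> List[Tuple[int, int, str]]:
    """Return (offset, bytes_per_char, text) for every printable run, in file order."""
    runs = [(m.start(), 1, m.group().decode("ascii")) for m in _ASCII_RUN.finditer(blob)]
    runs += [(m.start(), 2, m.group().decode("utf-16-le")) for m in _WIDE_RUN.finditer(blob)]
    return sorted(runs)


def extract_ipv4(blob: bytes) -> Dict[str, str]:
    """Map each dotted quad in the blob to 'routable', 'non-routable' or 'version-like'."""
    runs = _printable_runs(blob)
    found: Dict[str, str] = {}
    for idx, (offset, width, text) in enumerate(runs):
        # The string directly before this one, e.g. the VersionInfo key that
        # precedes a value such as "1.0.0.1" (which parses as a valid address).
        label = ""
        if idx > 0:
            prev_off, prev_width, prev_text = runs[idx - 1]
            if offset - (prev_off + prev_width * len(prev_text)) <= 4:
                label = prev_text
        for m in _IP_TEXT.finditer(text):
            quad = m.group(1)
            try:
                addr = ipaddress.IPv4Address(quad)
            except ValueError:  # an octet above 255: a build number, not an address
                continue
            if "version" in (label + text[: m.start()]).lower():
                kind = "version-like"
            elif addr.is_global:
                kind = "routable"  # public address: the only kind worth pivoting on
            else:
                kind = "non-routable"  # loopback, RFC 1918, link-local, etc.
            found.setdefault(quad, kind)
    return found


def c2_candidates(blob: bytes) -> List[str]:
    """Sorted list of routable addresses, i.e. the candidates to block and hunt for."""
    return sorted(ip for ip, kind in extract_ipv4(blob).items() if kind == "routable")


# Constructed stand-in for a sample's .data and resource sections. The two
# public addresses are placeholders for the demo, not indicators from the report.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"POST /gate HTTP/1.1\x00"
    + b"5.6.7.8\x00"                                      # ASCII C2 placeholder
    + b"127.0.0.1\x00" + b"10.0.0.1\x00"                  # loopback / private noise
    + b"6.1.7601.17514\x00"                                # Windows file version
    + "ProductVersion".encode("utf-16-le") + b"\x00\x00"
    + "1.0.0.1".encode("utf-16-le") + b"\x00\x00"          # wide version value
    + "23.45.67.89:443".encode("utf-16-le") + b"\x00\x00"  # wide C2 placeholder
)

if __name__ == "__main__":
    for quad, kind in extract_ipv4(SAMPLE).items():
        print(f"{quad:<16} {kind}")
    print("C2 candidates:", c2_candidates(SAMPLE))
```

Run it against a real sample with `extract_ipv4(open(path, "rb").read())`. The scan only sees addresses stored as text; a sample that keeps the C2 as a packed 32-bit value or builds the string at runtime needs a second pass over the decoded configuration, and a routable hit still has to be confirmed against the network capture before it is blocked.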

The experts at CSIS describe the Carbanak gang as a financial APT because of the targeted nature of the attacks it carries out.

Pierluigi Paganini

(Security Affairs – malware, Carbanak cybergang)