Carbanak New Versions Target Europe and USA

Name: Carbanak
Type: Banking Trojan
Short Description: Carbanak is a banking Trojan with several new, digitally signed variants.
Symptoms: A signed copy of svchost.exe is dropped in a static path under the Mozilla folder in ProgramData, and the malware injects itself into the legitimate svchost.exe process.
Distribution Method: Phishing scams.

The infamous Carbanak banking Trojan, used to steal as much as $1 billion from financial organizations around the world, is active once again. Security researchers at CSIS (csis.dk) managed to isolate a signed binary that later turned out to be a new sample of Carbanak, also known as Anunak.

Carbanak is a true nightmare for banks. Kaspersky Lab dubbed the Carbanak attack ‘the great bank robbery’. Analysis by specialists at Kaspersky and CSIS revealed that the Trojan has returned and is currently targeting corporations in Europe and the United States. The attacks are initiated via phishing scams.

VirusTotal has analyzed a malicious file associated with Carbanak. Have a look at the Carbanak scan report.

What’s New with the New Carbanak Variant?

One of the most notable facts about Carbanak 2.0 is that the binary is digitally signed. The sample was found on an affected Windows 7 system at the following location:

C:\ProgramData\Mozilla\svchost.exe

On Windows XP the equivalent location is:

C:\Documents and Settings\All Users\Application Data\Mozilla\svchost.exe

It also adds a Run key to the registry so that the code is executed again whenever the system is rebooted.

CSIS researchers confirm that both the folder and the file name are static and can therefore be used as an Indicator of Compromise. An Indicator of Compromise (IoC) is an artifact found on a network or on a single machine that indicates, with high confidence, that the system has been infected.

NOTE that Carbanak injects itself into the svchost.exe process and also manages to hide its presence in memory, so the dropped file and the Run key are the easiest artifacts to look for.

Carbanak is also designed to use plugins. They are installed through Carbanak’s own protocol and communicate with a hard-coded IP address over TCP port 443. The plugins the CSIS team managed to download during their analysis were wi.exe and klgconfig.plug.
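The indicators above (the static drop path, the Run key, the signed svchost.exe, the injection into svchost.exe and the plugin traffic to a hard-coded IP on TCP 443) can be turned into a host triage script. The following PowerShell is an added example written for this page; it is not code from the CSIS or Kaspersky analyses. The two file paths and the port 443 value come from the article; the function names, the SHA-256 helper and the "svchost.exe running from outside System32" heuristic are this example's own assumptions.

```powershell
# Added example: host triage for the Carbanak 2.0 indicators described above.
# Paths and port are from the article; function names and the non-System32
# svchost.exe heuristic are this example's own assumptions.
# Run from an elevated PowerShell session. Get-NetTCPConnection needs Windows 8 /
# Server 2012 or later and is skipped where it is not available.

$IocPaths = @(
    "$env:ProgramData\Mozilla\svchost.exe",                                      # Windows Vista / 7 and later
    'C:\Documents and Settings\All Users\Application Data\Mozilla\svchost.exe'   # Windows XP
)
$C2Port = 443

function Get-Sha256Hex([string]$Path) {
    # .NET hashing so the script also runs on PowerShell 2.0 (no Get-FileHash there).
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    ([System.BitConverter]::ToString($hash)) -replace '-', ''
}

function Test-CarbanakFile {
    # Folder and file name are static, so the mere presence of the file is the IoC.
    foreach ($p in $IocPaths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        $sig = Get-AuthenticodeSignature -FilePath $p
        [pscustomobject]@{
            Path      = $p
            SHA256    = Get-Sha256Hex $p
            SigStatus = $sig.Status   # 'Valid' is NOT a clean bill of health: the sample carried a valid Comodo-issued signature
            Signer    = $sig.SignerCertificate.Subject
            Issuer    = $sig.SignerCertificate.Issuer
            NotBefore = $sig.SignerCertificate.NotBefore
        }
    }
}

function Test-CarbanakRunKey {
    # Persistence check: a Run/RunOnce value that launches an svchost.exe from anywhere
    # other than System32 / SysWOW64. The real svchost.exe is started by the Service
    # Control Manager, never from a Run key.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        $props = Get-ItemProperty -Path $k
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -match '^PS') { continue }        # skip PSPath, PSParentPath, ... metadata
            $cmd = [string]$prop.Value
            if ($cmd -match 'svchost\.exe' -and $cmd -notmatch '\\(System32|SysWOW64)\\svchost\.exe') {
                [pscustomobject]@{ Key = $k; Name = $prop.Name; Command = $cmd }
            }
        }
    }
}

function Test-CarbanakProcess {
    # Carbanak injects into svchost.exe, so a process-name check alone proves nothing.
    # Flag svchost.exe images running from outside System32 / SysWOW64 and list their
    # established connections to remote port 443 (candidate hard-coded C2 addresses).
    $procs = Get-Process -Name svchost -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -notmatch '\\(System32|SysWOW64)\\svchost\.exe$' }
    foreach ($proc in $procs) {
        $remotes = @()
        if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
            $remotes = Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
                Where-Object { $_.RemotePort -eq $C2Port } |
                ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
        }
        [pscustomobject]@{ ProcessId = $proc.Id; Image = $proc.Path; Port443Peers = ($remotes -join ', ') }
    }
}

'== File indicators ==';                        Test-CarbanakFile    | Format-List
'== Run key indicators ==';                     Test-CarbanakRunKey  | Format-Table -AutoSize
'== svchost.exe outside System32 / 443 peers =='; Test-CarbanakProcess | Format-Table -AutoSize
```

Two caveats matter when reading the output. A signature status of Valid is exactly what the CSIS sample produced, because the certificate was genuinely issued by Comodo, so treat the signer and issuer fields as evidence to pivot on, not as a reason to close the case. The process check only catches the dropped copy of svchost.exe; once Carbanak has injected into the legitimate System32 svchost.exe, that process will also talk to port 443 for normal Windows traffic and is deliberately not flagged here, so a host with a positive file or Run key hit should be memory-imaged and scanned rather than cleaned in place.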

The differences between the old and the new version of Carbanak are:

  • New targets have been added.
  • A new proprietary protocol is used.
  • Randomly named files and mutexes are used.
  • Predefined IP addresses are used instead of domains.

These differences aside, the binaries of the two versions are almost identical. Interestingly, the command and control server of the new sample can be linked to a familiar bulletproof hosting provider.

Carbanak’s New Digital Signature

As already stated, the new Carbanak is digitally signed with a certificate issued by Comodo. Several conclusions can be drawn from this. First, the short interval between the date the company was registered and the date the certificate was issued suggests that the criminals most likely registered the company themselves, using a stolen identity or forged documents.

Another explanation is that the group registered a real company rather than using a stolen certificate (as it did with the old version). The company may have been created in the first place to receive the money from fraudulent transactions. As Kaspersky noted previously, Carbanak transactions are quite large and require full control over the transfer process.

Financial organizations around the world, especially those in Europe and the USA, are at serious risk, because Carbanak operates in a strictly targeted manner and can remain unnoticed since it is deployed in small numbers. Further new variants of Carbanak aimed at large businesses may well be in preparation.

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.
