The infamous Carbanak Banking Trojan that stole more than $1 billion from global financial organizations is active once again. Security researchers at Csis.dk managed to isolate a signed binary that later turned out to be a new sample of Carbanak, also known as Anunak.
Carbanak is a true nightmare to banks. Kaspersky Lab dubbed the Carbanak attack ‘the great bank robbery’. Analysis done by specialists at Kaspersky and Csis revealed that the Trojan has returned and is currently targeting corporations in Europe and the United States. The attacks are initiated via phishing scams.
VirusTotal has analyzed a malicious file associated with Carbanak. Have a look at the Carbanak scan report.
What’s New with the New Carbanak Variant?
One of the fascinating facts about Carbanak 2.0 is the fact that it is digitally signed. This was found on an affected Windows 7 system at the following location:
C://Program//DataMozilla//svchost.exe. Location on Windows XP: C://Documents and Settings//All Users//Application Data//Mozillasvchost.exe
It also adds a runkey to the registry to make sure that the code is executed when the system is rebooted.
CSIS Researchers confirm that the folder and the file are both static and can be employed as an Indicator of Compromise. An Indicator of Compromise is an artifact located on a network or on a single machine that confidentially indicates a computer infection.
NOTE that Carbanak injects itself into the process of svchost.exe. It also succeeds in hiding its presence in the memory.
Carbanak is also designed to use plugins. They are installed with the help of Carbanak’s protocol and communicate with a hard coded IP address over TCP port 443. The plugins successfully downloaded during the analysis of the Csis team were wi.exe and klgconfig.plug.
Differences between the old and the new version of Carbanak are:
- New targets are added.
- A new proprietary protocol is used.
- Random files and mutexes are used.
- Predefined IP addresses are used, instead of domains.
These differences aside, the binaries of both of the versions are almost the same. Interestingly enough, the command and control server of the new sample can be linked to a familiar bulletproof hosting enterprise.
Carbanak’s New Digital Signature
As already stated, the new Carbanak is digitally signed using Comodo. This fact can bring about several conclusions. First of all, the space between the dates when the company was registered, and a certificate was issued may indicate that cyber crooks most likely registered their own company. To do that, they may have used stolen identity or fake documents.
Another explanation is that the hacking team has recorded a real company instead of employing a stolen certificate (as with the old version). The reason the company was created in the first place may be to receive money from forged transactions. As previously noted by Kaspersky, Carbanak transactions are quite significant and need full control over the transfer process.
Global financial organizations, especially the ones located in Europe or the USA, can be in great danger since Carbanak acts in a strictly targeted manner. Furthermore, it can remain unnoticed because it is being deployed in small numbers. Additionally, there may be even more new variants of Carbanak planning to attack big business.