New variants of the notorious Carbanak Trojan have surfaced in Europe and the United States, and researchers say that the malware now has its own proprietary communications protocol and the samples seen so far have been digitally signed.
Carbanak has been in use for several years, and researchers at Kaspersky Lab earlier this year revealed the details of a major Carbanak campaign that took banks for about $1 billion. That campaign targeted banks directly, rather than going after end users. The attacks begin with spearphishing emails that have rigged attachments containing the Carbanak backdoor. Once on a compromised machine, Carbanak gives attackers remote control of the machine and the criminals used that as a foothold on the bank’s network and then stole money in several different ways.
“These bank heists were surprising because it made no difference to the criminals what software the banks were using. So, even if its software is unique, a bank cannot get complacent. The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber-robbery,” Sergey Golovanov, Principal Security Researcher at Kaspersky Lab’s Global Research and Analysis Team, said when the Carbanak report was released earlier this year.
Now, researchers at CSIS in Denmark say they’ve seen new variants of Carbanak that have some unique characteristics. The folder in which Carbanak installs itself and the filename it uses are both static. The malware injects itself into the svchost.exe process as a way to hide itself.
“Just recently, CSIS carried out a forensic analysis involving a Microsoft Windows client that was compromised in an attempt to conduct fraudulent online banking transactions. As part of the forensic task, we managed to isolate a signed binary, which we later identified as a new Carbanak sample,” Peter Kruse of CSIS wrote in an analysis of the malware.
“As several other advanced data stealing threats, Carbanak utilizes plugins. The plugins are installed using Carbanak’s own protocol and communicating with a hardcoded IP address over TCP port 443. The two plugins downloaded during our analysis were ‘wi.exe’ and ‘klgconfig.plug’.”
The signature on the samples that CSIS analyzed was from Comodo and the certificate is issued to a company in Moscow. Kruse said that targets in both the U.S. and Europe have been hit with the new variants of Carbanak.
“Carbanak is what we define as a financial APT. In its nature, it is very targeted and it is being deployed in small numbers. In this way, it tends to slide under the radar. We have observed at least four different new variants of Carbanak targeting key financial personal in large international corporations,” Kruse said.