Carbanak

Carbanak is a backdoor Trojan that may be associated with Russian spyware campaigns, particularly ones targeting banks and other institutions in the finance sector. While standard security protocols can protect your PCs from Carbanak infiltrations, Carbanak's developers do provide regular updates to this Trojan with the express purpose of avoiding detection by common security tools. Regularly updating your anti-malware products is, therefore, critical for identifying and removing Carbanak before it can compromise your business.

When Robbers Go Straight to the Source

Carbanak (which may refer to both the Trojan and the organization responsible for its development) is a backdoor Trojan that targets banks, rather than customers, with its attacks. Prior campaigns enacted by Carbanak Trojans have resulted in widespread security compromises branching out into the networks of local ATM machines, causing estimated losses of up to a billion dollars. Although Carbanak uses code likely 'borrowed' from the Carberp Trojan, Carbanak benefits from an individualized development plan, giving Carbanak minor but regular updates for evading the latest solutions in anti-malware detection. Using rotating sets of certificates gathered from legitimate companies, such as AV vendor Comodo, gives Carbanak an additional layer of armor.

So far, there is no evidence of Carbanak being distributed in the wild, or towards random victims. Instead, specially-crafted e-mail messages distribute file attachments for installing Carbanak on the systems of any of dozens of separate financial organizations. The use of Svchost.exe to conceal itself lets Carbanak constantly run without any obvious clues that Carbanak is operating.

Other attributes of the newest versions of Carbanak that malware researchers found worthy of note may include:

• Randomized file names may increase the difficulty of identifying Carbanak's files on sight.
• The switch to a new, proprietary protocol for its plugin management system emphasizes Carbanak's continuing devotion to its modular structure. The ability to swap out modules may allow Carbanak to implement new features and characteristics, as instructed.
• Like other backdoor Trojans, Carbanak uses a concealed network connection for contacting Command & Control servers operated by third parties. Via these servers, Carbanak may download other threats, upload collected data or modify the infected PC's settings and files according to any instructs Carbanak receives.

Unusual network configurations are one of the few, visible hallmarks of Carbanak infections, which may spread to compromise multiple systems to facilitate their illicit cash transfers.

Putting Down the Lineage of Carberp Campaigns

Russia is a frequent actor, in the form of an inadvertent host, for a range of diverse threat campaigns. Carbanak's creators have shown little care in concealing their Russian operating basis, and may even have gone as far as registering a legal corporate entity for processing Carbanak's collected funds. On one hand, there are no indications of Carbanak's attacks being government-sanctioned. On the other side, the traditional difficulty of cracking down on Russia-based hackers makes it likely that the Carbanak project may enjoy a long lifespan.

Disguised e-mail files and links are the popular method threat authors favor for compromising companies, NGOs and government systems. Carbanak Trojans utilize the same techniques for initial infections, although secondary compromises are more likely of being caused via network changes. With borders offering no protection from Carbanak attacks, banking institutions should continue observing the highest degrees of PC security protocols. Scanning e-mail files and updating your anti-malware software can save you the trouble of needing to delete Carbanak later or recover from massive losses in funds.

Technical Details