17.9.15

Carbanak Gang Returns for More Money


ESET analyzes new malware samples used by the Carbanak financial APT group previously responsible for the theft of millions of dollars, credit cards and intellectual property.

At the end of August, ESET telemetry has detected traces of activity of the infamous APT group, a.k.a Carbanak. ESET researchers investigating this gang’s activities offer an in-depth analysis of their findings in the blogpost titled “Carbanak Gang is Back and Packing New Guns,” which is now available on WeLiveSecurity.com.

With victims mostly in the United States, Germany, United Arab Emirates, United Kingdom, the Carbanak group keeps attacking specific targets related to the finance industry, including banks, Forex-trading companies, and even an American casino hotel.   

“For infecting, the gang doesn’t use just one malware family to carry out its operations, but it employs several of them. The code in these different families contains similar traits, including the same digital certificate,” says Anton Cherepanov, Malware Researcher at ESET. “In fact, Win32/Spy.Agent.ORM, a new first-stage component used by the attackers, also known as Win32/Toshliph,  as well as Win32/Wemosis, a backdoor capable of scraping memory of Point-of-Sale systems for credit card data, both share some similarities in their code with “the standard” Carbanak malware, detected by ESET as Win32/Spy.Sekur.”

Furthermore, the attackers are updating their arsenal with the latest exploits, such as the Microsoft Office remote code execution vulnerability (CVE-2015-1770) or the zero-day exploit leaked in the Hacking Team dumps (CVE-2015-2426).


ESET research team continues to monitor the Carbanak threats. For any enquiries or sample-submissions related to the subject, please contact us at: threatintel@eset.com.