ESET analyzes
new malware samples used by the Carbanak financial APT group, previously
responsible for the theft of millions of dollars, credit card data and intellectual
property.
At the end of August, ESET telemetry detected traces of
activity by the infamous APT group known as Carbanak. ESET researchers
investigating this gang’s activities offer an in-depth analysis of their
findings in the blog post titled “Carbanak Gang is Back and Packing New Guns,” which is
now available on WeLiveSecurity.com.
With victims mostly in the United States, Germany,
the United Arab Emirates and the United Kingdom, the Carbanak group keeps attacking
specific targets in the finance industry, including banks,
Forex-trading companies and even an American casino hotel.
“For infection, the gang doesn’t use just one malware
family to carry out its operations, but it employs several of them. The code in
these different families contains similar traits, including the same digital
certificate,” says Anton Cherepanov, Malware Researcher at ESET. “In fact, Win32/Spy.Agent.ORM, a new first-stage component used
by the attackers, also known as Win32/Toshliph, as well as Win32/Wemosis, a backdoor capable of scraping the
memory of Point-of-Sale systems for credit card data, both share some
similarities in their code with ‘the standard’ Carbanak malware, detected by
ESET as Win32/Spy.Sekur.”
Furthermore, the attackers are updating their
arsenal with the latest exploits, such as the Microsoft Office remote code
execution vulnerability (CVE-2015-1770) and the Windows OpenType font driver
vulnerability (CVE-2015-2426), whose zero-day exploit leaked in the
Hacking Team dump.
The ESET research team continues to monitor the
Carbanak threats. For any enquiries or sample submissions related to the
subject, please contact us at threatintel@eset.com.