Carbanak APT

VIRUS DEFINITION

Virus Type: Advanced Persistent Threat (APT)

What is Carbanak?

Carbanak is the name we use for an APT-style campaign targeting (but not limited to) financial institutions. We say APT-like, however the attack is not strictly speaking Advanced. Strictly speaking, the main feature defining the attackers is Persistence.

The attackers infiltrate the victim´s network looking for the critical system they can use for cashing money out. Once they have stolen a significant amount of money (from 2.5 to 10 MM USD per entity), they abandon the victim.

How is this different from any other APT attack?

The main difference with other APT attacks is that attackers do not see data but money as their primary target.

The Carbanak criminal gang responsible for the cyberrobbery used techniques drawn from the arsenal of targeted attacks. The plot marks the beginning of a new stage in the evolution of cybercriminal activity, where malicious users steal money directly from banks, and avoid targeting end users.

Does Kaspersky Lab detect all variants of this malware?

Yes, we detect Carbanak samples as Backdoor.Win32.Carbanak and Backdoor.Win32.CarbanakCmd.

All Kaspersky Lab’s corporate products and solutions detect known Carbanak samples. To raise the level of protection, it is recommended to switch on Kaspersky's Proactive Defense Module included in each modern product and solution.

We also have some general recommendations:

• Do not open suspicious emails, especially if they have an attachment;
• Update your software (in this campaign no 0days were used)
• Turn on heuristics in your security suites, this way it is more likely that such new samples will be detected and stopped from the beginning.

How to identify the intrusion?

There are Indicators of Compromise information included in our detailed technical research paper.

Kaspersky Lab urges all financial organizations to carefully scan their networks for the presence of Carbanak and, if detected, report the intrusion to law enforcement.

So far, we've observed two main objectives from the attackers:

• Intelligence gathering
• Facilitating other types of attacks

So far, victims of Regin were identified in 14 countries:

• Algeria
• Afghanistan
• Belgium
• Brazil
• Fiji
• Germany
• Iran
• India
• Indonesia
• Kiribati
• Malaysia
• Pakistan
• Russia
• Syria

In total, we counted 27 different victims, although it should be pointed out that the definition of a victim here refers to a full entity, including their entire network. The number of unique PCs infected with Regin is of course much, much higher.

Is this a nation-state sponsored attack?

Considering the complexity and cost of Regin development, it is likely that this operation is supported by a nation-state.

What country is behind Regin?

Attribution remains a very difficult problem when it comes to professional attackers such as those behind Regin.

Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?

Yes, IOC information has been included in our detailed technical research paper.