Updating your main database: your brain

May 29 2018

Carbanak and Cobalt malware attacks

Case study: The Carbanak cybercrime group

The Carbanak group has had an interesting history over years of observation. The group attacked banks, e-payment systems, and financial institutions. The gang's activities can be split into three main phases, depending on the malware they used for attacks:

2013 - 2014 — the group developed and used Anunak malware and targeted mainly financial institutions and ATM networks.
2014 - 2016 — the group developed and used Carbanak malware, a newer and more sophisticated version of Anunak.
2016 - 2017 — the group developed custom malware using Cobalt Strike, a legitimate penetration testing framework.

Attackers used spear phishing emails with malicious attachments against employees of the targeted financial institutions, in some cases sending them to their personal email addresses. We believe the attackers also used drive-by download attacks, but this second assumption is still not 100% confirmed. The anonymity of cyberspace makes it difficult to pin down exactly who commits which crimes, though, and whether they're actually all part of the same group or simply using similar tools.

On 26 March, Europol announced the arrest of the yet-unnamed computer criminal mastermind in Alicante, Spain. That individual is responsible for helping to attack 100 financial institutions worldwide and causing more than 1 billion EUR in damages. The cyberattacks mainly targeted banks in Russia, penetrating practically all of the country’s financial system. In Spain, attacks took place in Madrid mainly in the first quarter of 2017, resulting in the theft of about 500,000 euros.



The main suspect was identified as Denis K. by Spain’s interior ministry during a press briefing on the arrest. According to the police report, Denis K. was a Ukrainian who led the organized crime group in their malicious acts. Working with three other gang members, he sent out malware-infected emails to bank employees. If the employees opened the emails, the gang was able to remotely take control of their computers and access banks’ internal databases and systems.

Using redBorder is also highly advised for banks. Running cybersecurity operations in real time will significantly reduce the level of attacks by hackers such as the Carbanak cybercrime group and help keep many cyberattacks at bay. Also, some general tips to prevent this situation are: do not open suspicious emails (especially if they have an attachment), update your software, and turn on heuristics in your security suites.

Bank customers and employees have now been advised to avoid opening any link sent by an unknown sender. This will help mitigate any form of spear phishing attack directed at them by hackers intending to steal their funds online.

