Carbanak 2.0: A year ago, the Kaspersky Lab warned that digital criminals would be starting to adopt tools and tactics to implement state-sponsored attacks APT (Advanced Persistent Threat) for robberies. 
This year, the company confirms the return of the criminal campaign Carbanak, as Carbanak 2.0, while revealing two more teams that work in the same way: Metel and GCMAN. These groups are attacking financial institutions, using covert admissions similar to those of APT attacks, as well as custom malware, coupled with legitimate software and new, innovative methods to proceed with cash redemption.
Kaspersky Lab's Global Research and Analysis Team made these disclosures during the Kaspersky Security Analyst Summit (SAS), the company's annual event, which is a dialogue platform for malware researchers, developers, law enforcement and Response Teams (CERT) from around the world and members of the wider subject research community better safetys.
The digital criminal group Withel uses many techniques. The interest in its action focuses mainly on the use of a highly intelligent method of action. In particular, this group acquires control of devices and systems within a bank, which have access to money transactions (eg, call center, support computers) to automate the return of transactions from ATM machines.
The reset feature ensures that the debit card balance remains the same regardless of the number of ATM transactions. In the cases observed so far, the criminal group steals money as follows: Traveling at night, making various stops in Russian cities and emptying the ATMs of various banks, repeatedly using the same debit cards issued by the "hacked" bank . In this way, they cash out the money they want in just one night.
"Today, the active phase of a digital assault is getting smaller. When attackers specialize in a specific function, they only need a few days or a week to get what they want and leave the scene, , commented Sergey Golovanov, Principal Security Researcher of Kaspersky Lab's Worldwide Research and Analysis Group.
During the forensic investigation, Kaspersky Lab experts discovered that those responsible behind the Metel campaign achieve the initial “contamination» των συστημάτων, μέσω ειδικά διαμορφωμένων spear-phishing email, που περιέχουν κακόβουλα συνημμένα αρχεία, καθώς και μέσω του πακέτου exploit Niteris, με στόχο τα vulnerabilities in the victim's browser. Once in the network, cybercriminals use legitimate tools and penetration testing tools to move stealthily, breaching the local domain controller and – finally – locating and controlling the computers of bank employees, who are responsible for processing card payments.
The Metel team remains active and research on its activities is under way. So far, no attacks have been detected outside Russia. However, it is suspected that "contamination" is much more prevalent. For this reason, it is proposed to carry out preventive audits by the banks.
All three detected gangs are turning to the use of malicious software accompanied by legitimate software for their fraudulent activities. Why create many custom malware tools, when many legitimate media can be as effective, triggering so fewer alarms?
However, as far as attempts to conceal, the group GCMAN goes even further. Sometimes, it can successfully attack, without using any malicious program, "running" only legitimate tools and penetration testing tools. In cases that have been investigated by Kaspersky Lab specialists, the GCMAN campaign used the Putty, VNC and Meterpreter utilitys to hide secretly on the network until attackers arrive at a machine that could be used to transfer money to electronic money services without warning other banking systems.
In one of the attacks investigated by Kaspersky Lab, digital criminals have stayed on the network for a year and a half before they steal theft. The money was transferred to about $ 200. This is the maximum amount for anonymous payments in Russia. Every minute, the CRON scheduler sent a malicious scenario and another amount was transferred to electronic money accounts, which were intended for money laundering. Transaction orders were sent directly to the bank's upstream payment gateway and were no longer present in its internal systems.
Finally, the Carbanak 2.0 marks the reappearance of the Carbanak Attack APT. Within this campaign, the same tools and techniques are used, but the profile of the victims is different, and innovative ways of redeeming money are also observed.
The objectives of the Carbanak 2.0 campaign are not limited to banks, but extend to the financial directorates and accounts of organizations that are of interest to digital criminals. In a typical case investigated by Kaspersky Lab, the Carbanak 2.0 gang gained access to a financial institution and proceeded to change the ownership credentials of a large company. The information was modified to present an "intermediary" as a shareholder of the company, displaying its own identity.
"The attacks on financial institutions revealed by 2015 show a worrying trend: Digital criminals adopt tactics similar to those of APT attacks. The Carbanak gang was only the first of many to see. Today, digital criminals are quickly learning how to use new techniques in their activities, while many criminal groups shift their interest in targeting users to direct attacks on banks. Their logic is simple: there is the money, warns Sergey Golovanov. "Our goal is to highlight how and where, in particular, threatening agents can strike to seize your money. Following the GCMAN gang attack, we expect to see if the web banking servers are protected. As far as Carbanak is concerned, it is up to businesses to strengthen the protection of the database containing information on account owners, not just bank balances, he added.
Kaspersky Lab products detect and block the malware used for the Carbanak 2.0, Metel, and GCMAN campaigns. The company will also launch a series of Critical Infringement Indicators and other data to help organizations look for traces of these gangs in their corporate networks. More information is available at: https://securelist.com/blog/research/73638/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/.
Following the latest developments, Kaspersky Lab calls on all organizations to carefully monitor their networks for the presence of Carbanak, Metel and GCMAN. In case of detection, the organizations are called upon to remove the "contamination" from their systems and report the invasion to the prosecuting authorities.
