Kaspersky confirms return of Carbanak and two more banking APT groups

Kaspersky has confirmed the return of Carbanak as Carbanak 2.0 and uncovered two more groups working in the same style: Metel and GCMAN.

Russian Bank

The news comes a year after Kaspersky Lab warned that cyber-criminals would start to adopt the tools and tactics of nation-state backed APTs in order to rob banks and attack financial organisations. Carbanak 2.0 marks the re-emergence of the Carbanak advanced persistent threat (APT), with the same tools and techniques but a different victim profile and innovative ways to cash out.

Using customised malware along with legitimate software is just one of the new schemes to cash out in use by the Metel cyber-criminal group. By gaining control over machines inside a bank that have access to money transactions (eg, the bank's call centre/support computers) the gang can automate the rollback of ATM transactions.

The rollback capability ensures that the balance on debit cards remains the same regardless of the number of ATM transactions undertaken.

The criminal group steals money by driving around cities in Russia at night and emptying ATM machines belonging to a number of banks, repeatedly using the same debit cards issued by the compromised bank. In the space of just one night they manage to cash out.

During the forensic investigation, Kaspersky Lab reports that Metel operators achieve their initial infection through specially crafted spear-phishing emails with malicious attachments, and through the Niteris exploit pack, targeting vulnerabilities in the victim's browser.

The Metel group remains active and the investigation into its activities is ongoing. So far no attacks outside Russia have been identified. Still, there are grounds to suspect that the infection is much more widespread, and banks around the world are advised to proactively check for infection.

Likewise, GCMAN was observed by Kaspersky Lab to use PuTTY, VNC, and Meterpreter utilities to move laterally through the network until the attackers reached a machine which could be used to transfer money to e-currency services without alerting other banking systems.

In one particular case, the group stayed in the network for one-and-a-half years. Money was being transferred in sums of about $200, the upper limit for anonymous payments in Russia.

Every minute, the CRON scheduler fired a malicious script, and another sum was transferred to an e-currency account belonging to a money mule. The transaction orders were sent directly to the bank's upstream payment gateway and did not show up anywhere in the bank's internal systems.
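The pattern described above (a scheduled script sending a near-limit sum to a mule account every minute, straight to the upstream gateway and invisible to internal systems) points to two defender-side checks. The following added example, which is not code from the article or from Kaspersky, runs both over a constructed gateway log and a constructed internal ledger: reconciliation of gateway-side transactions against the internal ledger, and detection of regular, sub-limit transfers to a single destination. The log layout, field names, thresholds and account identifiers are assumptions.

```python
"""Two checks for GCMAN-style cash-out: gateway transactions the core ledger never
recorded, and a steady drumbeat of at-or-below-limit transfers to one destination."""
from collections import defaultdict
from datetime import datetime

# Constructed sample of an upstream payment-gateway log (timestamp, tx id, amount, destination)
GATEWAY_LOG = """\
2015-03-01T02:00:00 tx1001 200.00 ecur-77A1
2015-03-01T02:01:00 tx1002 200.00 ecur-77A1
2015-03-01T02:02:00 tx1003 199.50 ecur-77A1
2015-03-01T02:03:00 tx1004 200.00 ecur-77A1
2015-03-01T02:10:00 tx1005 1500.00 merchant-0042
2015-03-01T02:11:00 tx1006 200.00 ecur-77A1
"""
# Constructed internal ledger: tx ids the bank's own systems know about
INTERNAL_LEDGER = {"tx1005"}

ANON_LIMIT = 200.0  # upper limit for anonymous payments cited in the article


def parse_gateway_log(text):
    """Parse the assumed four-column log format into (datetime, txid, amount, dest) rows."""
    rows = []
    for line in text.splitlines():
        ts, txid, amount, dest = line.split()
        rows.append((datetime.fromisoformat(ts), txid, float(amount), dest))
    return rows


def find_unreconciled(rows, ledger):
    """Tx ids seen by the gateway but absent from the internal ledger."""
    return [txid for _, txid, _, _ in rows if txid not in ledger]


def find_periodic_small_transfers(rows, limit=ANON_LIMIT, min_count=3, max_gap_s=120):
    """Destinations receiving >= min_count transfers at/below `limit` spaced <= max_gap_s apart.
    Returns {destination: total transfers at/below limit} for each flagged destination."""
    by_dest = defaultdict(list)
    for ts, _, amount, dest in rows:
        if amount <= limit:
            by_dest[dest].append(ts)
    flagged = {}
    for dest, times in by_dest.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        tight = sum(1 for g in gaps if g <= max_gap_s)  # scheduler-driven transfers arrive at a fixed cadence
        if tight + 1 >= min_count:
            flagged[dest] = len(times)
    return flagged


if __name__ == "__main__":
    rows = parse_gateway_log(GATEWAY_LOG)
    print("unreconciled:", find_unreconciled(rows, INTERNAL_LEDGER))
    print("periodic sub-limit transfers:", find_periodic_small_transfers(rows))
```

A single hit from either check warrants a look at scheduled jobs on hosts that can reach the gateway; both together match the behaviour the article attributes to GCMAN.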

Sergey Golovanov, malware expert at Kaspersky Lab, commented: “Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cyber-criminals aggressively embracing APT-style attacks. The Carbanak gang was just the first of many: cyber-criminals now learn fast how to use new techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly. Their logic is simple: that's where the money is.”