In a blog post published late on Friday, Trend Micro senior threat researcher Maxim Goncharov detailed how the domain name systemsvc.net, which has previously been identified as the command and control (C&C) in the Carbanak indicator of compromise (IOC) report, now serves to the 220.127.116.11 IP address. When he checked this address, the researcher found that the IP is under ASN8342 RTCOMM-AS OJSC RTComm.RU with the identified location of Moscow City, under the Federal Security Service of Russian Federation.
However, he stopped short of saying this was clear evidence of Kremlin involvement, instead suggesting that this may have been done as a prank.
“I still do not know why it happened,” he said of the change. “I do not really think that FSB Russia would point the Carbanak-related domain to an IP address which is affiliated with the Russian Federal Security Service. It is also possible that the owner of the domain has done this as a prank.”
Kaspersky Lab detailed the existence of Carbanak back in February, revealing how the criminal group was able to hit 100 banks and financial organisations across 30 countries from late 2013, stealing around US$ 1 billion (GBP £650 million) in the process.
This Advanced Persistent Threat (APT) attack seemed to revolve around the use of spear-phishing email and exploit kits, as is common in targeted attacks. Attackers also did intelligence gathering about their target networks before the attack. Dutch security vendor Fox-IT says that the malware used in the Carbanak campaign is also known as ‘Anunak'.
Palo Alto Networks later disputed the ‘sophistication' of this attack, saying that the group was largely following the usual methods of spear-phishing weaponised documents leveraging Office vulnerabilities, then followed up by “backdoor drop, malware download, lateral movement, server compromise and data exfiltration.”
However, the firm's Mike Langley, regional VP of Western Europe and South Africa, did say that this was the first time such methods had been used in cyber-espionage campaigns, where the goal is stealing information, and added that attackers did demonstrate a ‘thorough' knowledge of financial services software and networks.
Langley added that this was, however, the first time these methods had been used in cyber-espionage campaigns, where aim is information, large scale stealing, and attackers ‘thorough' knowledge in financial services software and networks,
“If we look at how that initial foothold was gained, however, we don't find anything ‘sophisticated',” said Langley of the initial compromise. “The attackers have sent spear-phishing emails to the victims, weaponised with exploits of Office vulnerabilities (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).”