Source Code for CARBANAK Banking Malware Found On VirusTotal

April 30, 2019
CARBANAK Banking Malware

What do we know about Carbanak malware

Carbanak has an impressive portfolio behind its reputation: it is considered the leading player in Advanced Threat Protection attacks and is believed to be one of the successful attacks in the world, used entirely against banks, financial institutions, hospitals, and restaurants. It was first seen on the threat landscape in 2014, used by organized cybercriminals, and one significant reason it stays undetected is that the malware's tactics constantly evolve. It was first thought to be related to the Carnabak trojan, as it was first rumored to be spotted in July of 2018; however, it was found to be distinct.

What should we be alarmed about

A major revelation was that the VirusTotal malware scanning engine was compromised and found, bearing a Russian IP address, with Carbanak's source code: 20 MB in size, comprising 755 files, builders, and unknown plugins in two archive files. Cobalt Strike was developed and used primarily for these operations.

How Carbanak was launched

  • Actors bought access to compromised bank computers.
  • Cybercrime vendors who run immense botnets sell access to a wide selection of affected zombies from other countries.
  • A quick search for a user's email domain can reveal the employee's company.
  • Targeting the bank system through a backdoor channel.
  • Threat actors sent malicious spear-phishing emails to numerous employees at different banks via affected endpoints.
  • Emails contained exploit-laden attachments that downloaded a trojan onto the employee's endpoint.
  • Compromised banks were then kept under close watch: the malware grabbed regular video and screen-capture feeds and transmitted them back to the attackers.
  • Daily banking operations, including staff's stolen credentials, are studied and planned for the so-called D-Day.
  • With keyloggers and data-stealing malware capabilities provided, the hostile watch team will eventually launch the next phase of the attack.
  • A mix of multi-channel fraud that abused both online and physical systems from within the banks' service ports.
  • Physical ATMs will dispense cash as the gang's mules are there to pick it up.
  • Compromised databases with fraudulent accounts created, cards issued, and account balances modified to wire out more cash.

How can we foil this attack

As always, we suggest a multi-layered defense mechanism to safeguard both corporate endpoints and internal systems against this type of advanced malware. We can't deny that social engineering awareness would have a tremendous impact, considering that it requires less effort and no monetary involvement.

