The activities of Carbanak, also known as Anunak, came to light in February 2015, when Kaspersky Lab revealed that the group had stolen as much as $1 billion from 100 banks in Russia and many other countries. The cybercrime ring’s activities ceased for roughly five months after Kaspersky published its report.
In September 2015, Denmark-based CSIS Security Group reported that the attackers had created a new version of the Carbanak malware, which they had been using to target major organizations. In February, one year after its initial report on Carbanak, Kaspersky said it spotted new APT-style attacks targeting not only banks, but also the budgeting and accounting departments of other types of companies.
On Monday, Proofpoint reported observing a campaign aimed at Middle Eastern countries such as the United Arab Emirates, Kuwait, Lebanon and Yemen. The attackers seem to be targeting high-level executives, directors, senior managers, and regional and operations managers at banks, financial organizations, enterprise software firms, and professional services companies.
The targets are sent a spear phishing email containing a URL that points to a malicious document designed to exploit an old Office vulnerability (CVE-2015-2545) in order to drop and execute a malware downloader (MSIL/JScript). The downloader then drops the Carbanak payload identified as Spy.Sekur.
In addition to Spy.Sekur, attackers have also sent out emails containing links to a Java-based remote access Trojan (RAT) known as jRAT, which allows attackers to chat with victims, manage files, log keystrokes, manage processes, copy data from the clipboard, capture images via the webcam, record audio, modify registry entries, and shut down or reboot the infected device.
A different campaign monitored by Proofpoint appears to be aimed at the employees of US- and Europe-based companies in the financial and mass media sectors, and apparently unrelated targets specializing in fire, safety and HVAC. The targets are mainly account managers, credit controllers and IT support workers.
In these attacks, the Carbanak gang sent out emails containing malicious Word documents which rely on macros to deliver Spy.Sekur to victims. The server hosting Spy.Sekur was also found to store a variant of the Netwire malware, although this threat has not been seen in any of the email attacks.
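The two document-based delivery mechanisms described above (an Office file exploiting CVE-2015-2545, which abuses EPS image handling, and a Word file carrying VBA macros) both leave recognisable parts inside the OOXML zip container. The following triage script is an added example, not code from the article or from Proofpoint; the sample documents it builds are constructed in memory, and the part names and EPS header bytes it checks are standard OOXML and PostScript conventions rather than anything taken from this campaign.

```python
# Added example: triage an OOXML (docx/xlsx) file for an embedded EPS image
# (the CVE-2015-2545 vector) and a VBA macro project, without opening it in Office.
import io
import zipfile

MACRO_PART = "vbaproject.bin"                       # VBA project storage inside OOXML
EPS_MAGIC = (b"%!PS-Adobe", b"\xc5\xd0\xd3\xc6")    # ASCII EPS header / DOS EPS binary header


def triage_ooxml(data: bytes) -> dict:
    """Return indicators found in an OOXML document supplied as raw bytes.

    Keys: 'is_ooxml' (bool), 'macros' (bool), 'eps_parts' (list of part names).
    """
    result = {"is_ooxml": False, "macros": False, "eps_parts": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with zf:
        names = zf.namelist()
        result["is_ooxml"] = "[Content_Types].xml" in names
        for name in names:
            lowered = name.lower()
            base = lowered.rsplit("/", 1)[-1]
            if base == MACRO_PART:
                result["macros"] = True
            # Look at content, not just the extension: a renamed EPS blob still parses as EPS.
            if "/media/" in lowered or base.endswith(".eps"):
                with zf.open(name) as fh:
                    head = fh.read(16)
                if any(head.startswith(magic) for magic in EPS_MAGIC):
                    result["eps_parts"].append(name)
    return result


def build_sample(parts: dict) -> bytes:
    """Constructed sample: build a minimal OOXML-like zip in memory for testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample({
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed stub",
        "word/media/image1.eps": b"%!PS-Adobe-3.0 EPSF-3.0\n",
    })
    print(triage_ooxml(suspicious))
```

A hit on either indicator is a reason to detonate the file in a sandbox or block it at the mail gateway, not proof of exploitation, since legitimate documents also contain macros and EPS art.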
Experts have also found possible links between Carbanak and threats such as Cybergate, MorphineRAT and DarkComet.
According to Proofpoint, most of the malicious emails were sent to organizations in the United States (17.7 percent), followed by Oman, Australia, UAE, Kuwait, Pakistan, the Netherlands and Germany.
Proofpoint picked up on the targeted emails in early March. Since the last major Carbanak heist was estimated to have taken 3-4 months from the initial infections, experts believe that these attacks could represent the early stages of new campaigns.