
An APT Blueprint: Gaining New Visibility into Financial Threats

Liviu ARSENE

June 04, 2019


This new Bitdefender forensic investigation reveals a complete attack timeline and behavior of a notorious financial cybercriminal group, known as Carbanak.

In mid-2018, Bitdefender researchers investigated a targeted attack on an Eastern European financial institution, gaining new insights and creating a complete event timeline showing how the infamous group Carbanak infiltrates organizations, how it moves laterally across the infrastructure, and the time it takes to set up the actual heist.

While most forensic investigations focus on offering a highly technical analysis of the payloads used by the Carbanak group, Bitdefender’s investigation offers a complete timeline of events, from the moment the email reached the victim’s inbox to the moment of the heist.

Carbanak is one of the most prolific APT-style cyberattacks, specifically targeting the financial sector. Discovered in 2014, the campaign quickly gained notoriety after compromising the security systems of 100 banks in 40 countries and stealing up to $1 billion in the process. Banks in countries such as Russia, the United Kingdom, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia, Taiwan and Malaysia have allegedly been targeted with spear-phishing emails, luring victims into clicking malicious URLs and executing booby-trapped documents.

The same group is believed to have also been using the Cobalt Strike framework to run sophisticated campaigns, plotting and performing financial heists of financial institutions. Following an investigation led by law enforcement in cooperation with cybersecurity companies, the leader of the group was apprehended in Alicante, Spain, on March 26th, 2018.

Bitdefender’s forensic analysis revealed some key compromise tactics:

  • Financial institutions in Eastern Europe remain the primary focus of the criminal group, which uses spear phishing as the main attack vector
  • The presence of Cobalt Strike hacking tools is the key indicator that the financial institutions were targeted by the Carbanak cyber-criminal gang
  • In the reconnaissance phase, data related to banking applications and internal procedures was collected and prepared for exfiltration, to be used for the final stage of the attack
  • Infrastructure reconnaissance mainly occurred after business hours or on weekends to avoid triggering security alarms
  • It took attackers only a couple of hours from initial compromise to fully establish a foothold and begin lateral movement, showing experience, knowledge and coordination
  • The final goal of the targeted attack was to compromise the ATM networks, potentially to cash out at ATMs in a coordinated physical and infrastructure criminal operation
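One of the findings above is that infrastructure reconnaissance ran after business hours or on weekends. The following added example (not from the Bitdefender paper) shows a simple hunting check that turns that observation into a rule: it flags any source host that touches several distinct internal targets outside an assumed 08:00-19:00 weekday window. The event records, host names and the business-hours window are all constructed for the example.

```python
from datetime import datetime

# Constructed sample events: (ISO timestamp, source host, target host, action).
# Invented for this example; not taken from the investigation.
SAMPLE_EVENTS = [
    ("2018-06-04T09:15:00", "WS-12", "FS-01",  "smb_session"),  # Monday, business hours
    ("2018-06-04T14:02:00", "WS-12", "FS-01",  "smb_session"),
    ("2018-06-09T23:41:00", "WS-12", "DC-01",  "ldap_query"),   # Saturday night
    ("2018-06-09T23:42:00", "WS-12", "SRV-07", "smb_session"),
    ("2018-06-09T23:43:00", "WS-12", "SRV-08", "smb_session"),
    ("2018-06-09T23:44:00", "WS-12", "ATM-GW", "rdp_logon"),
    ("2018-06-11T02:10:00", "WS-33", "DC-01",  "ldap_query"),   # Monday 02:10, single target
]

# Assumed local business hours (start inclusive, end exclusive).
BUSINESS_HOURS = (8, 19)


def is_off_hours(ts: str) -> bool:
    """True if the timestamp falls on a weekend or outside BUSINESS_HOURS."""
    dt = datetime.fromisoformat(ts)
    start, end = BUSINESS_HOURS
    return dt.weekday() >= 5 or not (start <= dt.hour < end)


def off_hours_fanout(events, min_targets: int = 3) -> dict:
    """Map each source host to the set of distinct hosts it reached off-hours,
    keeping only sources that touched at least min_targets distinct hosts.
    A burst of new connections from one workstation outside business hours is
    the pattern the investigation associates with reconnaissance."""
    targets: dict = {}
    for ts, src, dst, _action in events:
        if is_off_hours(ts):
            targets.setdefault(src, set()).add(dst)
    return {src: hosts for src, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    for src, hosts in off_hours_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT: {src} reached {len(hosts)} hosts off-hours: {sorted(hosts)}")
```

In practice the window and threshold should be tuned per environment, and scheduled backup or monitoring hosts allow-listed, or the rule will fire on legitimate overnight jobs.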

Want to learn more? Download the full whitepaper.
