
An APT Blueprint: Gaining New Visibility into Financial Threats

Liviu ARSENE

June 04, 2019


This new Bitdefender forensic investigation reveals a complete attack timeline and behavior of a notorious financial cybercriminal group, known as Carbanak.

In mid-2018, Bitdefender researchers investigated a targeted attack on an Eastern European financial institution, gaining new insights and creating a complete event timeline showing how the infamous group Carbanak infiltrates organizations, how it moves laterally across the infrastructure, and the time it takes to set up the actual heist.

While most forensic investigations focus on offering a highly technical analysis of the payloads used by the Carbanak group, Bitdefender’s investigation offers a complete timeline of events, from the moment the email reached the victim’s inbox to the moment of the heist.

Carbanak is one of the most prolific APT-style cybercrime operations, specifically targeting the financial sector. Discovered in 2014, the campaign quickly gained notoriety after compromising the security systems of some 100 banks in 40 countries and stealing up to $1 billion in the process. Banks in countries such as Russia, the United Kingdom, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia, Taiwan and Malaysia have allegedly been targeted with spear-phishing emails luring victims into clicking malicious URLs and opening booby-trapped documents.

The same group is also believed to have used the Cobalt Strike framework to run sophisticated campaigns, plotting and carrying out heists against financial institutions. Following an investigation led by law enforcement in cooperation with cybersecurity companies, the alleged leader of the group was apprehended in Alicante, Spain, on March 26th, 2018.

Bitdefender’s forensic analysis revealed some key compromise tactics:

  • Financial institutions in Eastern Europe remain the primary focus of the criminal group, which uses spear phishing as the main attack vector
  • The presence of Cobalt Strike tooling was a key indicator linking the intrusion to the Carbanak cyber-criminal gang, alongside the group's known targeting and tradecraft
  • In the reconnaissance phase, data related to banking applications and internal procedures was collected and prepared for exfiltration, to be used for the final stage of the attack
  • Infrastructure reconnaissance mainly occurred after business hours or on weekends to avoid triggering security alarms
  • It took the attackers only a couple of hours from initial compromise to fully establish a foothold and begin lateral movement, showing experience, knowledge and coordination
  • The final goal of the targeted attack was to compromise the ATM networks, potentially to cash out at ATMs in a coordinated physical and infrastructure criminal operation
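
The off-hours reconnaissance pattern in the findings above turns naturally into a detection: one internal host reaching many distinct hosts on weekends or outside the working day. The Python below is an added example written for this page, not Bitdefender's tooling or anything from the whitepaper. The log format (timestamp, source, destination, event type), the 08:00 to 18:00 business window and the fan-out threshold of five hosts are assumptions, and the log lines are constructed for illustration.

```python
"""Off-hours reconnaissance detector (added example, not Bitdefender's code).

Flags source hosts that touch many distinct internal hosts outside business
hours. The log format, the business window and the threshold are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time
from typing import Dict, List, NamedTuple

BUSINESS_START = time(8, 0)     # assumed local business hours
BUSINESS_END = time(18, 0)
MIN_DISTINCT_TARGETS = 5        # assumed fan-out threshold for "scanning-like" activity

# Constructed sample events: "<ISO timestamp> <src> <dst> <event>"
# 2018-06-12 is a Tuesday, 2018-06-13 a Wednesday, 2018-06-16 a Saturday.
SAMPLE_LOG = """\
2018-06-12T09:15:02 10.0.1.25 10.0.2.10 smb_login
2018-06-12T09:16:40 10.0.1.25 10.0.2.11 smb_login
2018-06-16T02:03:11 10.0.1.25 10.0.2.10 smb_login
2018-06-16T02:03:12 10.0.1.25 10.0.2.11 smb_login
2018-06-16T02:03:13 10.0.1.25 10.0.2.12 smb_login
2018-06-16T02:03:14 10.0.1.25 10.0.2.13 smb_login
2018-06-16T02:03:15 10.0.1.25 10.0.2.14 smb_login
2018-06-16T02:03:16 10.0.1.25 10.0.2.15 smb_login
2018-06-13T22:40:00 10.0.1.77 10.0.3.5 rdp_login
"""


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    kind: str


def parse_log(text: str) -> List[Event]:
    """Parse the assumed whitespace-separated log format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, kind))
    return events


def is_off_hours(ts: datetime) -> bool:
    """True on weekends, or on weekdays outside the assumed business window."""
    if ts.weekday() >= 5:          # 5 = Saturday, 6 = Sunday
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)


def find_off_hours_scanners(events: List[Event],
                            min_targets: int = MIN_DISTINCT_TARGETS) -> Dict[str, List[str]]:
    """Return {src: sorted distinct destinations} for sources that reached
    at least min_targets distinct hosts during off-hours windows."""
    targets = defaultdict(set)
    for ev in events:
        if is_off_hours(ev.ts):
            targets[ev.src].add(ev.dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, hosts in find_off_hours_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"{src} reached {len(hosts)} hosts off-hours: {', '.join(hosts)}")
```

In the constructed sample only 10.0.1.25 trips the rule, because its Saturday burst reaches six distinct hosts; the single Wednesday-evening RDP login from 10.0.1.77 stays under the threshold. In production the window and threshold should come from a baseline of normal administrative activity, since legitimate maintenance also runs after hours.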

Want to learn more? Download the full paper below:

Download the whitepaper
