Carbanak has been at war with financial institutions for about five years now

We expect this war to continue and escalate. Carbanak is, of course, the devastatingly powerful banking trojan that has plagued financial institutions since approximately 2014. Carbanak’s primary attack vector, the phishing email, is just the first link in a long chain that allowed the criminal perpetrators of Carbanak to completely compromise the banking application systems and automated teller machine (ATM) networks of many banks and financial institutions in the United States, Russia, Germany, Ukraine, China, and other countries.

FireEye’s analysis and testing of the Carbanak source code

Recently FireEye released a series of four blogs on their analysis of Carbanak, and more specifically of the complete set of Carbanak source code, of which they obtained a copy. FireEye’s analysis and testing were quite unusual in that they had an opportunity not only to analyze the binary but also to review the full set of Carbanak source code, no doubt of recent vintage. The source code distribution included over “20MB comprising 755 files, with 39 binaries and 100,000 lines of code.”

The results of the analysis were, in some ways, startling. Even the source code itself included a multitude of anti-analysis tactics which “proved to be just as difficult as analyzing the binary, if not more so.” FireEye found that Carbanak identifies the latest releases from many anti-virus (AV) suppliers, which it then turns off or evades so as to avoid detection with apparent ease. The Carbanak source code itself seems to be a Gordian Knot of massive proportions.

Banking systems and procedures were compromised

Consider the power of Carbanak as initially discovered and documented by Kaspersky. Once the banking systems and procedures were compromised and understood, Carbanak allowed cyber thieves in one corner of the world to instruct ATMs to dispense cash without any interaction with the ATM front panel. Locally recruited criminal talent would collect the money from the ATMs, and then disburse it back through a series of financial transactions to the Carbanak criminal cyber team. The attackers have demonstrated that they can modify existing bank databases and increase the balance on existing accounts by the amounts which they sought to remove. To the bank account user, their original balance remains unchanged, and hence they see no problem or fraud to report. Carbanak to this day remains an accounting nightmare. The forensic clean-up after such an attack is extensive, requiring both forensic cybersecurity engineers and a cadre of accountants to trace various activities, unwind bogus transactions, and restore correct account balances.

The cybercriminal team behind Carbanak, as well as the capabilities of the Carbanak tools and software they have developed, are now shown to be perhaps equivalent in sophistication and capability to those nefarious tools produced by any nation-state funded and supported hacking team. This team of attackers has a very deep level of knowledge of banking application systems, banking internal procedures, and the detailed operation of automated teller machine (ATM) networks, including the base level programming for individual ATMs, by make and by model. This is not the work of a handful of programmers; the Carbanak code base strongly suggests the work of a large, well-funded, and highly knowledgeable team of cybersecurity engineers and banking application programmers. This highly competent criminal team is working full-time to disrupt financial operations, steal your customer data, and divert your funds.

Taking a step back, if you are a software developer, think about the last time you worked on an application with over 100,000 lines of code. How many people worked to develop, debug, document, test, and distribute that application? Quite a few, no doubt. I am quite sure that the documentation you developed and the code you created were designed to make clear the functionality of the application itself. Not obfuscate it!

The most important lesson here is that the well-funded forces that created Carbanak will penetrate your network. They present a level of sophistication that will meet (and defeat) most of your standard security controls. They will step around these cyber defenses with ease and move through your network. Every movement they make, and every technique they deploy, is designed to avoid detection.

Deception technology presents a unique conundrum for the Carbanak attackers

In sharp contrast, deception technology presents a unique conundrum for the Carbanak attackers, and for other criminal cadres of equal sophistication. Reconnaissance is an essential part of the Cyber Kill Chain that an attacker will deploy. The very lightest touch of reconnaissance upon the deception technology decoy produces a 100% integrity alert at the most severe urgency. No one should be touching the deception decoy. The remarkable efficacy of deception gives you the ability to stop attacks such as Carbanak, during their early activities within your network, and hopefully before they can divert funds and account data.

Acalvio deception technology is optimized to protect banking and financial networks and can overcome almost all of the weaknesses inherent in your current security architecture. The deception technology decoys in ShadowPlex are interspersed within your network and will constantly be in the way of attacker reconnaissance. Every way they turn, attackers will face the high probability of detection. At any point in time when they touch a deception decoy, Acalvio will identify them at high certainty. We will then issue a very high integrity alert for action by your SOC team responders.

To find out more about ShadowPlex, please review our resource page or contact us for a free trial. We’d be delighted to share more about our technology and how it can help secure your banking, financial, and insurance networks.