Kaspersky reveals more details about how Carbanak exploits banks' systems

Malware identifies funds transfer software on PCs and sends keystrokes and screenshots every 20 seconds

Kaspersky has released more details about the "bank heist" in which cyber thieves are thought to have stolen as much as $1bn.

The targeted financial institutions were all compromised via spear-phishing attacks - emails were sent to the organisations containing malware, which installed itself when the recipient double-clicked on the attachment. The attachments were typically Microsoft Word 97-2003 (.doc) files or Windows Control Panel (CPL) files. The doc files exploited known flaws in both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761). CPL files were typically compressed using the Roshal Archive (.rar) format, which would have obfuscated the malware.

According to Kaspersky, there is evidence to suggest that the attackers originate from China, rather than Russia, with the command-and-control servers located in China and registration information for some of the domains supposedly including Chinese citizens. "Obviously, all this could just be a red herring," adds the report.

However, the targeted organisations were mostly Russian and the attachments in the spear-phishing emails were designed to induce employees to open them. "Examples include 'Соответствие ФЗ-115' and 'Приглашение' which translate into 'Accordance to Federal Law' and 'Invitation', respectively. This is enough to induce a typical employee to open the attachment and execute the malware," claims the report.

It adds: "Once the remote code execution vulnerability is successfully exploited, it installs Carbanak on the victim's system... An additional infection vector that we believe was used by the criminals is a classical drive-by-download attack. We have found traces of the Null and the RedKit exploit kits."

Carbanak - or Anunak, the name given by Fox-IT and Groupe-IB - is a backdoor used by the attackers to compromise the victim's machine once the exploit, either in the spear-phishing email or exploit kit, successfully executes its payload.

Carbanak copies itself into "%system32%\com" with the name "svchost.exe", to disguise itself as just another standard Windows system process, with the file attributes: system, hidden and read-only. The original file created by the exploit payload is then deleted, claims Kaspersky. To ensure that Carbanak has autorun privileges, the malware creates a new service with a naming syntax similar to an existing Windows service.

According to Kaspersky, the malware uses a Mozilla Firefox folder in order to save files to be sent to the command and control server when an internet connection is detected, and one of the ways in which its presence can be found is by looking for .bin files in the "C:\Users\All Users\Mozilla" folder.
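The two host-based indicators described above (the svchost.exe copy in the com folder and .bin files under the Mozilla folder) can be checked against a file inventory. The script below is an added example written for this article, not code from Kaspersky's report; it assumes "%system32%" resolves to C:\Windows\System32, that the inventory records carry a path and an attribute set, and that the sample records are constructed for illustration.

```python
import ntpath
from dataclasses import dataclass

# Indicators taken from the article. Paths are compared case-insensitively.
# Assumption: %system32% resolves to C:\Windows\System32.
SVCHOST_COPY_DIR = r"c:\windows\system32\com"
STAGING_DIR = r"c:\users\all users\mozilla"
SUSPICIOUS_ATTRS = {"system", "hidden", "readonly"}


@dataclass(frozen=True)
class FileRecord:
    """One entry from a file inventory (hypothetical record format)."""
    path: str
    attributes: frozenset  # e.g. frozenset({"system", "hidden", "readonly"})


def check_record(rec):
    """Return the indicator names that a single file record matches."""
    hits = []
    directory, name = ntpath.split(rec.path)
    directory, name = directory.lower(), name.lower()
    attrs = {a.lower() for a in rec.attributes}

    # svchost.exe living in %system32%\com instead of %system32% itself
    if directory == SVCHOST_COPY_DIR and name == "svchost.exe":
        hits.append("svchost_copy_in_system32_com")
        if SUSPICIOUS_ATTRS <= attrs:
            hits.append("system_hidden_readonly_attributes")

    # .bin staging files in the Mozilla folder (subfolders included, an
    # assumption that goes slightly beyond the article's wording)
    if directory.startswith(STAGING_DIR) and name.endswith(".bin"):
        hits.append("bin_staging_in_mozilla_folder")
    return hits


def scan(records):
    """Map each suspicious path to its matched indicators."""
    return {r.path: check_record(r) for r in records if check_record(r)}


# Constructed sample inventory: one legitimate svchost.exe, one copy in
# the com folder, one staged .bin file, one ordinary Firefox file.
SAMPLE_INVENTORY = [
    FileRecord(r"C:\Windows\System32\svchost.exe", frozenset()),
    FileRecord(r"C:\Windows\System32\com\svchost.exe",
               frozenset({"system", "hidden", "readonly"})),
    FileRecord(r"C:\Users\All Users\Mozilla\0f3a91.bin", frozenset({"hidden"})),
    FileRecord(r"C:\Users\All Users\Mozilla\Firefox\profiles.ini", frozenset()),
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_INVENTORY).items():
        print(path, "->", ", ".join(hits))
```

A hit is a triage lead rather than proof of infection: legitimate Firefox data also lives under the Mozilla folder, which is why only the .bin extension is flagged.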

Once the system is infected, Carbanak logs keystrokes and takes screenshots every 20 seconds. If Carbanak detects the BLIZKO funds transfer software on the infected computer, it sends a special notification to its C2 server. Carbanak is also aware of the IFOBS banking application and can, on command, substitute the details of payment documents in the IFOBS system.

According to Kaspersky, 52 victims of Carbanak were in Russia with only seven in China, the next worst affected country. Ukraine and Uzbekistan registered two infections each and the UK one. The first submissions of Carbanak to VirusTotal happened in April 2014, but reported infections started to spike from June, peaking in September.