Carbanak Banking Trojan is back, with new features and more geographical targets
A new variant of the Carbanak banking Trojan has been identified targeting large corporations in Europe and the US through spear-phishing campaigns, according to researchers at the Copenhagen-based CSIS Security Group.
The new variant also reportedly focuses on more geographical targets; features a new proprietary protocol; and uses random files, mutexes, and a predefined IP address rather than various domains.
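The move from several domains to a predefined IP address is worth pausing on from a defender's side: a host that opens a connection straight to a public IP, with no preceding DNS lookup for that address from the same host, stands out against normal traffic. The Python below is an added example and is not code from the article, CSIS, or any vendor; the DNS and connection log lines are constructed (RFC 5737 documentation addresses), the log formats are assumed, and the internal ranges are taken to be the RFC 1918 networks.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs (not from the article): a resolver log and a
# firewall/proxy connection log for the same hosts over a few minutes.
# Assumed line formats: "<ts> <client> query=<name> answer=<ip>" and
# "<ts> <client> -> <dst_ip>:<dst_port>".
DNS_LOG = """2015-09-01T09:00:01 10.0.0.5 query=www.example.com answer=198.51.100.20
2015-09-01T09:00:05 10.0.0.5 query=cdn.example.net answer=198.51.100.40
2015-09-01T09:03:10 10.0.0.7 query=mail.example.org answer=198.51.100.60"""

CONN_LOG = """2015-09-01T09:00:02 10.0.0.5 -> 198.51.100.20:443
2015-09-01T09:00:06 10.0.0.5 -> 198.51.100.40:443
2015-09-01T09:01:30 10.0.0.5 -> 192.0.2.77:443
2015-09-01T09:02:00 10.0.0.5 -> 10.0.0.9:445
2015-09-01T09:03:12 10.0.0.7 -> 198.51.100.60:993"""

# How long after a DNS answer a connection to that IP still counts as explained.
WINDOW = timedelta(minutes=10)

# Assumed internal address space (RFC 1918); adjust to the real estate.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_dns(text):
    """Return (time, client, answer_ip) tuples from the DNS log."""
    out = []
    for line in text.splitlines():
        ts, client, _query, answer = line.split()
        out.append((datetime.fromisoformat(ts), client, answer.split("=", 1)[1]))
    return out


def parse_conns(text):
    """Return (time, client, dst_ip, dst_port) tuples from the connection log."""
    out = []
    for line in text.splitlines():
        ts, client, _arrow, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        out.append((datetime.fromisoformat(ts), client, ip, int(port)))
    return out


def find_unresolved_connections(dns_log, conn_log, window=WINDOW):
    """Flag outbound connections to non-internal IPs for which the same client
    had no matching DNS answer within `window` before the connection."""
    resolved = parse_dns(dns_log)
    flagged = []
    for ts, client, ip, port in parse_conns(conn_log):
        if is_internal(ip):
            continue  # east-west traffic; a lookup is not expected
        explained = any(
            c == client and a == ip and timedelta(0) <= (ts - t) <= window
            for t, c, a in resolved
        )
        if not explained:
            flagged.append((client, ip, port))
    return flagged


if __name__ == "__main__":
    for client, ip, port in find_unresolved_connections(DNS_LOG, CONN_LOG):
        print(f"no DNS lookup preceded {client} -> {ip}:{port}")
```

On the constructed input only the connection from 10.0.0.5 to 192.0.2.77 is reported: the other public destinations were resolved by the same client moments earlier. In a real environment the window has to account for resolver caching and for applications that cache addresses themselves, otherwise long-lived clients generate noise; baseline first, then treat a fresh hit on a workstation as a lead, not a verdict.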
Moreover, the new variant is digitally signed through certificate provider Comodo. The registration information indicates that the signer is a company named Blik, which is based in Moscow. Its stated primary business activity is "Other wholesale". CSIS has speculated that the company's main purpose is to receive money from fraudulent transactions. Given that Carbanak-related money transfers run in the millions of dollars, the Carbanak gang could have registered a company and opened bank accounts specifically for receiving the stolen money while maintaining full control of the transactions.
The Carbanak group first made headlines in February this year when Kaspersky Lab released a report saying that the group had successfully infiltrated over 100 financial institutions to steal more than US$1 billion over two years.
The attackers supposedly gained access to corporate networks by sending spear-phishing emails containing malicious .cpl or .doc attachments to bank employees of more than 100 banks across Europe, China, and Russia. The attachments then opened a Carbanak back door (detected by Symantec as Trojan.Carberp), which enabled attackers to install other components that allowed them access to the banks’ networks.