Carbanak, Anunak

Description

Carbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.

(Kaspersky) From late 2013 onwards, several banks and financial institutions have been attacked by an unknown group of cybercriminals. In all these attacks, a similar modus operandi was used. According to victims and the law enforcement agencies (LEAs) involved in the investigation, this could result in cumulative losses of up to 1 billion USD. The attacks are still active. This report provides a technical analysis of these attacks. The motivation for the attackers, who are making use of techniques commonly seen in Advanced Persistent Threats (APTs), appears to be financial gain as opposed to espionage. An analysis of the campaign has revealed that the initial infections were achieved using spear phishing emails that appeared to be legitimate banking communications, with Microsoft Word 97 – 2003 (.doc) and Control Panel Applet (.CPL) files attached. We believe that the attackers also redirected to exploit kits website traffic that related to financial activity.

Names

Name	Name-Giver
Carbanak	Kaspersky
Anunak	Group-IB
Carbon Spider	CrowdStrike
Gold Waterfall	SecureWorks
ELBRUS	Microsoft
Sangria Tempest	Microsoft

Country

• Ukraine

Motivation

• Financial crime
• Financial gain

First Seen

2013

Observed Sectors

• Energy
• Financial
• Food and Agriculture
• Healthcare
• Hospitality

Observed Countries

• Australia
• Austria
• Brazil
• Bulgaria
• Canada
• China
• Czech
• France
• Germany
• Hong Kong
• Iceland
• India
• Luxembourg
• Morocco
• Nepal
• Norway
• Pakistan
• Poland
• Russia
• Spain
• Sweden
• Switzerland
• Taiwan
• UK
• Ukraine
• USA
• Uzbekistan

Tools

• Antak
• Ave Maria
• BABYMETAL
• Backdoor Batel
• Bateleur
• BELLHOP
• BlackMatter
• Boostwrite
• Cain & Abel
• Carbanak
• Cobalt Strike
• Clop
• DarkSide
• DNSMessenger
• DNSRat
• DRIFTPIN
• FlawedAmmyy
• FOXGRABBER
• Griffon
• HALFBAKED
• JS Flash
• KLRD
• Mimikatz
• MBR Eraser
• Odinaff
• POWERPIPE
• POWERSOURCE
• PsExec
• SocksBot
• SoftPerfect Network Scanner
• SQLRAT
• TeamViewer
• TinyMet
• WARPRISM

Operations

• 2020-08: DarkSide: New targeted ransomware demands million dollar ransoms https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/
• 2020-08: DarkSide Ransomware hits North American real estate developer https://www.bleepingcomputer.com/news/security/darkside-ransomware-hits-north-american-real-estate-developer/
• 2020-10: Ransomware gang donates part of ransom demands to charity organizations https://www.zdnet.com/article/ransomware-gang-donates-part-of-ransom-demands-to-charity-organizations/
• 2020-11: Darkside Ransomware Gang Launches Affiliate Program https://www.bankinfosecurity.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968
• 2020-11: DarkSide Ransomware Group Makes New Storage System https://www.binarydefense.com/threat_watch/darkside-ransomware-group-makes-new-storage-system/
• 2021-02: Leading Canadian rental car company hit by DarkSide ransomware https://www.bleepingcomputer.com/news/security/leading-canadian-rental-car-company-hit-by-darkside-ransomware/
• 2021-02: Eletrobras, Copel energy companies hit by ransomware attacks https://www.bleepingcomputer.com/news/security/eletrobras-copel-energy-companies-hit-by-ransomware-attacks/
• 2021-02: Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/
• 2021-03: Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds https://www.infosecurity-magazine.com/news/darkside-20-ransomware-fastest/
• 2021-03: CompuCom MSP hit by DarkSide ransomware cyberattack https://www.bleepingcomputer.com/news/security/compucom-msp-hit-by-darkside-ransomware-cyberattack/
• 2021-04: Canadian retailer Home Hardware hit by ransomware https://financialpost.com/technology/tech-news/canadian-retailer-home-hardware-hit-by-ransomware
• 2021-04: Ransomware gang wants to short the stock price of their victims https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/
• 2021-04: US chemical distributor shares info on DarkSide ransomware data theft https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/
• 2021-04: Fashion retailer Guess discloses data breach after ransomware attack https://www.bleepingcomputer.com/news/security/fashion-retailer-guess-discloses-data-breach-after-ransomware-attack/
• 2021-05: A Toshiba business unit says it has been attacked by hacking group DarkSide https://www.cnbc.com/2021/05/14/toshiba-business-unit-says-it-has-been-hacked-by-darkside-reuters.html
• 2021-05: Chemical distributor pays $4.4 million to DarkSide ransomware https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/
• 2021-05: Largest U.S. pipeline shuts down operations after ransomware attack https://www.bleepingcomputer.com/news/security/largest-us-pipeline-shuts-down-operations-after-ransomware-attack/
• 2021-07: BlackMatter ransomware targets companies with revenue of $100 million and more https://therecord.media/blackmatter-ransomware-targets-companies-with-revenues-of-100-million-and-more/
• 2021-08: Linux version of BlackMatter ransomware targets VMware ESXi servers https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/
• 2021-08: FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware https://therecord.media/fbi-fin7-hackers-target-us-companies-with-badusb-devices-to-install-ransomware/
• 2021-09: BlackMatter ransomware hits medical technology giant Olympus https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-hits-medical-technology-giant-olympus/
• 2021-09: US farmer cooperative hit by $5.9M BlackMatter ransomware attack https://www.bleepingcomputer.com/news/security/us-farmer-cooperative-hit-by-59m-blackmatter-ransomware-attack/
• 2021-09: Marketron marketing services hit by Blackmatter ransomware https://www.bleepingcomputer.com/news/security/marketron-marketing-services-hit-by-blackmatter-ransomware/
• 2021-10: DarkSide ransomware gang moves some of its Bitcoin after REvil got hit by law enforcement https://therecord.media/darkside-ransomware-gang-moves-some-of-its-bitcoin-after-revil-got-hit-by-law-enforcement/
• 2021-11: BlackMatter: New Data Exfiltration Tool Used in Attacks https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackmatter-data-exfiltration
• 2021-11: BlackMatter ransomware moves victims to LockBit after shutdown https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-moves-victims-to-lockbit-after-shutdown/
• 2023-04: Microsoft: Notorious FIN7 hackers return in Clop ransomware attacks https://www.bleepingcomputer.com/news/security/microsoft-notorious-fin7-hackers-return-in-clop-ransomware-attacks/

Counter Operations

• 2018-03: Mastermind behind EUR 1 billion cyber bank robbery arrested in Spain https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain
• 2018-08: Three Carbanak cyber heist gang members arrested https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested
• 2021-05: Darkside ransomware gang says it lost control of its servers & money a day after Biden threat https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/
• 2021-07: Dutch police confiscate DarkSide server https://cyberthreatintelligence.com/news/dutch-police-confiscate-darkside-server/
• 2021-11: BlackMatter ransomware says its shutting down due to pressure from local authorities https://therecord.media/blackmatter-ransomware-says-its-shutting-down-due-to-pressure-from-local-authorities/
• 2021-11: US offers $10 million reward for info on Darkside ransomware group https://therecord.media/us-offers-10-million-reward-for-info-on-darkside-ransomware-group/

Information

• https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
• https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf
• https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
• https://www.databreaches.net/a-chat-with-darkside/

Mitre Attack

• https://attack.mitre.org/groups/G0008/

Other Information

Uuid

e5869096-4b2d-406d-b8d1-713eda321457

Last Card Change

2023-06-21