
Multiple banks attacked by Carbanak-linked group

Symantec has found a previously undocumented Trojan that has been used in a range of attacks, in Australia and globally, against banks and other financial targets.

The attacks are extremely focused on organizations operating in the banking, securities, trading, and payroll sectors, but organizations that provide support services to these industries are also at risk. A small number of attacks also hit organizations in the securities, legal, healthcare, government and government services sectors.

[Figure: Symantec chart of targeted organization types]

Nick Savvides, Security Expert, Symantec, said, “The financial services industry, both globally and within Australia, continues to be a top target for cybercriminals. Attacks involving Odinaff began in January 2016 and have hit a wide range of regions, with the US the most frequently targeted, followed by Hong Kong and Australia. This attack is specifically built for multi-stage usage, targeting the whole financial chain and users in different businesses.”

“Cybercriminals are using knowledge of the way banks and their partners’ internal processes work to make smarter tools that target specific operations that maximise theft and minimise the risk of detection. Threats like Odinaff require lots of manual work, with a high level of skill and operational discipline to keep under the radar, but robbing banks has never been more lucrative. Losses in these recent attacks are in the hundreds of millions of dollars, all without a shot fired or safe cracked,” he added.


Symantec calls the malware Trojan.Odinaff. It is typically delivered via a spear-phishing campaign using a malicious Office document macro; once run, it opens a back door on Windows-based clients, which then communicate with a command and control (C&C) server.

[Figure: Symantec graphic of how the attack proceeds]

Another attack vector involves the use of password-protected RAR archives.

Odinaff is typically deployed in the first stage of an attack to gain a foothold on the network, providing a persistent presence and the ability to install additional tools onto the target network. These additional tools point to a sophisticated attacker that has plagued the financial industry since at least 2013: Carbanak. This new wave of attacks has also used some infrastructure that was previously used in Carbanak campaigns.

These attacks require a lot of hands-on involvement, with the methodical deployment of a range of lightweight back doors and purpose-built tools onto computers of specific interest. There appears to be a heavy investment in the coordination, development, deployment, and operation of these tools during the attacks. Custom malware tools, purpose-built for stealthy communications (Backdoor.Batel), network discovery, credential stealing, and monitoring of employee activity, are deployed.

Aside from the similar modus operandi, there are some other links between Carbanak and Odinaff:

  • There are three command and control (C&C) IP addresses which have been connected to previously reported Carbanak campaigns.
  • One IP address used by Odinaff was mentioned in connection with the Oracle MICROS breach, which was attributed to the Carbanak group.
  • Backdoor.Batel has been involved in multiple Carbanak incidents.

The attackers make extensive use of a range of lightweight hacking tools and legitimate software tools to traverse the network and identify key computers. These include:

  • Mimikatz, an open source password recovery tool
  • PsExec, a process execution tool from Sysinternals
  • Netscan, a network scanning tool
  • Ammyy Admin (Remacc.Ammyy) and Remote Manipulator System variants (Backdoor.Gussdoor)
  • Runas, a tool for running processes as another user
  • PowerShell
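Because the group leans on legitimate administration tools rather than custom binaries, defenders can hunt for them in process-creation telemetry. The following is an added example, not code from the article or from Symantec: it parses a few constructed key=value process-creation events and flags two patterns the article describes, an Office application spawning a child process (the macro stage) and the named tools appearing as the launched image. The log format, host names and executable file names (including AA_v3.exe for Ammyy Admin and rutserv.exe for Remote Manipulator System) are assumptions.

```python
"""Flag Odinaff-style tooling in constructed process-creation events."""
import re
from typing import Dict, List, Tuple

# Tools the report lists. The executable names are assumptions: Mimikatz,
# PsExec and Runas ship under these names; Ammyy Admin (AA_v3.exe) and
# Remote Manipulator System (rutserv.exe) are commonly seen under these.
LATERAL_TOOLS = {
    "mimikatz.exe": "credential recovery (Mimikatz)",
    "psexec.exe": "remote process execution (PsExec)",
    "psexesvc.exe": "PsExec service installed on the target host",
    "netscan.exe": "network scanning (Netscan)",
    "aa_v3.exe": "remote access (Ammyy Admin)",
    "rutserv.exe": "remote access (Remote Manipulator System)",
    "runas.exe": "process started as another user (Runas)",
}
# Office hosts; a child process here usually means a macro dropped something.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
BENIGN_OFFICE_CHILDREN = {"splwow64.exe"}  # print spooler helper, expected

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> Dict[str, str]:
    """Parse 'key=value key="quoted value"' into a dict."""
    return {m[1]: m[2] if m[2] is not None else m[3] for m in KV.finditer(line)}

def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Reasons this event deserves a look (empty list if none)."""
    image, parent = basename(event.get("image", "")), basename(event.get("parent", ""))
    reasons = []
    if parent in OFFICE_HOSTS and image not in BENIGN_OFFICE_CHILDREN:
        reasons.append(f"{parent} spawned {image}: possible macro-stage dropper")
    if image in LATERAL_TOOLS:
        reasons.append(LATERAL_TOOLS[image])
    return reasons

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, reason) pairs for every suspicious event in `lines`."""
    return [(ev.get("host", "?"), r) for ev in map(parse_event, lines) for r in classify(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    r'ts=2016-01-14T09:12:03Z host=WS01 parent="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    r'ts=2016-01-14T09:12:04Z host=WS01 parent="C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" image=C:\Windows\splwow64.exe',
    r'ts=2016-01-15T22:41:10Z host=WS07 parent=C:\Windows\System32\cmd.exe image=C:\Users\Public\mimikatz.exe',
    r'ts=2016-01-15T22:43:52Z host=WS07 parent=C:\Windows\System32\cmd.exe image=C:\Users\Public\PsExec.exe',
    r'ts=2016-01-15T22:43:53Z host=FS02 parent=C:\Windows\System32\services.exe image=C:\Windows\PSEXESVC.exe',
    r'ts=2016-01-15T22:50:00Z host=WS03 parent=C:\Windows\explorer.exe image=C:\Windows\System32\notepad.exe',
]

if __name__ == "__main__":
    for host, reason in scan(SAMPLE_EVENTS):
        print(f"{host}: {reason}")
```

Against the six constructed events this reports four hits (the Word-spawned PowerShell on WS01, Mimikatz and PsExec on WS07, and the PSEXESVC service on FS02) and stays silent on the benign Word print helper and Notepad.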

The group also appears to have developed malware designed to compromise specific computers. The build times for these tools were very close to the time of deployment. Among them were components capable of taking screenshot images at intervals of between five and 30 seconds.
