The Spanish National Police has arrested the leader of a criminal group responsible for developing sophisticated banking malware including Cobalt and Carbanak.

On 26 March, EUROPOL announced the arrest of the yet-unnamed computer criminal mastermind in Alicante, Spain. That individual is responsible for helping to attack 100 financial institutions worldwide and cause more than 1 billion EUR in damages.

The criminal operation has been in operation since at least 2013. In its first year alone, the group targeted 50 Russian financial institutions and five payment systems, stealing over one billion rubles ($17 million) in the process. It perpetrated these heists using a sophisticated piece of malware called Anunak.

Some time later, the computer criminals developed an even more advanced threat called Carbanak. They used this malware to steal one billion dollars in what many described at the time as the “most sophisticated attack the world has seen.”

The group then evolved once again to conduct customized malware campaigns using the Cobalt Strike penetration tool. In these operations, the bad actors use numerous tactics, techniques and procedures (TTPs), including spoofed Securities and Exchange Commission (SEC) emails and the exploitation of a 17-year-old Microsoft vulnerability.

Most of the group’s campaigns involve the use of spear-phishing emails as an attack vector. Upon successful infection by Anunak, Carbanak or Cobalt Strike, the attackers infect other parts of a target institution’s network in an effort to gain control of its servers and ATM processes. With that level of access, the nefarious individuals authorize fraudulent bank transfers, raise the balances of money mule accounts or command affected ATMs to spit out the money for them. They then take the money and convert it into cryptocurrencies.

Here’s an infographic with more on how the group operates:

The arrest by the Spanish National Police is the (Read more...)