An APT Blueprint: Gaining New Visibility into Financial Threats

This new Bitdefender forensic investigation reveals a complete attack timeline and the behavior of a notorious financial cybercriminal group, known as Carbanak.

In mid-2018, Bitdefender researchers investigated a targeted attack on an Eastern European financial institution, gaining new insights and creating a complete event timeline showing how the infamous group Carbanak infiltrates organizations, how it moves laterally across the infrastructure, and the time it takes to set up the actual

While most forensic investigations focus on offering a highly technical analysis of the payloads used by the Carbanak group, Bitdefender’s investigation offers a complete timeline of events, from the moment the email reached the victim’s inbox to the moment of the heist.

Carbanak is one of the most prolific APT-style cyberattacks, specifically targeting the financial sector. Discovered in 2014, the campaign quickly gained notoriety after compromising the security systems of 100 banks in 40 countries and stealing up to $1 billion in the process. Banks in countries such as Russia, the United Kingdom, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia, Taiwan and Malaysia have allegedly been targeted with spear-phishing emails, luring victims into clicking malicious URLs and executing booby-trapped documents.

The same group is believed to have also been using the Cobalt Strike framework to run sophisticated campaigns, plotting and performing heists of financial institutions. Following an investigation led by law enforcement in cooperation with cybersecurity companies, the leader of the group was apprehended in Alicante, Spain, on March 26th, 2018.

Bitdefender’s forensic analysis revealed some key compromise tactics:

  • Financial institutions in Eastern Europe remain the primary focus of the criminal group, which uses spear phishing as the main attack vector
  • The presence of Cobalt Strike hacking tools is the key indicator that the financial institutions were targeted by the Carbanak cyber-criminal gang
  • In the reconnaissance phase, data related to banking applications and internal procedures was collected and prepared for exfiltration, to be used for the final stage of the attack
  • Infrastructure reconnaissance mainly occurred after business hours or on weekends to avoid triggering security alarms
  • It only took the attackers a couple of hours from initial compromise to a fully established foothold and lateral movement, showing experience, knowledge and coordination
  • The final goal of the targeted attack was to compromise the ATM networks, potentially to cash out at ATMs in a coordinated physical and infrastructure criminal operation
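Two of the findings above, off-hours reconnaissance and a compromise-to-lateral-movement window of only a few hours, are exactly the kind of thing a defender can surface from a host event timeline. The following is an added example, not code from Bitdefender or the report: it orders constructed sample events into a timeline, flags those outside a configurable business window, and measures the gap from the first observed event to the first network logon. The event format, hostnames and the 08:00-18:00 window are assumptions for illustration.

```python
from datetime import datetime, time

# Constructed sample events (not taken from the Bitdefender report).
# Format: ISO timestamp, hostname, free-text detail.
SAMPLE_EVENTS = [
    "2018-06-15T14:02:11 WS-17 email attachment opened: invoice.doc",
    "2018-06-15T14:05:40 WS-17 process winword.exe -> powershell.exe",
    "2018-06-15T16:10:05 WS-17 logon type=3 to FS-02 user=j.doe",
    "2018-06-16T02:31:19 FS-02 process net.exe view /domain",
    "2018-06-17T11:45:00 FS-02 logon type=3 to ATM-GW-01 user=j.doe",
]

# Assumed business window; adjust to the organisation's real hours.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


def parse_event(line):
    ts, host, detail = line.split(" ", 2)
    return {"ts": datetime.fromisoformat(ts), "host": host, "detail": detail}


def is_off_hours(ts):
    # Saturday/Sunday (weekday 5 or 6) or outside the business window.
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def build_timeline(lines):
    # Sort chronologically and annotate each event with elapsed time and off-hours flag.
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    first = events[0]["ts"]
    for e in events:
        e["hours_since_first"] = round((e["ts"] - first).total_seconds() / 3600, 2)
        e["off_hours"] = is_off_hours(e["ts"])
    return events


def off_hours_events(lines):
    # Events worth a second look: activity after hours or on weekends.
    return [e for e in build_timeline(lines) if e["off_hours"]]


def hours_to_lateral_movement(lines):
    # Hours from the first observed event to the first network (type 3) logon.
    for e in build_timeline(lines):
        if "logon type=3" in e["detail"]:
            return e["hours_since_first"]
    return None


if __name__ == "__main__":
    for e in build_timeline(SAMPLE_EVENTS):
        flag = "OFF-HOURS" if e["off_hours"] else ""
        print(f'{e["ts"]} +{e["hours_since_first"]:>6}h {e["host"]:<9} {e["detail"]} {flag}')
    print("hours to first lateral movement:", hours_to_lateral_movement(SAMPLE_EVENTS))
```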

Want to learn more? Download the full paper below:

An APT Blueprint: Gaining New Visibility into Financial Threats

*** This is a Security Bloggers Network syndicated blog from Bitdefender Labs authored by Liviu Arsene. Read the original post at: