Carbanak Banking malware resurfaces with new ransomware tactics

The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics.

“The malware has adapted to integrate attack vendors and techniques to diversify its effectiveness,” cybersecurity firm NCC Group said in an analysis of ransomware attacks that occurred in November 2023.

“Carbanak returned last month through new distribution chains and has been distributed via compromised websites to mimic various proprietary software.”

Some of the imitated tools include popular business-related software such as HubSpot, Veeam and Xero.

Carbanak, detected in the wild since at least 2014, is known for its data exfiltration and remote control functions. It started as banking malware and has since been adopted by the cybercrime syndicate FIN7.

In the latest attack chain documented by NCC Group, the compromised websites are designed to host malicious setup files that masquerade as legitimate tools to trigger Carbanak deployment.
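The defensive counterpart to the attack chain above is to check a downloaded installer before it is run. The following PowerShell function is an added example written for this article; it is not code from NCC Group or from any of the impersonated vendors. It assumes an NTFS volume (for the Mark-of-the-Web stream) and uses placeholder values for the file path, the expected signer subject and the optional vendor-published SHA-256, which the reader replaces with values taken from a known-good copy of the software.

```powershell
# Added example (not from the NCC Group analysis): inspect a downloaded installer before
# executing it. The path, signer subject and hash below are placeholders for the reader to set.
function Test-InstallerSignature {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Subject of the vendor's code-signing certificate, copied from a known-good installer
        # (placeholder, e.g. 'CN=Example Vendor Inc, O=Example Vendor Inc, C=US')
        [Parameter(Mandatory)][string]$ExpectedSubject,
        # Optional: SHA-256 published on the vendor's official download page (placeholder)
        [string]$ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    # Mark-of-the-Web: browsers write a Zone.Identifier alternate data stream on download;
    # ZoneId=3 means the file came from the Internet zone. The stream is absent on non-NTFS volumes.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $fromInternet = [bool]($zone -match 'ZoneId=3')

    # Authenticode status: 'Valid' means the signature chains to a trusted root and the file
    # has not been modified since signing. 'NotSigned' or 'HashMismatch' is what a repackaged
    # or trojanised installer typically shows, even when its name and icon look legitimate.
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # A valid signature alone is not enough: the signer must be the vendor you expect.
    $signatureOk = ($sig.Status -eq 'Valid') -and ($signer -eq $ExpectedSubject)
    $hashOk = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.ToUpperInvariant() } else { $null }

    [pscustomobject]@{
        Path            = $Path
        FromInternet    = $fromInternet
        SignatureStatus = $sig.Status
        Signer          = $signer
        Sha256          = $hash
        SignatureOk     = $signatureOk
        HashOk          = $hashOk          # $null when no reference hash was supplied
        SafeToRun       = $signatureOk -and ($hashOk -ne $false)
    }
}

# Usage with placeholder values:
# Test-InstallerSignature -Path "$env:USERPROFILE\Downloads\setup.exe" `
#     -ExpectedSubject 'CN=Example Vendor Inc, O=Example Vendor Inc, C=US'
```

The function deliberately reports the signer subject rather than only a pass/fail result, because a setup file served from a compromised website may carry a valid signature from an unrelated publisher; comparing the subject against a known-good copy of the real installer is what catches the substitution.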

This development comes as 442 ransomware attacks were reported last month, up from 341 incidents in October 2023. A total of 4,276 cases have been reported this year, which is “less than 1,000 incidents fewer than the total for 2021 and 2022 combined (5,198).”

The company’s data shows that industrial (33%), consumer cyclical (18%) and healthcare (11%) emerged as the most targeted sectors, while North America (50%), Europe (30%) and Asia (10%) account for the most attacks.

Among the most common ransomware families, LockBit, BlackCat, and Play together accounted for 47% (206) of the 442 attacks. With BlackCat having been dismantled by authorities this month, it remains to be seen what impact this move will have on the threat landscape in the near future.

“With one month of the year left, the total number of attacks has surpassed 4,000, marking a huge increase over 2021 and 2022, so it will be interesting to see if ransomware levels continue to rise next year,” Matt Hull, Global Head of Threat Intelligence at NCC Group, said.

The spike in ransomware attacks in November is also confirmed by cyber insurance company Corvus, which says it has identified 484 new ransomware victims posted on leak sites.

“The ransomware ecosystem as a whole has successfully pivoted away from QBot,” the company said. “Making software exploits and alternative malware families part of their repertoire is paying off for ransomware groups.”

While the shift is the result of a law enforcement takedown of QBot’s (also known as QakBot) infrastructure, Microsoft last week disclosed details of a low-volume phishing campaign that distributed the malware, underscoring the challenges in the complete dismantling of these groups.

The development comes as Kaspersky revealed that the Akira ransomware’s communication site employs anti-analysis measures: it throws exceptions when the site is opened with the web browser’s debugger, preventing the site from being analyzed that way.

The Russian cybersecurity company also flagged ransomware operators’ exploitation of several security flaws in the Windows Common Log File System (CLFS) driver (CVE-2022-24521, CVE-2022-37969, CVE-2023-23376 and CVE-2023-28252; CVSS scores: 7.8) for privilege escalation.
