New Carbanak Attack – PREVENTED by Minerva

November 21, 2016


Minerva Research Team

The Gang

The Carbanak gang is one of the most notorious cybercrime organizations in the world. As a matter of fact, Kaspersky's analysts estimated that the "total financial losses (caused by Carbanak) could be as high as $1 billion". These figures would make the perpetrators of the attacks the most successful cybercrime syndicate ever, having infected hundreds of financial institutions in over 30 different countries.

The group's daring was proven once again last August when it was discovered that they had breached Oracle's MICROS division. This division's product is one of the top three point-of-sale (PoS) solutions and is deployed in more than 330,000 cash registers.

The data gathered in the MICROS breach enabled the attackers to infiltrate countless PoS devices, stealing sensitive financial information from every card swiped in the infected machines. This incident was so severe that Visa issued a special security alert, warning users of MICROS devices of Carbanak's attack:

(Image: Visa warns MICROS users)

A New Wave of Carbanak

Last week, TrustWave's malware researchers published a blog post about yet another wave of Carbanak attacks. This time, instead of targeting financial institutions or PoS vendors as they had in the past, the group shifted its focus to the hospitality sector.

The attack was initiated with a spear-phishing email carrying a malicious Word document as an attachment. Once opened, the document dropped a basic "all-around" Trojan written in VB. This script was used to collect intelligence about the infected machine, but its most important function was its ability to download and execute the next stages of the attack.

Those stages included well-known, commonly available off-the-shelf tools, Nmap being just one example. The most interesting downloaded payload, however, was a "classic" Carbanak malware, capable of scraping credit card data and exfiltrating it to the cybercriminals over an encrypted channel.

Preventing the Carbanak Attack

The Carbanak threat actor remains an active threat, efficiently attacking lucrative targets time after time and constantly updating its arsenal.

Protecting an enterprise against this kind of threat is a major challenge. Carbanak-style attacks highlight the difference between existing products, which detect a compromise on a machine only after it is already too late, and the Minerva Anti-Evasion Platform.

Minerva’s technology prevents the infection before any damage is done, foiling the malware's attempt to hide itself within a different, supposedly benign, process.

Moreover, because the malware's execution is halted at its earliest stages, before its credit card scraping capabilities are ever deployed, the Minerva-protected endpoint is not only threat-free but also does not leak sensitive information. This is a true game-changer for IR teams, making the remediation process much easier and less stressful.