Anatomy of Carbanak threat actor group and its malicious activities

• This Russia speaking cybercriminal group is characterized by their persistence targeting and large-scale theft of payment card details from victims’ systems.
• The Carbanak cybercriminal gang mainly utilize weaponized office documents to target the victims.

Carbanak, also known as Fin7, Anunak, Carbon Spider, is a threat actor group that has been found to be involved in several attacks against banks, financial, hospitality and restaurant verticals. This Russian speaking cybercriminal group is characterized by their persistent targeting and large-scale theft of payment card details from victims’ systems.

What do they target - The Fin7 or Carbanak are financially motivated threat actor group who primarily target financial organizations to directly steal and launder money. Although the year of origin is unknown, experts believe that the threat actors evolved from malware campaigns between 2013 and 2015 that used the banking trojans Craberp and Anunak to target financial institutions. Over the past few years, the group has increased its targets which includes but is not limited to restaurants, hospitality, energy, travel, education, construction, retail, and telecommunications.

How do they operate - The Carbanak cybercriminal gang mainly utilize weaponized office documents to target the victims. These malicious documents are distributed via spear-phishing emails. Apart from spear phishing, the group also demonstrates a range of capabilities, that includes using web forms for initial contact and engaging directly with pre-determined store managers.

The group is also known to use a sophisticated malware named Carbanak.

According to RSA, once the attackers gain access to a user system, they start moving laterally throughout the environment “to conduct internal reconnaissance, establish staging points and internal network paths, harvest credentials, and move towards their intended target.”

Some important attacks

• Carbanak group came to the light for targeting US-based chain restaurants using a new JScript backdoor called Bateleur and updating macros to its toolkit. The new macros and Bateleur backdoor used sophisticated anti-analysis and sandbox evasion techniques to expand the infection process.
• At the beginning of 2017, the Fin7 threat actor group was observed implementing a new malware obfuscation method. The group distributed the malware via malicious shortcut (LNK) files embedded in Word documents using the Object Linking and Embedding (OLE) technology.
• The group is also found operating its own website on the dark web, which goes by the named of Joker’s Stash. The forum is used to sell credit cards, Social Security numbers and other stolen data from their cyber attacks.

As a consequence of these major attacks, the Department of Justice indicted three members of the group in 26 different cases ranging from wire fraud to computer hacking to identity theft.