What we can learn from $1 billion bank-robbing malware

Dr. Christopher Kruegel, co-founder and chief scientist, Lastline
Dr. Christopher Kruegel, co-founder and chief scientist, Lastline

Cybercriminals used a mix of social engineering and the Carbanak family of malware to infiltrate banks around the world and steal as much a $1 billion since 2013, according to a recent Kaspersky Labs report. Spear phishing emails reportedly duped employees into opening back doors for criminals to infiltrate banking systems, alter account balances, transfer funds and hide their tracks. But how did these criminals go back to the well so many times at so many banks without getting caught?

One answer lies within the malware itself. The Lastline Labs team took a closer look at all available Carbanak malware samples this week to dissect their behaviors for clues as to how they evaded detection within heavily fortified banks. They found that all of these malware samples – when inspected within a dynamic analysis environment that used full-system emulation to prevent environmentally-aware malware from evading it – exhibited highly suspicious behaviors.

In fact, 95 percent of the Carbanak malware displayed stealthy or evasive behaviors during analysis. Stealthy behaviors included creating executable files that were hidden or masquerading as system files. Evasive maneuvers included trying to detect a virtual sandbox, sleep or forbid debugging.

So how did the Carbanak malware go undetected? These behavioral giveaways should have triggered alarms from day one. Unfortunately, legacy security systems in the majority of banks focus on filtering traffic entering their network based on static signatures that are updated at intervals that make it nearly impossible to keep up with advanced, evolving threats. Even banks that used first-generation sandboxes, using either virtual machines or operating system emulators, can't detect evasive malware that senses it is in an analysis environment and cloaks itself during scanning. And once the malware has made it past the guards, so to speak, it slips through and runs rampant – spreading laterally through the network while covering its tracks.

These banks need broader and more advanced protection that can automatically detect advanced and evasive threats across multiple vectors, without being seen by the malware itself. Even when those threats appear to come from an authorized user, banks must protect themselves, their employees and their customers under the assumption that they are always under attack and trust no one.

They also need to train every employee regularly – not just new employees or certain levels or departments – in ways to detect social engineering, how to flag suspicious email, when to report a missing device, what information can and can't be shared on email, etc. In fact, security fire drills and internal social engineering tests might be a good way to uplevel your collective IT security IQ.

No doubt about it: the Carbanak malware acted very much like modern malware on victims' machines. It should have raised red flags that signaled bank security teams to stop the cybercriminals in their tracks. By using stealthy and evasive maneuvers, this malware repeatedly evaded detection and helped those that deployed it to make off with millions.

If we can learn anything from the Carbanak malware, it is to use stealthy and evasive maneuvers in the security technology and education we deploy within enterprises to fight fire with fire.


Christopher Kruegel, PhD, is co-founder and chief scientist at Lastline. He is also currently on leave from his position as Professor of Computer Science at UC Santa Barbara. His research interests focus on computer and communications security, with an emphasis on malware analysis and detection, web security and intrusion detection. Christopher previously served on the faculty of the Technical University Vienna, Austria. He has published more than 100 peer-reviewed papers, has been the recipient of numerous awards and regularly serves on program committees of leading computer security conferences.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS