Carbanak APT campaign made off with $1B from banks globally
Carbanak APT campaign made off with $1B from banks globally

A hacker group made off with as much as $1 billion from 100 banks in 30 countries by distributing a remote backdoor via spear phishing emails to bank employees, according to a report from Kaspersky Lab.

The same gang that breached Staples last fall may be behind this ruse, which researchers have dubbed Carbanak, reports have said. Security firm Fox-IT has drawn comparisons between the malware used in the Carbanak campaign and the trojan leveraged in the Staples breach, called Anunak, leaving many to believe the malware used in both campaigns could be the same.

The Kaspersky Lab research was disclosed at the company's Security Analyst Summit in Cancun, Mexico on Monday.

Based on information gathered from its own research in addition to info from law enforcement agencies including INTERPOL and Europol, Kaspersky Lab believes that losses range from up to $10 million per bank. 

Rather than aiming their attacks at accounts belonging to customers, the miscreants went after central sources such as e-payment systems and banks. While a majority of the financial institutions targeted are in Russia, banks in the United States, Germany and China, among others, were also impacted.

Researchers have observed that the spear phishing messages sent to employees included Microsoft Word (.doc) and Control Panel Applet (.CPL) file attachments. The attachments exploited vulnerabilities in Microsoft Office 2003, 2007 and 2010, in addition to Microsoft Word. Once successfully exploited, the Carbanak backdoor is active.

Once the malware is executed and attackers were in a bank's network, they became intimate with the bank systems and employees, searching for employees who either had administrative rights to the institution's cash transfer systems or remote ATMs. Then they used the malware's remote access capabilities to capture screenshots and videos of bank workers' systems so they could eventually ape employee activity.

Money taken through fraudulent transactions was sent to bank accounts in the U.S. and China. Two of the banks where attackers set up fake accounts were identified by a New York Times source as JPMorgan Chase and the Agricultural Bank of China.

The attackers reaped the rewards of their efforts in a two-year span where they either transferred money to their own accounts, ordered the money distributed to remote ATMs where an associate waited to receive or, in some cases, penetrated the banks' accounts systems to change bank balances and then order transfers, ensuring that it would take some time for the activity to be detected by the bank.

Experts believe the threat actors may originate from Russia, Ukraine, Europe and China.

While Kaspersky researchers have contended that the attack bypassed banks' security efforts because it was “sophisticated,” others have been quick to point out that banks simply had not kept their security measures up to date.

“There is nothing special about the malware itself. As usual, it was able to bypass the banks' traditional anti-malware systems and go on its way uninterrupted,” Ian Amit, vice president of security firm ZeroFox said in a statement sent to “The novelty of this attack lies in how it was deployed -- directly inside the bank rather than to the banks' customers.”

He believes that kind of attack leads to “much higher revenue-per-transaction."

Calling the attacks a “jarring reminder of how easy it is for even sophisticated enterprises to overlook damaging changes to their cyber infrastructure,” Dwayne Melancon, CTO at Tripwire, explained in a statement sent to that even custom malware “leaves a trace when it compromises a system.” 

That mark, thought, “goes unnoticed” most of the time “because enterprises haven't established a baseline, or known good state, and aren't continuously monitoring for changes to that baseline,” he said.

Indeed, while Jerome Segura, senior security researcher at Malwarebytes Labs, in a statement sent to, said the attack is “possibly one of the largest cyber bank heists in history which happened under the noses of many banks worldwide,” he noted Carbanak “is not particularly sophisticated as earlier reports may have indicated.”

Unlike in other large attacks, hackers “did not use a zero-day vulnerability but rather social engineered bank employees with a phishing email,” he said, and banks didn't detect the malware early.