Security researchers are warning of an uptick in activity from the notorious Carbanak cyber bank robbing gang signalling a change of focus to the Middle East, US and Europe.
At the beginning of this month, Proofpoint observed targeted phishing emails sent to specific staff working for financial institutions, professional service companies and firms selling enterprise software in the Middle East.
They contained malicious links leading to documents with a known Microsoft Word exploit which resulted in spyware downloads.
At the same time, links in other emails – some sent to the same targets – attempted to spread the Java-based RAT, jRAT, which contains a host of functionality including keylogging, monitoring webcam and sound, managing files and processes and modifying the registry.
An apparently separate campaign targeted helpdesk and financial workers in the US and Europe, employed in the finance industry, mass media, and other apparently random targets in fire, safety, air conditioning and heating.
They received emails with attached documents containing malicious macros. Once enabled, these would also launch Spy.Sekur.
It’s also notable that numerous Spy.Sekur payloads were signed by stolen or fraudulent certificates – an increasingly popular method for cybercriminals to circumvent traditional security filters and trick defenses.
Proofpoint claimed it found no evidence that a RAT known as Netwire was loaded onto any of these emails. But it did find the malware hosted at the same IP address as Spy.Sekur, indicating it could have been used in the same campaign.
Other malware associated with these new email campaigns included RATs DarkComet and MorphineRAT.
The top three countries targeted appear to have been the US (18%), Oman (16%) and Australia (13%).
The Carbanak group has been around since 2013, most notably using advanced APT techniques to steal up to $1bn from 100 banks worldwide over a two-year period.
“In this case, we saw the [Carbanak] group use new exploits, macro documents, and RATs to target new groups outside their usual Russian domains. The group used attachment campaigns, URLs linking to exploit documents, and sophisticated malware to go after targets in the US and Middle East. The group also expanded its targeting from financial institutions to seemingly unrelated targets in fire, safety, and HVAC. However, as we learned from the Target data breach, among others, vendors and suppliers can give attackers a point of entry into their real target.”