Maxim Goncharov, security expert at Trend Micro, revealed that one of the most sophisticated malware used by the popular gang Carbanak is now pointing to Russia’s Federal Security Service (FSB).
The Carbanak Cybergang is the criminal gang that swiped over $1 Billion from banks worldwide, the experts discovered that the hackers hit more than 100 institutions in 30 countries, the attacks started in 2013 and may still be ongoing.
Goncharov discovered that the Carbanak trojan’s command and control servers are now pointing to the FSB. A few days ago, I received the same information from the malware researcher at RedSocks Niels Groeneveld that also noticed the thing.
There are several plausible explanations for this, one of them is that malware authors wanted to mock the Russian secret services.
“Yesterday, while checking the indicator of compromise (IOC) data from the Carbanak report, when I noticed that the domain name systemsvc.net (which was identified as a C&C server in the report) now resolves to the IP address 18.104.22.168. When I checked for related information, I found that the said IP is under ASN AS8342 RTCOMM-AS OJSC RTComm.RU and its identified location is Moscow City – Moscow – Federal Security Service Of Russian Federation.” Goncharov reveals in a blog post. “I still do not know why it happened; I do not really think that FSB Russia would point the Carbanak-related domain name to an IP address which is affiliated with Russian Federal Security Service.” “It is also possible that the owner of the domain had done this as a prank.”
The attack technique adopted by the Carbanak cybergang is composed of the following phases:
Experts at Kaspersky that discovered the Carbanak cybergang described the campaign as probably the “most sophisticated attack the world has seen”, due to its very low profile and high impact.
If the campaign was state sponsored, would it be possible that the redirection of C&C domain to the FSB website, is a red herring meant to distract attention from a possible involvement of the Russian Government?
Goncharov promised to update us on its investigation.
Stay Tuned …
(Security Affairs – Carbanak Gang, cybercrime)