December 26, 2023
Severity
High
Analysis Summary
The banking malware known as Carbanak has resurfaced with updated tactics and is now being used in ransomware attacks. The malware returned last month and has been distributed via compromised websites, posing as legitimate business-related software such as Xero, HubSpot, and Veeam.
Carbanak was first discovered in the wild in 2014 and is notorious for its remote-control and data-exfiltration capabilities. It started as banking malware and has been used extensively by the FIN7 cybercriminal group. In the newest attack chain, researchers report that the compromised websites host malicious installer files that pose as legitimate software in order to trigger the execution of Carbanak.
This follows a month in which 442 ransomware attacks were reported, after 341 in October, bringing the total to 4,276 cases reported so far in 2023. The data shows that industrial, consumer cyclical, and healthcare were the most targeted sectors, with North America, Europe, and Asia the most impacted regions. A total exceeding 4,000 attacks with one month still to go represents a large increase over 2021 and 2022.
Most of the ransomware landscape has moved away from QBot since its takedown by law enforcement and now relies on software exploits and alternative malware families for its operations. Separately, researchers disclosed that the Akira ransomware operators protect their communication site from analysis: the site raises exceptions when it detects that it is being opened with a debugger in the web browser.
Security analysts further highlighted ransomware operators' exploitation of several vulnerabilities in the Windows Common Log File System (CLFS) driver, namely CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252, which are used for privilege escalation.
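The delivery chain described above relies on installers that carry a trusted vendor's name but are not that vendor's software. One defensive check a detection engineer could run over endpoint process-creation telemetry is to flag any installer whose file name borrows one of the impersonated vendor names (Xero, HubSpot, Veeam) while its code-signing status or signer does not match that vendor. The following is an added example written for this page, not code from Rewterz or from the researchers cited; the record field names (image, signature_status, signer), the vendor keyword list and the sample events are all constructed assumptions for illustration.

```python
"""Flag installers whose file name impersonates a business-software vendor.

Added example for this advisory, not original content. Field names,
vendor keywords and the sample events below are assumptions constructed
for illustration; adapt them to the fields your EDR or Sysmon pipeline emits.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Vendors the advisory says were impersonated by the malicious installers.
VENDOR_KEYWORDS = ("xero", "hubspot", "veeam")

# Constructed sample process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\XeroSetup.exe",
     "signature_status": "valid", "signer": "Xero Limited"},
    {"image": r"C:\Users\bob\Downloads\HubSpot-Installer.exe",
     "signature_status": "unsigned", "signer": ""},
    {"image": r"C:\Users\carol\Downloads\Veeam_Backup_Setup.exe",
     "signature_status": "valid", "signer": "Example Trading LLC"},
    {"image": r"C:\Program Files\Notepad++\notepad++.exe",
     "signature_status": "valid", "signer": "Notepad++"},
]


@dataclass
class Finding:
    image: str
    vendor: str
    reason: str


def impersonated_vendor(image: str) -> Optional[str]:
    """Return the vendor keyword present in the executable's file name, if any."""
    file_name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for keyword in VENDOR_KEYWORDS:
        if keyword in file_name:
            return keyword
    return None


def check_event(event: dict) -> Optional[Finding]:
    """Flag an installer that names a vendor but is not verifiably signed by it.

    Two conditions raise a finding: the binary is unsigned or its signature is
    not valid, or the signature is valid but the signer string does not contain
    the vendor name the file name claims.
    """
    vendor = impersonated_vendor(event["image"])
    if vendor is None:
        return None  # file name does not claim to be one of the watched vendors
    status = str(event.get("signature_status", "unsigned")).lower()
    signer = str(event.get("signer", "")).lower()
    if status != "valid":
        return Finding(event["image"], vendor, f"signature status is '{status}'")
    if vendor not in signer:
        return Finding(event["image"], vendor,
                       f"signed by '{event['signer']}', not by the vendor named in the file")
    return None


def scan(events: Iterable[dict]) -> List[Finding]:
    """Run check_event over a stream of records and collect the findings."""
    return [f for f in (check_event(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.vendor}] {finding.image}: {finding.reason}")
```

The rule is deliberately narrow: a genuinely signed Xero installer passes, an unsigned "HubSpot" installer and a "Veeam" installer signed by an unrelated publisher are both flagged, and unrelated software is ignored. In production the signer match should be tightened to the vendor's exact subject name and certificate chain rather than a substring, and the download path (user Downloads or Temp) can be added as a second weighting factor.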
Impact
- Financial Loss
- Data Exfiltration
- Sensitive Information Theft
Remediation
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.