Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

Carbanak threat details and protection using Trend Micro products

    • Updated:
    • 19 Oct 2016
    • Product/Version:
    • Deep Discovery Advisor 3.0
    • Deep Discovery Analyzer 5.0
    • Deep Discovery Email Inspector 2.1
    • Deep Discovery Email Inspector 2.5
    • Deep Discovery Inspector 3.2
    • Deep Discovery Inspector 3.5
    • Deep Discovery Inspector 3.6
    • Deep Discovery Inspector 3.7
    • Deep Edge 2.0
    • Hosted Email Security 2.0
    • HouseCall Server Edition All.All
    • InterScan Messaging Security Virtual Appliance 8.2
    • InterScan Messaging Security Virtual Appliance 8.5
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Web Security Virtual Appliance 6.5
    • ScanMail for Exchange 11.0
    • Platform:
    • Windows 2000 Advanced Server
    • Windows 2003 Enterprise
    • Windows 2003 Standard
    • Windows 2008 Datacenter
    • Windows 2008 Enterprise
    • Windows 2008 Standard
    • Windows 2012 Enterprise
    • Windows 2012 Standard
    • Windows 7 32-bit
    • Windows 7 64-bit
Summary

Earlier this week Trend Micro received reports of a targeted attack that specifically affected banks and enabled attackers to steal large sums of money from affected companies by infiltrating the networks and modifying bank records.

This highlights a kind of threat that the banking industry faces differ, one that might not directly affect the end-users as with the case with phishing and online banking malware, but is equally or just as critical. Banks are networks that hold very critical financial data, which makes them perfect targets for cyber attacks.

According to reports, the attackers were able to infiltrate 100 banks located in various countries, including Russia, USA, Germany, China, and Ukraine. Here are the high-level details on how the infiltration was executed:

  • Spear phishing emails were sent to the banks’ employees, containing either an exploit (CVE-2012-0158, CVE-2013-3906, CVE- 2014-1761) or a malicious CPL file.
  • Both the exploit and the malicious CPL file drop the Carbanak malware into the system. Carbanak is a backdoor designed to execute various commands including logging keystrokes, taking screenshots, and checking for specific banking applications such as fund transfer software. 
  • The attackers used Carbanak to move laterally within the network through remote administration tools to reach target systems, which are those that involve processing bank accounts. Once target systems are reached, the attackers record videos of the affected user’s operation to be familiar with the victim’s workflow. The attackers then used this information and access to manipulate bank records and transfer funds into their accounts without being detected. 

This attack is notable for its usage of techniques that aimed to mimic normal activities within the network in order to evade detection. It raises the importance of having a security strategy that is designed to see through these techniques and detect malicious activities.

Details
Public

Custom Defense Solutions

Trend Micro Custom Defense employs a comprehensive 360-degree detection to minimize the opportunities for a targeted attack through its family of security solutions.

Trend Micro Deep Discovery provides the network-wide visibility and intelligence that is the cornerstone of the Custom Defense solution against so-called APTs (advanced persistent threats) and targeted attacks such as this one.

For the Carbanak attack scenario, Deep Discovery could detect the attack at several different points in the sequence of events:

  • Trend Micro Deep Discovery Email Inspector is able to detect the spear-phishing emails sent by attackers to the banks’ employees as the initial step to breach traditional security defenses, establish a foothold, and commence a targeted attack. Deep Discovery Email Inspector has email inspection capabilities that discover malicious content, attachments, and URL links that pass unnoticed through standard email secuDeep Discovery Email Inspector Detection
  • Trend Micro Deep Discovery Analyzer is able to detect even previously unknown threats by analyzing a broad range of file types, sizes, and sources using customizable sandbox environments that attackers design and build to match organization’s desktop and device platforms. It enhances the malware detection capabilities of all existing security investments by giving the ability to share detected and analyzed threat insight, enabling security infrastructure to prevent malicious communication, websites, applications, malware and attacker behavior from spreading.Deep Discovery Analyzer Detection 
  • Trend Micro Deep Discovery Inspector is able to identify suspicious activities anywhere on   network, such as those executed by Carbanak in moving laterally through the network and connecting to its command and control. Deep Discovery Inspector is also able to proactively detect the traffic triggered by the remote administration tool used by attackers: Deep Discovery Inspector is capable of monitoring traffic across all ports and more than 80 protocols and applications to detect threats that are purposely built to evade traditional security defenses. It also features Trend Micro Advanced Threat Scan Engine that is able to detect the malicious email attachments with embedded exploit code through its forward-looking heuristic rules.

Deep Discovery Inspector Detection

Once detected, Deep Discovery can provide the organization with both local intelligence and global threat intelligence from the Trend Micro Smart Protection Network to identify and assess the risk of the malware, communications or activities found. 

Finally, Deep Discovery provides automated security signature updates and alert notifications to the organizations’s other security products to enable a full Custom Defense that stops the attack from progressing further. Examples include: 

  • Providing IOC (Indicators of Compromise) information including C&C blacklists to both Trend Micro and third party security products 
  • SIEM alerting and full IOC sharing
  • Optionally invoking Trend Micro Network VirusWall Enforcer to isolate endpoints known to be infected

Endpoint Protection

Properly-configured endpoint solutions can ensure the prevention of Carbanak from coming into the machine or network.

Mail Scanning Solution

Email played a big part in the delivery of Carbanak, making it an important vector to protect from attackers. 

Premium
Internal
Rating:
Category:
Remove a Malware / Virus
Solution Id:
1107858
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.


Need More Help?

Create a technical support case if you need further support.