Carbanak Group Targets Executives of Financial Organizations in the Middle East

The place for technology related posts.

Moderator: Moderators

Post Reply
User avatar
Sabre
DCAWD Founding Member
Posts: 21432
Joined: Wed Aug 11, 2004 8:00 pm
Location: Springfield, VA
Contact:

Carbanak Group Targets Executives of Financial Organizations in the Middle East

Post by Sabre »

ProofPoint
The Carbanak group is infamous for infiltrating various financial institutions, and stealing millions of dollars by learning and abusing the internals of victim payment processing networks, ATM networks and transaction systems. Recently, we detected Carbanak campaigns attempting to:
• Target high level executives in financial companies or in financial/decision-making roles in the Middle East, U.S. and Europe
• Spear-phishing emails delivering URLs, macro documents, exploit documents
• Use of Spy.Sekur (Carbanak malware) and commodity remote access Trojans (RATs) such as jRAT, Netwire, Cybergate and others used in support of operations.

1.1 Campaign Targeting Middle East (URLs leading to Exploit Docs)
On March 1st 2016, Proofpoint detected a targeted email sent to hand-picked individuals working for banks, financial organizations, and several professional service companies and companies selling enterprise software. These targets are high level executives and decision makers such as directors, senior managers, regional/country managers, operations managers. The majority of targets work in the Middle East region in countries such as UAE, Lebanon, Kuwait, Yemen and others.

The email contained a URL to a Microsoft Word document hosted on a compromised site churchmanarts[.]com. The document, WRONG_AMOUN-01032016.doc (SHA256: ac63520803ce7f1343d4fa31588c1fef6abb0783980ad0ba613be749815c5900), exploits
CVE-2015-2545 when opened to drop and execute a downloader from the client’s temporary folder. This document drops essentially the same payload every time, but slightly modified, possibly so that every execution results in a dropped file with a different hash.
Pretty good write up on the exploit and such. Good reading material for the pooper, haha
Sabre (Julian)
Image
92.5% Stock 04 STI
Good choice putting $4,000 rims on your 1990 Honda Civic. That's like Betty White going out and getting her tits done.
Post Reply