Carbanak Banking Malware Uses New Ransomware Techniques to Resurface

The Carbanak malware has recently been observed using new techniques in its attacks. In its analysis of November's ransomware attacks, NCC Group explained: “The malware has adapted to incorporate attack vendors & techniques to diversify its effectiveness. Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software.”

The impersonated software includes popular business tools such as Xero, Veeam, and HubSpot. Carbanak was first detected in 2014 and is known for its remote control and data exfiltration capabilities. Although it started out as banking malware, it has since been used by the FIN7 cybercrime group.

According to NCC Group's latest description of the attack chain, the compromised sites have been set up to host malicious installer files posing as legitimate utilities in order to deploy Carbanak.

The development comes as 442 ransomware attacks were reported in November, compared with 341 attacks in October. In 2023, 4,276 cases have been reported, which is fewer than 1,000 attacks short of the combined 2021 and 2022 total of 5,198.

Of the 442 attacks, the most frequently observed ransomware families, LockBit, BlackCat, and Play, accounted for 47% (206 incidents). Given that BlackCat was taken down by the authorities this month, it is unclear how this will affect the threat landscape going forward.

Matt Hull, global head of threat intelligence at NCC Group, stated, "With one month left in the year, the total number of attacks has surpassed 4,000 which marks a huge increase from 2021 and 2022, so it will be interesting to see if ransomware levels continue to climb next year."

The cyber insurance company Corvus, which says it identified 484 new ransomware victims, has also confirmed the rise in ransomware attacks in November.

"The ransomware ecosystem at large has successfully pivoted away from QBot," the company said. "Making software exploits and alternative malware families part of their repertoire is paying off for ransomware groups."

Although the shift was prompted by law enforcement's takedown of QBot's (also known as QakBot) infrastructure, Microsoft last week disclosed details of a low-volume phishing campaign that was distributing the malware, highlighting how difficult it is to fully dismantle these operations.

The finding coincides with Kaspersky's disclosure that the Akira ransomware's communication site is protected against analysis: it raises exceptions when someone attempts to access the site with a web browser debugger.

The Russian cybersecurity firm also drew attention to several vulnerabilities in the Windows Common Log File System (CLFS) driver that ransomware operators have exploited for privilege escalation (CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252; CVSS scores: 7.8).