Europol: Spanish police arrest suspected leader behind Carbanak banking malware
According to Europol, Spanish police in the city of Alicante have arrested a person suspected of being the leader of the criminal group behind the Carbanak and Cobalt malware. The criminals used this malware to target banks.
The group is said to have been active in 40 countries and to have caused total damage of about one billion euros since 2013, Europol writes. In that year, the criminals began developing malware, then called Anunak, and used it to attack banking transactions and ATM networks. A more advanced variant, Carbanak, was in use between 2014 and 2016. Since then an improved version has been in use under the name Cobalt, based on the Cobalt Strike security testing software.
The group gained entry to banks using targeted phishing messages containing malicious attachments. These installed malware that allowed the attackers to take over the infected systems remotely and penetrate further into the network. The group then used various methods to cash out. For example, ATMs could be instructed remotely to dispense cash, which was collected by an accomplice waiting at the machine.
Carbanak method, Europol
In addition, the attackers could make transfers to their own accounts and modify account databases by inflating balances, so that so-called money mules could then withdraw money unnoticed. According to Europol, the stolen money was laundered using, among other things, cryptocurrencies and prepaid payment cards. The members of the group, whose size is unknown, are said to be scattered all over the world.
The name Carbanak comes from analyses by security firm Kaspersky, which published earlier research about the group. In that research it used the name to refer to a particular kind of backdoor. It described the group behind Carbanak as "APT-like", referring to an advanced persistent threat. However, this comparison did not quite hold, because Carbanak was after money rather than information and because the group was not particularly advanced, but was good at persistence, i.e. staying on an infected system.
In the middle of last year, the security company Positive Technologies published an analysis of Cobalt, the successor to Carbanak, in which it discussed new techniques. For example, the company wrote that the group attacked partners of banks and then sent targeted phishing emails to bank employees from those partners' infrastructure.