Delaware, USA – April 23, 2019 – Security researcher Nick Carr uncovered two archives uploaded to VirusTotal containing the full source code of Carbanak's backdoor, including the code of never-before-seen plugins. The Carbanak group (also known as Anunak, Cobalt Group or FIN7) has been active since at least 2014, attacking financial institutions around the globe, and to date has managed to steal a total of over $1 billion. Despite the arrest of part of the group, the cybercriminals continue their campaigns using a wide range of tools. FireEye researchers have begun a series of blog posts devoted to the analysis of Carbanak's backdoor, which remained unnoticed on VirusTotal for about two years. The source code will help researchers learn more about the obfuscation methods and anti-analysis techniques used by the group.
Usually, the Carbanak group sends spear-phishing emails to employees of target organizations, infecting them with one backdoor from a whole arsenal. The attackers then find and compromise important systems in the organization's network and use them to transfer money to accounts at other banks or to withdraw funds through ATMs. You can explore all known tactics, techniques and procedures of the group in the MITRE ATT&CK section of Threat Detection Marketplace. In addition to the information about techniques, you will also find Red Tests and rules for the security tools in your organization to uncover Carbanak's attacks at different stages: https://tdm.socprime.com/att-ck/