Cash Mules, Malware, And A Midnight Call From Moscow: The Great Carbanak Robbery

Carbanak first appeared on security experts’ radar when a Ukrainian financial institution approached Kaspersky Lab with an urgent worry. The problem, they explained to Kaspersky’s Global Research and Analysis Team, was that money was going missing via cash machines and nobody quite knew how or why.

They wanted Kaspersky to help with the forensics of the case. But when Kaspersky looked into it – having initially expected Tyupkin-type malware – there was nothing to be found. The hard disk of the ATM system didn’t appear to have been compromised, and there was nothing apart from an unusual VPN configuration to suggest anything out of the ordinary. For the time being, it was considered just another malware attack.

Matter Of Urgency

Then, out of the blue, a Kaspersky employee received an urgent phone call at 3am one night. At the other end was a panicked account manager, who passed on the number of the CSO of a Russian bank.

The CSO explained that one of their systems was reporting a breach. Data was being sent from their domain controller to China.

When Kaspersky Labs arrived on site, the malware was swiftly identified and dealt with. A batch script was run on every PC to remove the malware, but not before a sample was saved to examine Carbanak in detail.
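Outbound data from a domain controller to an address outside the bank was the signal that raised the alarm here. As an added example that is not from the article or from Kaspersky, the following Python flags such flows in constructed flow records; the domain controller names, the internal address ranges, the byte threshold and the log format are all assumptions.

```python
# Added example: flag domain controllers sending data to external addresses.
# All hosts, addresses and the record format below are constructed.
import ipaddress
from collections import defaultdict

# Assumption: the SOC maintains the list of domain controllers and the
# address ranges that count as internal to the bank.
DOMAIN_CONTROLLERS = {"dc01.corp.example", "dc02.corp.example"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "timestamp src_host dst_ip dst_port bytes_out"
SAMPLE_FLOWS = """\
2015-02-10T03:02:11Z dc01.corp.example 10.0.5.20 445 1200
2015-02-10T03:02:40Z dc01.corp.example 203.0.113.7 443 48000000
2015-02-10T03:05:12Z ws17.corp.example 203.0.113.7 443 2200
2015-02-10T03:07:55Z dc02.corp.example 198.51.100.4 8080 9100000
2015-02-10T03:09:01Z dc02.corp.example 10.0.1.9 389 900
"""

def parse_flow(line):
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": ipaddress.ip_address(dst),
            "port": int(port), "bytes": int(nbytes)}

def is_external(addr):
    # Anything outside the SOC-defined internal ranges counts as external.
    return not any(addr in net for net in INTERNAL_NETS)

def find_dc_egress(log_text, byte_threshold=1_000_000):
    """Return {dc_host: {dst_ip: total_bytes}} for flows from a domain
    controller to an external address whose aggregate bytes reach the
    threshold. Workstation flows and internal traffic are ignored."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["src"] in DOMAIN_CONTROLLERS and is_external(f["dst"]):
            totals[f["src"]][str(f["dst"])] += f["bytes"]
    alerts = {}
    for dc, dsts in totals.items():
        hits = {ip: n for ip, n in dsts.items() if n >= byte_threshold}
        if hits:
            alerts[dc] = hits
    return alerts

if __name__ == "__main__":
    for dc, dsts in find_dc_egress(SAMPLE_FLOWS).items():
        for ip, n in dsts.items():
            print(f"ALERT {dc} -> {ip}: {n} bytes to an external address")
```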

How It Worked

With the bank’s systems clean, Kaspersky worked to establish the malware’s modus operandi. The point of initial infection turned out to be a spear phishing email with a CPL attachment. Other infections arrived in compromised Word documents that exploited known vulnerabilities.

After executing the shellcode, a backdoor based on Carberp began to take hold in the system. This backdoor, the route the attackers used to steal money, is what we now know as Carbanak.

Designed for espionage, data exfiltration and remote operation of secure systems, Carbanak enabled the attackers to extract money from whichever bank they targeted. Each robbery took up to four months in total to execute, from the time the first computer was infected to actually taking the money.

Because the attackers behind Carbanak didn’t necessarily have any useful knowledge of the banks they’d targeted, they used manual reconnaissance techniques to find relevant computers to infect. This involved manually moving through the network until they found something of interest to them. Perhaps even more cunningly, the infected computers could also send low-quality videos back to the gang of cyber-robbers. With this combination of visual surveillance, a thorough understanding of the bank’s security architecture, and keylogged data, they had a solid understanding of what was going on inside the bank.

Obviously the main purpose of this malware was to steal money. With targets across Eastern Europe, the most straightforward way of stealing money was to remotely instruct ATMs to dish out money. This would then be collected by human mules and delivered back to the gang. The malware also used the SWIFT network to transfer money to the criminals’ accounts, having created artificial accounts with high balances first.

The Impact

Kaspersky Labs works closely with law enforcement agencies on this kind of project. This cooperation brings the perpetrators closer to justice, but also gives the security industry a better understanding of the risks and vulnerabilities currently being exploited by cyber criminals. We now know that Carbanak hit around a hundred targets, with around half of those successful. Estimates suggest that total financial losses could be as high as $1bn, with each bank losing up to $10m to the thieves and potentially more in the wake of the attack.

Carbanak is a growing threat. It is believed to emanate from Moscow, and the bulk of the banks it targeted are in Eastern Europe. But the gang behind it clearly has big ambitions – it has been known to hit the USA, Germany, China, Kuwait, Nepal and Malaysia, as well as huge swathes of Africa. This is something that all financial organisations need to be very, very careful of.
