CARBANAK Targeted Attack Campaign Hits Banks and Financial Institutions
During our investigation, we found other malware being used in the attack. Trend Micro detects these as:
- Trend Micro Deep Discovery Email Inspector is able to detect the spear-phishing emails sent by attackers to the banks’ employees as the initial step to breach traditional security defenses, establish a foothold, and commence a targeted attack. Deep Discovery Email Inspector has email inspection capabilities that discover malicious content, attachments, and URL links that pass unnoticed through standard email security.
Deep Discovery detecting exploit attached to spear phishing email
- Trend Micro Deep Discovery Analyzer is able to detect even previously unknown threats by analyzing a broad range of file types, sizes, and sources in customizable sandbox environments that match the organization's desktop and device platforms (the same platforms attackers design and build their malware for). It enhances the malware detection capabilities of all existing security investments by sharing detected and analyzed threat insight, enabling the security infrastructure to stop malicious communication, websites, applications, malware, and attacker behavior from spreading.
- Trend Micro Deep Discovery Inspector is able to identify suspicious activities anywhere on the network, such as those carried out by Carbanak when moving laterally through the network and connecting to its command-and-control servers. Deep Discovery Inspector is also able to proactively detect the traffic generated by the remote administration tool used by the attackers.
Deep Discovery Inspector heuristically detecting traffic from Ammyy Remote Admin Tool
Deep Discovery Inspector is capable of monitoring traffic across all ports and more than 80 protocols and applications to detect threats purposely built to evade traditional security defenses. It also features the Trend Micro Advanced Threat Scan Engine, which is able to detect malicious email attachments with embedded exploit code through its forward-looking heuristic rules.
Sandbox analysis result for a sample Carbanak variant
- Providing IOC (Indicators of Compromise) information, including C&C blacklists, to both Trend Micro and third-party security products
- SIEM alerting and full IOC sharing
- Optionally invoking Trend Micro Network VirusWall Enforcer to isolate endpoints known to be infected
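The three items above describe a common pipeline: a C&C blacklist is shared as IOC data, matches are raised to a SIEM, and endpoints with confirmed C&C contact are isolated. As an added illustration (not Trend Micro's code, and not the product's actual IOC format), the following Python script walks that pipeline over a constructed blacklist and constructed proxy/DNS log lines; every domain, IP and log entry in it is a placeholder, not a real Carbanak indicator.

```python
import json
import re
from dataclasses import dataclass, asdict

# Constructed C&C blacklist. These are documentation/reserved values,
# not real indicators; a production feed would replace this dict.
CNC_BLACKLIST = {
    "domains": {"update-check.example", "cdn-static.invalid"},
    "ips": {"203.0.113.45", "198.51.100.7"},
}

# Constructed log lines in a simple "timestamp source action target" form.
SAMPLE_LOGS = [
    "2015-02-16T08:01:12Z 10.0.5.21 DNS update-check.example",
    "2015-02-16T08:01:13Z 10.0.5.21 CONNECT 203.0.113.45:443",
    "2015-02-16T08:02:40Z 10.0.7.9 DNS www.example.com",
    "2015-02-16T08:03:01Z 10.0.7.9 CONNECT 192.0.2.10:80",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<action>DNS|CONNECT)\s+(?P<target>\S+)$"
)


@dataclass
class Alert:
    timestamp: str
    source_host: str
    action: str
    indicator_type: str
    indicator: str
    raw_line: str


def normalize_target(action, target):
    """Strip the :port from CONNECT targets and canonicalize host names."""
    host = target.rsplit(":", 1)[0] if action == "CONNECT" else target
    return host.lower().rstrip(".")


def match_indicator(host, blacklist):
    """Return 'ip', 'domain', or None. Domain matching also covers
    subdomains of a blacklisted domain, but never a bare TLD."""
    if host in blacklist["ips"]:
        return "ip"
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in blacklist["domains"]:
            return "domain"
    return None


def scan_logs(lines, blacklist=CNC_BLACKLIST):
    """Match each parseable log line against the blacklist; unparseable
    lines are skipped rather than treated as matches."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host = normalize_target(m["action"], m["target"])
        kind = match_indicator(host, blacklist)
        if kind:
            alerts.append(Alert(m["ts"], m["src"], m["action"], kind, host, line))
    return alerts


def to_siem_events(alerts):
    """Serialize alerts as one JSON record per line for SIEM ingestion."""
    return [json.dumps({"event_type": "ioc_match", **asdict(a)}, sort_keys=True)
            for a in alerts]


def hosts_to_isolate(alerts):
    """Only endpoints with an actual CONNECT to a C&C indicator are queued
    for isolation; a DNS lookup alone is logged but not acted on."""
    return {a.source_host for a in alerts if a.action == "CONNECT"}


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for event in to_siem_events(found):
        print(event)
    print("isolate:", sorted(hosts_to_isolate(found)))
```

The split between alerting on any match and isolating only on a confirmed connection is deliberate: DNS resolution of a blacklisted name can come from a scanner or a curious user, while a completed CONNECT to a listed C&C address is the signal worth an automated quarantine action.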
- Components of OfficeScan Corporate Edition (OSCE) such as SmartScan, Web Reputation Service, Behavior Monitoring, and Smart Feedback offer the best protection against CARBANAK by detecting the malicious files.
- Worry-Free Business Security/Services (WFBS/WFBS-SVC) is also equipped with technologies to detect and remove Carbanak on the machine or network.
- Trend Micro Hosted Email Security offers technologies such as connection-level and content-based reputation filtering, designed to block threats that arrive via email.
- Trend Micro InterScan Messaging Security Virtual Appliance leverages the Trend Micro Advanced Threat Scan Engine in order to detect document exploits such as the ones used in this attack.