Spear Phishing used for Carbanak campaigns
The Carbanak group is infamous for infiltrating various financial institutions, and stealing millions of dollars by learning and abusing the internals of victim payment processing networks, ATM networks and transaction systems.
Recently, researchers detected Carbanak campaigns attempting to:
- Target high level executives in financial companies or in financial/decision-making roles in the Middle East, U.S. and Europe
- Spear-phishing emails delivering URLs, macro documents, exploit documents
- Use of Spy.Sekur (Carbanak malware) and commodity remote access Trojans (RATs) such as jRAT, Netwire, Cybergate and others used in support of operations.
Campaign Targeting Middle East (URLs leading to Exploit Docs) On March 1st 2016, Proofpoint detected a targeted email sent to hand-picked individuals working for banks, financial organization, and several professional service companies and companies selling enterprise software.
These targets are high level executives and decision makers such as directors, senior managers, regional/country managers, operations managers.
The majority of targets work in the Middle East region in countries such as UAE, Lebanon, Kuwait, Yemen and others.
The email contained a URL to a Microsoft Word document hosted on a compromised site churchmanarts[.]com. The document, WRONG_AMOUN-01032016.doc (SHA256: ac63520803ce7f1343d4fa31588c1fef6abb0783980ad0ba613be749815c5900), exploits CVE-2015-2545 when opened to drop and execute a downloader from the client’s temporary folder. This document drops essentially the same payload every time, but slightly modified, possibly so that every execution results in a dropped file with a different hash.
Get the full report at:Â https://www.proofpoint.com/sites/default/files/proofpoint-threat-insight-carbanak-group-en.pdf