The Carbanak cyber criminal gang is abusing Google's infrastructure as a conduit for botnet control. Carbanak (also known as Anunak) is a financially motivated criminal group first exposed in 2015. The actors typically steal from financial institutions using targeted malware. Recently a new Carbanak attack campaign dubbed "Digital Plagiarist" was exposed, in which the group used weaponized Office documents hosted on mirrored domains to distribute malware.
The gang became notorious when it was blamed for the theft of one billion dollars from more than 100 banks across 30 countries back in 2015. Fast-forward two years and Carbanak is now infecting users via a script that sends commands to, and receives commands from, Google Apps and Google Forms services. The hackers behind the campaign are procuring legitimate digital certificates via Russian shell corporations in order to mount the ongoing assault, the sophistication of which is above and beyond that commonly encountered in cybercrime campaigns and closer to the tradecraft employed by nation-state spies.
Forcepoint Security Labs reckons the gang is likely using Google services because they are allowed by default at many organisations, which makes it easier for the attackers to exfiltrate data and deliver instructions through traffic that egress filtering would normally wave through.
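The defensive corollary of that observation is that blocking Google wholesale is rarely an option, so detection has to key on who is talking to these services rather than whether anyone is. The following is an added example, not code from the article or from Forcepoint: it runs a simple hunt over constructed per-host web-request telemetry, flagging Windows script hosts (wscript.exe, cscript.exe and similar) that contact Google Forms or Apps Script endpoints, and checks whether the timing looks like a fixed-interval beacon. The column layout, the choice of script-host process names, the hostnames and paths used to recognise the Forms and Apps Script surface (script.google.com, docs.google.com/forms/) and the 5-second jitter threshold are all assumptions for illustration, not indicators published for this campaign.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample of per-host web-request telemetry (not real Carbanak traffic).
# Assumed columns: time, host, process, method, dest_host, path. A proxy that only
# sees IP/User-Agent would need the process field joined in from endpoint telemetry.
SAMPLE_LOG = """\
time,host,process,method,dest_host,path
2017-01-17T09:00:01Z,WS-0412,chrome.exe,GET,docs.google.com,/forms/d/e/EXAMPLE/viewform
2017-01-17T09:00:14Z,WS-0412,wscript.exe,GET,script.google.com,/macros/s/EXAMPLE/exec
2017-01-17T09:01:14Z,WS-0412,wscript.exe,GET,script.google.com,/macros/s/EXAMPLE/exec
2017-01-17T09:02:14Z,WS-0412,wscript.exe,POST,docs.google.com,/forms/d/e/EXAMPLE/formResponse
2017-01-17T09:02:30Z,WS-0907,outlook.exe,POST,outlook.office365.com,/EWS/Exchange.asmx
2017-01-17T09:03:14Z,WS-0412,wscript.exe,GET,script.google.com,/macros/s/EXAMPLE/exec
2017-01-17T09:05:00Z,WS-0907,powershell.exe,GET,www.google.com,/
"""

# Windows script hosts / LOLBins that have no business talking to Google Forms or
# Apps Script in most fleets (assumed list; tune to your environment).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "rundll32.exe"}


def is_google_c2_surface(dest_host: str, path: str) -> bool:
    """Assumed service endpoints: Apps Script web apps under script.google.com,
    Google Forms under docs.google.com/forms/. Plain www.google.com is not flagged."""
    host = dest_host.lower()
    if host == "script.google.com":
        return True
    return host == "docs.google.com" and path.startswith("/forms/")


def find_suspicious(log_text: str) -> dict:
    """Group script-host requests to the Google C2 surface by (host, process) and
    report the request count and whether the timing looks like a fixed-interval beacon."""
    grouped = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["process"].lower() not in SCRIPT_HOSTS:
            continue
        if not is_google_c2_surface(row["dest_host"], row["path"]):
            continue
        grouped[(row["host"], row["process"].lower())].append(
            datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
        )

    findings = {}
    for key, times in grouped.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings[key] = {
            "requests": len(times),
            # Regular: at least two gaps and max-min jitter within 5 seconds (assumed threshold).
            "regular_beacon": len(gaps) >= 2 and (max(gaps) - min(gaps)) <= 5,
            "interval_seconds": round(sum(gaps) / len(gaps)) if gaps else None,
        }
    return findings


if __name__ == "__main__":
    for (host, proc), f in find_suspicious(SAMPLE_LOG).items():
        print(f"{host} {proc}: {f['requests']} requests, "
              f"beacon={f['regular_beacon']}, interval={f['interval_seconds']}s")
```

On the constructed data only the wscript.exe activity on WS-0412 surfaces: four requests at a flat 60-second cadence, which is exactly the pattern a browser user would not produce. The browser's own visit to a form and PowerShell fetching www.google.com are left alone, which is the point of scoping the rule to process plus endpoint rather than to the Google domain alone.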
The latest run of attacks features booby-trapped RTF documents containing an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware.
Forcepoint Security Labs™ recently investigated a trojanized RTF document which we tied to the Carbanak criminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware have now included the ability to use Google services for command-and-control (C&C) communication. We have notified Google of the abuse and are working with them to share additional information.
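For an analyst handed one of these documents, the first question is simply what is embedded in it. The script below is an added triage example, not Forcepoint's tooling or code from the article: it pulls every hex-encoded `\*\objdata` blob out of an RTF file (the RTF specification stores embedded object data as hex under that control word), decodes it, notes whether the result is an OLE compound file, and flags common VBScript dropper strings. The sample document and its embedded script are constructed for the demonstration; the marker list is an assumption about what a script-based dropper tends to contain, and the article does not say which encoding the real Carbanak document used, so this only covers the standard RTF object-data case.

```python
import binascii
import re

# Constructed sample (not a real Carbanak document): an RTF wrapper carrying an
# embedded object whose hex-encoded data is a small VBScript. Per the RTF spec,
# \*\objdata holds hex-encoded object data, so that is the natural place to look.
_SCRIPT = b'Set sh = CreateObject("WScript.Shell")\r\nsh.Run "cmd /c whoami", 0, True\r\n'
SAMPLE_RTF = (
    b"{\\rtf1\\ansi\\deff0{\\fonttbl{\\f0 Calibri;}}\r\n"
    b"\\pard Invoice attached, please review.\\par\r\n"
    b"{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\r\n"
    + binascii.hexlify(_SCRIPT)
    + b"\r\n}}\r\n}"
)

OBJDATA_RE = re.compile(rb"\\\*\\objdata\s*([0-9A-Fa-f\s]+)")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header
# Strings common in VBScript droppers (assumed list); matched byte-wise so they are
# found whether the script sits bare in the object or inside an OLE container.
VBS_MARKERS = (b"CreateObject", b"WScript.Shell", b"ExecuteGlobal", b"Execute(", b"Chr(", b"Eval(")


def extract_objdata(rtf: bytes) -> list:
    """Decode every \\*\\objdata hex blob in the document to raw bytes."""
    blobs = []
    for m in OBJDATA_RE.finditer(rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:          # tolerate an odd trailing nibble from truncation
            hexdata = hexdata[:-1]
        blobs.append(binascii.unhexlify(hexdata))
    return blobs


def triage(rtf: bytes) -> dict:
    """Summarise embedded objects and flag VBScript indicators."""
    result = {"objects": 0, "ole_containers": 0, "vbscript": False, "markers": []}
    for blob in extract_objdata(rtf):
        result["objects"] += 1
        if blob.startswith(OLE_MAGIC):
            result["ole_containers"] += 1
        hits = [m.decode() for m in VBS_MARKERS if m in blob]
        if hits:
            result["vbscript"] = True
            result["markers"].extend(hits)
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_RTF))
```

Run against the constructed sample it reports one embedded object, no OLE container, and the `CreateObject` and `WScript.Shell` markers. A real sample will usually wrap the script in an OLE Package object, in which case `ole_containers` goes to 1 and the next step is to carve the stream out with an OLE parser; the byte-wise marker scan still fires either way, which is why it is done on the decoded blob rather than on a parsed stream.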
Trustwave adds that Carbanak’s latest campaign is aimed at the hospitality industry. One (unnamed) restaurant chain with over 1,500 locations, as well as an (also unnamed) luxury hotel chain have already been affected.
Firms in e-commerce and retail are also potentially at risk from the latest attacks, it adds. Trustwave published a 45-page report on the group's latest antics and a summary blog post on Wednesday.
The latest run of attacks follows reports back in August that the Carbanak gang was targeting payment terminal makers, assaults that increasingly look like phase one of an ambitious series of cyber-heists.