CylancePROTECT™ vs. the World: Carbanak Banking Malware

As much as I would love to have started this blog with the words “brand new way to attack”, I just cannot do it yet again. Carbanak is just another beat down technique that the A/V industry and most so-called “advanced threat prevention” systems cannot seem to prevent against. No matter how many updates they push down your throat or how much they re-label heuristics with “advanced”. But CylancePROTECT does detect and prevent against Carbanak. 100%.

Carbanak, or perhaps more appropriately called Anunak, was discovered and first released in December 2014 by Group 1B out of Russia and Fox-IT out of the Netherlands. Since the Carberp botnet source code was released in 2013, we knew there would be new attacks leveraging the stealthy botnet malware. And with Carberp being discovered in this campaign, and expanding the victims list from solely Russian targets to Japanese, American, Dutch and Swiss, Kaspersky renamed the campaign and wrote their own report taking broader credit over the weekend. NY Times got a pre-release this weekend and wrote a story.

The attack used spearphishing emails to deliver RTF documents to its victims. Once clicked on, they exploit the well-known CVE-2013-5056 vulnerability in Windows to execute a series of malware that controls the victim’s computer and allows the attackers to watch the user’s activity and study his or her behavior. In so doing, the bad guys get to act like employees of the bank and modify bank account balances, do wire transfers, and dispense cash from ATMs just as though they were ATM operators.

CylancePROTECTs last machine learning model shipped in August of 2014, and we still continue to catch every single new campaign and Carbanak is no different. Detecting 100% of the samples associated with the hack and preventing 100% of those in realtime. No other solution offers that on the market.

Of the 82 PE samples we have associated with Carbanak, we detected and quarantined 77 all pre-execution:

Screen_Shot_02-16-15_at_01.33_PM

 And 4 of the samples we didn’t hit mathematically on, we still block due to our anti-exploit memory techniques:

 Screen_Shot_02-16-15_at_01.34_PM

And finally, the last remaining sample, 664d484960d70f0dabeddeb9ac4dfb8ed2e990ad0e044eb90db19f9828ac4711, doesn’t do anything malicious on its own but instead sends commands to a bot we block.

All combined we blocked 100% of every bit of Carbanak. All 0-day to us. All day long.

Stuart McClure
CEO/Founder
Cylance, Inc.