Skip to content ↓ | Skip to navigation ↓


Known as one of the largest bank heists ever, cybercriminals successfully exfiltrated nearly $1 billion dollars from dozens of banks and financial institutions around the world. After an extensive investigation, the verdict of these ongoing sophisticated attacks was traced to Carbanak malware.

According to security firm Kaspersky Labs, Carbanak malware, which infected networks through simple spear phishing attacks, served as a remote backdoor to stealthily exfiltrate data and provide remote access to infected machines.

As cybercriminals continued to get away with taking over ATMs, adjusting account balances and transferring funds, new sophisticated tactics emerged – but would this shift create indicators of compromise that are more difficult for financial institutions to detect?

“Banks have always been a criminal target for obvious reasons: they have giant sums of money in their possession,” explains Christopher Kruegel, co-founder and chief scientist at Lastline.

“But as banks rapidly evolve to serve an increasingly global economy, so too must their security systems evolve to protect against increasingly sophisticated global threats.

California-based security breach detection firm Lastline recently revealed additional research, finding that 95 percent of Carbanak malware exhibits many signs of evasive behaviors, such as creating .exe files that were hidden and/or masquerading as system files.

Using the company’s Breach Detection Platform, however, Lastline automatically determined 100 percent – or all 74 samples – as “malicious.” Furthermore, the analysis discovered several other interesting commonalities:

  • 93% of malware exhibited ten or more malicious or suspicious behaviors
  • 92% had a packer loading an embedded PE image indicating a potential unpacking
  • 95% hid network activity through code injection
  • 95% displayed stealth behavior 95% autostarted by registering a new service at startup
  • 97% altered memory by replacing the image of another process, indicating either detection evasion or privilege escalation
  • Nearly one in five (17%) demonstrated evasive behavior – such as trying to detect a virtual sandbox, sleep or forbid debugging – which is a relatively high percentage of evasion as compared to the average malware sample set

As threats like Carbanak malware continue to target the financial industry directly, it’s evident that advanced persistent threat (APT) techniques are rapidly evolving within the threat landscape. Building a multi-layered approach to evasive malware identification, coupled with network and system controls, provides a better degree of protection from these advanced threats, adds Tripwire Chief Research Officer David Meltzer.

“Many organizations have deployed appliances or are leveraging cloud services from certain vendors that can analyze binaries to identify this new breed of aggressive and evasive malware,” said Meltzer. “These have focused at trying to capture and analyze binaries on the network, catching and blocking malware from making its way into systems.”

Although malicious programs like Carbanak are designed and reconfigured to circumvent security systems, a strong defense-in-depth approach can help ensure that a successful attack isn’t always a successful compromise.

Jim Wacchaus, Senior Manager of Technology Alliance Partnerships at Tripwire, recognizes that implementing fundamental controls, like security configuration management and file integrity monitoring, is essential to combat today’s numerous, sophisticated threats.

“Because these malware samples are environmentally-aware with stealthy and evasive behaviors, they require a stealth sandbox to automatically detect them with an analysis environment that appears to be a victim’s system,” said Kreugel. “Only then will banks be protected against these evolving threats.”