Lastline Labs

Carbanak Malware — Ninety Five Percent Exhibits Stealthy or Evasive Behaviors

Posted by Dr. Christopher Kruegel
2/19/15 12:00 PM

We’ve talked a lot about the increasing sophistication of malware and the serious threats it poses. But it’s rare to be able to analyze malware that is evasive or stealthy and has already been deployed in the wild to carry out cybercrime without being detected by in-place security systems for months.

From the Security Analyst Summit in Cancun this week, Kaspersky Labs published a report detailing a bank heist purported to rake in as much as $1 billion since late 2013 from banks around the world using a series of sophisticated attacks that may still be underway.

According to Kaspersky, Carbanak malware was deployed to infiltrate banks, take over ATMs, adjust balances and transfer funds via remote access. To better understand how the malware used in these attacks evaded detection by traditional security technology for so long, we took a closer look at all of the 74 Carbanak malware samples available to us through VirusTotal (nearly 70% of those listed in the report).

Using the Lastline Breach Detection Platform, we detected a high level of malicious behavior, with 96% of samples rating at a security impact of 96 or more out of 100 possible points. Our analysis automatically determined all of them (100%) were “malicious” regardless of whether a signature existed for them or not. (Our system considers anything with an impact of above 70 clearly malicious.)

The suspicious behaviors we detected in these Carbanak samples revealed some interesting commonalities:

  • 93% exhibited ten or more malicious or suspicious behaviors
  • 92% had a packer loading an embedded PE image indicating a potential unpacking
  • 95% hid network activity through code injection
  • 95% displayed stealth behavior including creating .exe files that were hidden and/or masquerading as system files
  • 95% autostarted by registering a new service at startup
  • 97% altered memory by replacing the image of another process, indicating either detection evasion or privilege escalation
  • Nearly one in five (17%) demonstrated evasive behavior, such as trying to detect a virtual sandbox, sleeping to wait out analysis, or preventing debugging

You can see here a breakdown of the categories of malicious behavior and their prevalence across the 74 analyzed Carbanak samples:

Number of Samples   Fraction of Samples   Suspicious/Malicious Behavior Category
13                  17.57%                Evasion
60                  81.08%                Execution
69                  93.24%                Packer
70                  94.59%                Network
70                  94.59%                Autostart
70                  94.59%                Stealth
70                  94.59%                File
72                  97.30%                Memory

To learn more about these malicious behavior categories, please go here.
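To make the category-and-threshold logic above concrete, here is an added Python example (not Lastline's code) that maps constructed sandbox events to the behavior categories in the table, applies the post's "impact above 70 is clearly malicious" rule, and computes per-category prevalence across samples. The event schema, the per-category weights and the SYSTEM_NAMES list are assumptions made for this example.

```python
from collections import Counter
# Category names and the "impact above 70 is clearly malicious" rule come from the post;
# the event schema, WEIGHTS and SYSTEM_NAMES are assumptions made for this example.
WEIGHTS = {"Memory": 30, "Autostart": 20, "Stealth": 20, "Packer": 15,
           "Network": 15, "Evasion": 10, "File": 5, "Execution": 5}
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

def categorize(event):
    """Map one sandbox event record (a dict) to the behavior categories it evidences."""
    kind = event["type"]
    if kind == "process_create":
        return {"Execution"}
    if kind == "file_create" and event["path"].lower().endswith(".exe"):
        path = event["path"].lower()
        # Hidden attribute, or a system-process name dropped outside System32, is masquerading
        if event.get("hidden") or (path.rsplit("\\", 1)[-1] in SYSTEM_NAMES and "\\system32\\" not in path):
            return {"File", "Stealth"}
        return {"File"}
    if kind == "service_create" and event.get("start") == "auto":
        return {"Autostart"}
    if kind == "image_replace":          # image of another process overwritten
        return {"Memory"}
    if kind == "net_connect" and event.get("from_injected_code"):
        return {"Network"}               # network activity hidden behind injected code
    if kind == "embedded_pe_load":
        return {"Packer"}
    if kind in {"vm_check", "long_sleep", "anti_debug"}:
        return {"Evasion"}
    return set()

def score_sample(events):
    """Return (categories, impact 0-100, is_malicious) for one sample's event list."""
    cats = set().union(*(categorize(e) for e in events))
    impact = min(100, sum(WEIGHTS[c] for c in cats))
    return cats, impact, impact > 70

def prevalence(samples):
    """Fraction of samples showing each category, as in the post's table."""
    counts = Counter()
    for events in samples:
        counts.update(score_sample(events)[0])
    return {c: n / len(samples) for c, n in counts.items()}

# Constructed events for two hypothetical samples (not real Carbanak telemetry)
SAMPLE_A = [{"type": "embedded_pe_load"}, {"type": "image_replace"},
            {"type": "file_create", "path": "C:\\Users\\u\\AppData\\svchost.exe", "hidden": True},
            {"type": "service_create", "start": "auto"},
            {"type": "net_connect", "from_injected_code": True}]
SAMPLE_B = [{"type": "process_create"}, {"type": "vm_check"}]   # evasive but low impact
```

Running `score_sample(SAMPLE_A)` yields six categories and a capped impact of 100, while `SAMPLE_B` shows evasion without crossing the 70-point line, which is the distinction the post draws between "evasive" and "malicious".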

One of the more interesting and alarming components of the Carbanak family of malware is that it is likely still actively involved in robbing banks around the world of millions of dollars.

The clearly sophisticated and varied family of malware has a broad arsenal of stealthy and evasive maneuvers tailor-made to bypass the security systems the targeted banks have in place.

Because these malware samples are environment-aware, with stealthy and evasive behaviors, detecting them automatically requires a stealth sandbox whose analysis environment appears to be a victim’s system. Only then will banks be protected against these evolving threats.

Carbanak malware sample analysis:

[Figure: Example Carbanak Malware Sample Analysis]

Tripwire, a Lastline integration partner, has added to the conversation on their State of Security Blog. You can read their post and other security news and industry commentary here.

Topics: Evasive Malware, Bank Malware, Carbanak, Kaspersky Labs