{
	"id": "6844b1e1-072b-4c30-8e3e-e9cd4c7ff1b7",
	"created_at": "2026-04-06T00:09:08.031206Z",
	"updated_at": "2026-04-10T03:35:16.928514Z",
	"deleted_at": null,
	"sha1_hash": "3357fa14af664294f29d790c60f4ab45ccbbfd3a",
	"title": "GCMAN: how to steal $200 per minute",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 41001,
	"plain_text": "GCMAN: how to steal $200 per minute\r\nBy Kaspersky\r\nPublished: 2017-09-13 · Archived: 2026-04-05 22:48:20 UTC\r\nVIRUS DEFINITION\r\nVirus Type: Advanced Persistent Threat, Trojan, Malware, APT, ATM, Banking Trojans, spear-phishing,\r\ncybercrime\r\nWhat is GCMAN?\r\nGCMAN is a group that uses APT techniques and legitimate penetration testing tools to infect computer networks\r\nand attempt to steal funds by transferring money from financial institutions to e-currency services.  The malware\r\nwas compiled with the help of the GCC compiler, a rarity among malware writers.\r\nWhat it can do?\r\nThe initial infection mechanism is handled by spear-phishing. A financial institution is targeted with e-mails\r\ncarrying a malicious RAR archive. When the RAR archive is opened an executable is started instead of a\r\nMicrosoft Word document, resulting in infection. The group also plants a cron script into the bank's server to\r\ngenerate financial transactions at the rate of $200 per minute.\r\nWho are the victims of its attacks?\r\nThe victims are limited to financial institutions.\r\nAm I at risk?\r\nYou are in a risk group if your organisation falls into the category above. Make sure you are using advanced anti-malware solutions and taking advice from a reliable security company.\r\nHow do I know if I’m infected?\r\nKaspersky Lab products successfully detect and block the malware used by GCMMAN threat actors with the\r\nfollowing detection names:    \r\nBackdoor.Win32.GCMan; Backdoor.Win64.GCMan; Trojan-Downloader.Win32.GCMan\r\nThe company is has also released crucial Indicators of Compromise (IOC) and other data to help organizations\r\nsearch for traces of these attack groups in their corporate networks. 
\r\nHow can I protect myself?\r\nThe only way to discover an attempted break-in or a successful penetration of the perimeter is to analyze behaviour patterns and try to spot the attacker within the flow of ordinary corporate network activity.\r\nTo be on the safe side, make sure you are using advanced anti-malware solutions such as Kaspersky Next EDR Optimum. Also invest in cybersecurity awareness so that you can recognise phishing emails in your mailbox.\r\nTo raise the level of protection, organizations are advised to use System Watcher, which includes the BSS (Behavior Stream Signatures) module. This is included in all modern Kaspersky products and solutions.\r\nOf course, a multitude of powerful endpoint security layers is not enough on its own. Spear-phishing, one of the most popular techniques for initial infection, makes reliable mail security a must. Kaspersky Security for Mail Servers scans incoming emails for both malicious attachments and URLs, significantly reducing the chances of malware reaching its victims.\r\nRecommended products:\r\nKaspersky Premium Antivirus\r\nDownload Kaspersky Premium Antivirus with 30-Day Free Trial\r\nKaspersky VPN - Download and Try for Free\r\nSource: https://www.kaspersky.com/resource-center/threats/gcman",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.kaspersky.com/resource-center/threats/gcman"
	],
	"report_names": [
		"gcman"
	],
	"threat_actors": [
		{
			"id": "3b185161-668f-4cac-b930-9482f9706848",
			"created_at": "2022-10-25T16:07:23.670892Z",
			"updated_at": "2026-04-10T02:00:04.706866Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"G0036"
			],
			"source_name": "ETDA:GCMAN",
			"tools": [
				"GCMAN",
				"Meterpreter",
				"VNC",
				"Virtual Network Computing"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1e408839-27ce-4f52-b7c6-d0a700e54027",
			"created_at": "2023-01-06T13:46:38.479274Z",
			"updated_at": "2026-04-10T02:00:02.991414Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"G0036"
			],
			"source_name": "MISPGALAXY:GCMAN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fc11deee-6db4-46a9-a3d5-c02bb960cc51",
			"created_at": "2022-10-25T15:50:23.277991Z",
			"updated_at": "2026-04-10T02:00:05.400194Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"GCMAN"
			],
			"source_name": "MITRE:GCMAN",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434148,
	"ts_updated_at": 1775792116,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3357fa14af664294f29d790c60f4ab45ccbbfd3a.pdf",
		"text": "https://archive.orkl.eu/3357fa14af664294f29d790c60f4ab45ccbbfd3a.txt",
		"img": "https://archive.orkl.eu/3357fa14af664294f29d790c60f4ab45ccbbfd3a.jpg"
	}
}