{
	"id": "b102e92d-ff5e-4050-8b21-51e098d8499b",
	"created_at": "2026-04-06T00:09:01.53995Z",
	"updated_at": "2026-04-10T03:35:16.907063Z",
	"deleted_at": null,
	"sha1_hash": "bca963b1781629c7cce4aacd8ebc21cbedc6512b",
	"title": "APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3481498,
	"plain_text": "APT-style bank robberies increase with Metel, GCMAN and\r\nCarbanak 2.0 attacks\r\nBy GReAT\r\nPublished: 2016-02-08 · Archived: 2026-04-05 14:09:46 UTC\r\nIntroduction\r\nIn late 2014, Kaspersky Lab researchers made a worrying prediction: financially-motivated cyber-criminals would\r\nadopt sophisticated tactics and techniques from APT groups for use in bank robberies.\r\nJust a few months later, in February 2015, we announced the discovery of Carbanak, a cyber-criminal gang that\r\nused custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial\r\ninstitutions in at least 30 countries.\r\nSince then, we have seen an increase in these covert, APT-style attacks that combine the use of reconnaissance,\r\nsocial engineering, specialized malware, lateral movement tools and long-term persistence to steal money from\r\nfinancial institutions (particularly ATMs and money transfer systems).\r\nIn summer 2015, a #bank in #Russia lost millions of rubles in one night #bankingAPT #TheSAS2016\r\nhttps://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/\r\nPage 1 of 9\n\nToday at the Security Analyst Summit (SAS 2016), Kaspersky Lab is announcing the discovery of two new gangs\r\nengaged in APT-style bank robberies – Metel and GCMAN – and the reemergence of the Carbanak group with\r\nnew targets in its sights.\r\nIn 2015, Kaspersky Lab researchers conducted Incident Response for 29 organizations located in Russia and\r\ninfected by these three groups.\r\nDue to the active nature of law enforcement investigations and non-disclosure agreements with victim\r\norganizations, Kaspersky Lab cannot provide extensive details of the attacks. Kaspersky Lab is releasing crucial\r\nIndicators of Compromise (IOCs) and other data to help organizations search for traces of these attack groups in\r\ntheir corporate networks (see below).\r\nThe story of Metel – ATM balance rollbacks\r\nIn summer 2015, a bank in Russia discovered it had lost millions of rubles in a single night through a series of\r\nstrange financial transactions. The bank’s clients were making withdrawals from ATMs belonging to other banks\r\nand were able to cash out huge sums of money while their balances remained untouched. The victim bank didn’t\r\nrealize this until it tried to recoup the money withdrawn from the other banks’ ATMs.\r\nDuring our incident response, we discovered the solution to this puzzle: Metel, a modular malware program also\r\nknown as Corkow.\r\nThe malware, used exclusively by the Metel group, infected the bank’s corporate network via e-mail and moved\r\nlaterally to gain access to the computers within the bank’s IT systems.\r\nHaving gained access to the bank operator’s money-processing system, the gang pulled off a clever trick by\r\nautomating the rollback of ATM transactions. This meant that money could be stolen from ATMs via\r\ndebit cards while the balance on the cards remained the same, allowing for multiple transactions at different\r\nATMs.\r\nEncrypted configuration for Metel malware plugins\r\nOur investigations revealed that the attackers drove around several cities in Russia, stealing money from ATMs\r\nbelonging to different banks. With the automated rollback in place the money was instantly returned to the account\r\nafter the cash had been dispensed from the ATM. The group worked exclusively at night, emptying ATM cassettes\r\nat several locations.\r\nGCMAN group planted cron script into #bank server, stealing $200/min #bankingAPT #TheSAS2016\r\nIn all, we discovered Metel in more than 30 financial institutions, but Kaspersky Lab’s incident responders were\r\nable to clean the networks before any major damage could be done. It is highly likely that this threat is far more\r\nwidespread and we urge financial institutions around the world to scan their networks for signs of the Metel\r\nmalware.\r\nThe Metel criminal group is still active. At the moment, we don’t have any information about any victims outside\r\nRussia.\r\nA second group, which we call GCMAN because the malware is based on code compiled with the GCC compiler,\r\nemerged recently using similar techniques to the Metel group to infect banking institutions and attempt to transfer\r\nmoney to e-currency services.\r\nThe initial infection mechanism is handled by spear-phishing financial institution targets with e-mails carrying a\r\nmalicious RAR archive. Upon opening the RAR archive, an executable is started instead of a Microsoft Word\r\ndocument, resulting in infection.\r\nOnce inside the network, the GCMAN group uses legitimate and penetration testing tools such as Putty, VNC, and\r\nMeterpreter for lateral movement. Our investigation revealed an attack where the group then planted a cron script\r\ninto the bank’s server, sending financial transactions at the rate of $200 per minute. A time-based scheduler was\r\ninvoking the script every minute to post new transactions directly to the upstream payment processing system. This\r\nallowed the group to transfer money to multiple e-currency services without these transactions being reported to\r\nany system inside the bank.\r\nDecompiled code of GCMAN malware that is responsible for connecting to CnC\r\nIn a stroke of luck, the financial institutions discovered the suspicious activity on their network in time to\r\nneutralize the threat and cancel the transactions.\r\nOne interesting observation is that the real attack happened approximately 18 months before it was discovered.\r\nThe group used an MS SQL injection in commercial software running on one of the bank’s public web services, and\r\nabout a year and a half later, they came back to cash out. During that time they poked 70 internal hosts,\r\ncompromised 56 accounts, making their way from 139 attack sources (TOR and compromised home routers).\r\nWe discovered that about two months before the incident someone was trying different passwords for an admin\r\naccount on a banking server. They were really persistent but doing it only three times a week and then only on\r\nSaturdays, in an effort to stay under the radar.\r\nKaspersky Lab’s research team responded to three financial institutions in Russia that were infected with the\r\nGCMAN malware. It is likely that this threat is far more widespread and we urge banks to sweep their networks\r\nfor signs of this cyber-criminal group.\r\nCarbanak 2.0: new targets beyond banks\r\nAfter our exposure of the Carbanak group exactly a year ago, the group disappeared for about five months, leading\r\nus to believe that the operation was disbanded. However, in September last year, our friends at CSIS published a\r\nblog detailing a new Carbanak variant affecting one of its customers.\r\nIn December 2015, we confirmed that the group was still active. Kaspersky Lab discovered signs of Carbanak in\r\ntwo institutions – a telecommunications company and a financial institution.\r\nExecutable files found in SHIM during Carbanak incident response\r\nOne interesting characteristic of Carbanak 2.0 is a different victim profile. The group has moved beyond banks\r\nand is now targeting the budgeting and accounting departments in any organization of interest to them, using the\r\nsame APT-style tools and techniques.\r\nIn one remarkable case, the Carbanak 2.0 gang used its access to a financial institution that stores information\r\nabout shareholders to change the ownership details of a large company. The information was modified to name a\r\nmoney mule as a shareholder of the company, displaying their IDs. It’s unclear how they wanted to make use of\r\nthis information in the future.\r\n#Carbanak gang is now targeting budgeting \u0026 accounting departments #bankingAPT #TheSAS2016\r\nKaspersky Lab products successfully detect and block the malware used by the Carbanak 2.0, Metel and GCMAN\r\nthreat actors with the following detection names:\r\nTrojan-Dropper.Win32.Metel\r\nBackdoor.Win32.Metel\r\nTrojan-Banker.Win32.Metel\r\nBackdoor.Win32.GCMan\r\nBackdoor.Win64.GCMan\r\nTrojan-Downloader.Win32.GCMan\r\nTrojan-Downloader.Win32.Carbanak\r\nBackdoor.Win32.Carbanak\r\nKaspersky Lab urges all organizations to carefully scan their networks for the presence of Carbanak, Metel and\r\nGCMAN and, if detected, to disinfect their systems/computers/networks and report the intrusion to law\r\nenforcement.\r\nAll this information has been made available to customers of our APT intelligence reporting service and they\r\nreceived the indicators of compromise and context information as soon as they became available.\r\nIndicators of Compromise (IOC) are available here:\r\nMetel\r\nGCMAN\r\nCarbanak 2.0\r\nFor more about the measures to be taken against these Bank Busters and similar offensives, read this article\r\nin the Kaspersky Business Blog.\r\nSource: https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"MISPGALAXY",
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/"
	],
	"report_names": [
		"73638"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a58aedbc-e89f-4e0c-8147-c6406a616cfa",
			"created_at": "2022-10-25T16:07:23.494355Z",
			"updated_at": "2026-04-10T02:00:04.629595Z",
			"deleted_at": null,
			"main_name": "Corkow",
			"aliases": [
				"Corkow",
				"Metel"
			],
			"source_name": "ETDA:Corkow",
			"tools": [
				"Corkow",
				"Metel"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3b185161-668f-4cac-b930-9482f9706848",
			"created_at": "2022-10-25T16:07:23.670892Z",
			"updated_at": "2026-04-10T02:00:04.706866Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"G0036"
			],
			"source_name": "ETDA:GCMAN",
			"tools": [
				"GCMAN",
				"Meterpreter",
				"VNC",
				"Virtual Network Computing"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1e408839-27ce-4f52-b7c6-d0a700e54027",
			"created_at": "2023-01-06T13:46:38.479274Z",
			"updated_at": "2026-04-10T02:00:02.991414Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"G0036"
			],
			"source_name": "MISPGALAXY:GCMAN",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fc11deee-6db4-46a9-a3d5-c02bb960cc51",
			"created_at": "2022-10-25T15:50:23.277991Z",
			"updated_at": "2026-04-10T02:00:05.400194Z",
			"deleted_at": null,
			"main_name": "GCMAN",
			"aliases": [
				"GCMAN"
			],
			"source_name": "MITRE:GCMAN",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434141,
	"ts_updated_at": 1775792116,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bca963b1781629c7cce4aacd8ebc21cbedc6512b.pdf",
		"text": "https://archive.orkl.eu/bca963b1781629c7cce4aacd8ebc21cbedc6512b.txt",
		"img": "https://archive.orkl.eu/bca963b1781629c7cce4aacd8ebc21cbedc6512b.jpg"
	}
}