{
	"id": "b66d890d-9ac2-4660-bd51-cd6d75df91a8",
	"created_at": "2026-04-06T00:06:08.368867Z",
	"updated_at": "2026-04-10T03:31:13.539646Z",
	"deleted_at": null,
	"sha1_hash": "e1e88bfe3d6b5b483692d31f0518c4571bd542ee",
	"title": "The Great Bank Robbery: the Carbanak APT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1869081,
	"plain_text": "The Great Bank Robbery: the Carbanak APT\r\nBy GReAT\r\nPublished: 2015-02-16 · Archived: 2026-04-05 16:32:03 UTC\r\nThe story of Carbanak began when a bank from Ukraine asked us to help with a forensic investigation. Money was being mysteriously stolen from ATMs. Our initial thoughts tended towards the Tyupkin malware. However, upon investigating the hard disk of the ATM system we couldn’t find anything except a rather odd VPN configuration (the netmask was set to 172.0.0.0, which is not even a valid contiguous subnet mask).\r\nAt this time we regarded it as just another malware attack. Little did we know then that a few months later one of our colleagues would receive a call at 3 a.m. On the phone was an account manager, asking us to call a certain number as a matter of urgency. The person at the other end of the line was the CSO of a Russian bank. One of their systems was alerting that data was being sent from their Domain Controller to the People’s Republic of China.\r\nWhen we arrived on site we were quickly able to find the malware on the system. We wrote a batch script that removed the malware from an infected PC, and ran this script on all the computers at the bank. This was done multiple times until we were sure that all the machines were clean. Of course, samples were saved, and through them we encountered the Carbanak malware for the first time.\r\nModus Operandi\r\nhttps://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/\r\nPage 1 of 6\n\nFurther forensic analysis took us to the point of initial infection: a spear-phishing e-mail with a CPL (Windows Control Panel item) attachment, although in other cases Word documents exploiting known vulnerabilities were used. After the shellcode executes, a backdoor based on Carberp is installed on the system. 
This backdoor is what we know today as Carbanak. It is designed for espionage, data exfiltration and remote control.\r\nOnce the attackers are inside the victim’s network, they perform manual reconnaissance, trying to compromise relevant computers (such as those of administrators) and using lateral movement tools. In short, having gained access, they jump through the network until they find their point of interest. What this point of interest is varies from attack to attack. What they all have in common, however, is that from this point it is possible to extract money from the infected entity.\r\nThe gang behind Carbanak does not necessarily have prior knowledge of the inner workings of each targeted bank, since these vary per organisation. So, in order to understand how a particular bank operates, infected computers were used to record videos that were then sent to the Command and Control servers. Even though the quality of the videos was relatively poor, they were still good enough for the attackers who, armed also with the keylogged data from that particular machine, could understand what the victim was doing. 
This provided them with the knowledge they needed to cash out the money.\r\nCash out procedures\r\nDuring our investigation we found several ways of cashing out:\r\nATMs were instructed remotely to dispense cash without any interaction with the ATM itself, with the cash then collected by mules;\r\nthe SWIFT network was used to transfer money out of the organisation and into criminals’ accounts;\r\ndatabases with account information were altered so that fake accounts could be created with a relatively high balance, with mule services being used to collect the money.\r\nInfections and losses\r\nSince we started investigating this campaign we have worked very closely with the law enforcement agencies (LEAs) tracking the Carbanak group. As a result of this cooperation we know that up to 100 targets have been hit. When it comes to financial institutions, in at least half of the cases the criminals were able to extract money from the infected institution. Losses per bank range from $2.5 million to approximately $10 million. However, according to information provided by LEAs and the victims themselves, total financial losses could be as high as $1 billion, making this by far the most successful criminal cyber campaign we have ever seen.\r\nOur investigation began in Ukraine and then moved to Moscow, with most of the financial entities targeted by the group located in Eastern Europe. However, thanks to KSN (Kaspersky Security Network) data and data obtained from the Command and Control servers, we know that Carbanak also targets victims in the USA, Germany and China. Now the group is expanding its operations to new areas. 
These include Malaysia, Nepal, Kuwait and several regions in Africa, among others.\r\nThe group is still active, and we urge all financial organizations to carefully scan their networks for the presence of Carbanak. If detected, report the intrusion to law enforcement immediately.\r\nFor a full description of the campaign, IOCs and the list of infections, please see our report.\r\nTo check your network for Carbanak’s presence, you can also use the OpenIOC file available here.\r\nFAQ\r\nWhat is Carbanak?\r\nCarbanak is the name we use for an APT-style campaign targeting (but not limited to) financial institutions. The main difference from other APT attacks is that the attackers see money, not data, as their primary target. We say APT-like; however, the attack is not, strictly speaking, Advanced. Strictly speaking, the main feature defining the attackers is Persistence.\r\nWe named the backdoor Carbanak since it is based on Carberp and the name of its configuration file is “anak.cfg”.\r\nWhat are the malicious purposes of this campaign?\r\nThe attackers infiltrate the victim’s network looking for the critical system they can use for cashing money out. Once they have stolen a significant amount of money (from $2.5 to $10 million per entity), they abandon the victim.\r\nWhy do you think it is significant?\r\nBanking entities have always been a primary target for cybercriminals. However, it was almost always through their customers. 
This time the attackers are targeting financial entities directly in an unprecedented, determined, highly professional and coordinated attack, using any means available at the target to cash out as much money as possible, up to an apparently self-imposed limit.\r\nCan you explain the timeline of the campaign?\r\nAccording to what we know, the first malicious samples were compiled in August 2013, when the cybercriminals started to test the Carbanak malware. The first infections were detected in December 2013.\r\nOn average, each bank robbery took between two and four months, from infecting the first computer on the bank’s corporate network to cashing the money out.\r\nWe believe that the gang was able to successfully steal from their first victims during the period February-April 2014. The peak of infections was recorded in June 2014.\r\nCurrently the campaign is still active.\r\nWhy didn’t you make the details public until now?\r\nSince we started working on this campaign we have collaborated with the different LEAs involved in the investigation and helped them as much as possible. As it remains an open investigation, we were asked not to share any details until it was safe to do so.\r\nHave you reached victims and Computer Emergency Response Teams (CERTs) in those countries where you have detected the incidents?\r\nYes, this investigation turned into a joint operation between Kaspersky Lab’s Global Research and Analysis Team and international organizations, national and regional law enforcement agencies and a number of Computer Emergency Response Teams (CERTs) worldwide.\r\nOne of our main goals was to disseminate our knowledge of the campaign and IOCs among all detected and potential victims. 
We used national CERTs and LEAs as the distribution channel.\r\nHow did you contribute to the investigation?\r\nWe are assisting in investigations and countermeasures that disrupt malware operations and cybercriminal activity. During the investigations we provide technical expertise such as analysis of infection vectors, malicious programs, the supporting Command \u0026 Control infrastructure and exploitation methods.\r\nHow was the malware distributed?\r\nAttackers used spear-phishing emails with malicious attachments against employees of the targeted financial institutions, in some cases sending them to their personal email addresses. We believe the attackers also used drive-by download attacks, but this second assumption is still not 100% confirmed.\r\nWhat is the potential impact for victims?\r\nBased on what the attackers stole from victims, a new victim faces potential losses of up to $10 million. However, this figure is arbitrary, based only on what we know so far: nothing limits the potential loss once an institution is infected.\r\nWho are the victims? What is the scale of the attack?\r\nVictims are mainly institutions in the financial industry; however, we have also found traces of infections in POS terminals and PR agencies. For a sense of the scale of the attack please see the different charts and maps we provide in our report.\r\nAs with many malware campaigns, there are a variety of companies and individuals analyzing the malware, resulting in requests to the Command and Control server. When we analyze those servers, all we see are the IPs and possibly some additional information. 
When this additional information is not present, and when the IP cannot be traced back to its owner (for example to a known security vendor or researcher), we mark it as an infection, so the counts below may include some unattributed analysis traffic.\r\nBased on this approach, our analysis concludes that Russia, the US, Germany and China are the most affected countries by number of traces of infection (IP addresses).\r\nHow are corporate users protected against this type of attack? Does Kaspersky Lab protect its users?\r\nYes, we detect Carbanak samples as Backdoor.Win32.Carbanak and Backdoor.Win32.CarbanakCmd.\r\nAll Kaspersky Lab corporate products and solutions detect known Carbanak samples. To raise the level of protection, it is recommended to switch on Kaspersky’s Proactive Defense Module, included in each modern product and solution.\r\nWe also have some general recommendations:\r\nDo not open suspicious emails, especially if they have an attachment;\r\nUpdate your software (no 0-days were used in this campaign, so fully patched systems would have resisted the document exploits);\r\nTurn on heuristics in your security suites; this way it is more likely that such new samples will be detected and stopped from the beginning.\r\nSource: https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/"
	],
	"report_names": [
		"68732"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Silicon"
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium",
				"Carbanak",
				"Carbon Spider",
				"FIN7",
				"Navigator",
				"Sangria Tempest",
				"TelePort Crew"
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433968,
	"ts_updated_at": 1775791873,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e1e88bfe3d6b5b483692d31f0518c4571bd542ee.pdf",
		"text": "https://archive.orkl.eu/e1e88bfe3d6b5b483692d31f0518c4571bd542ee.txt",
		"img": "https://archive.orkl.eu/e1e88bfe3d6b5b483692d31f0518c4571bd542ee.jpg"
	}
}