Anti-Malware , Cybercrime , Cybercrime as-a-service

Spain Busts Alleged Kingpin Behind Prolific Malware

$1 Billion in Losses Tied to Gang Wielding Carbanak and Cobalt Malware
Spain Busts Alleged Kingpin Behind Prolific Malware
A Spanish National Police van. (Photo: Contando Estrelas via Wikemedia/CC)

The alleged leader of a cybercrime gang tied to more than $1 billion in losses has been arrested in Alicante, Spain.

See Also: Live Webinar | Key Drivers to Enable Digital Transformation in Financial Services

Authorities say the suspect - named only as "Denis K." - is a Ukrainian national. He's been accused of running a cybercrime gang that developed Carbanak and Cobalt malware and used it to infect numerous banks' networks in Russia, as well as in Belarus, Azerbaijan, Kazakhstan, Ukraine and Taiwan, to alter bank balances and help perpetrate campaigns that led to massive financial losses worldwide.

Authorities say that each of the group's attack campaigns resulted in thefts of up to €10 ($12.4 million).

Europol, the EU's law enforcement intelligence agency, helped to coordinate an investigation led by the Spanish National Police, with assistance from Europol, the FBI, Interpol, authorities in Romania, Belarus and Taiwan, as well as private cybersecurity firms.

Officials say the gang - known as both the "Anunak" and "Carbanak" gang, referring to two strains of malware developed by the group - has been tied to attacks involving both Carbanak as well as Cobalt malware. Europol as well as security firm Trend Micro had previously said that while there were "striking similarities" between the Carbanak and Cobalt malware attacks, it wasn't clear if they were the work of the same group.

Anunak malware first appeared in 2013, and later developed into a more sophisticated strain called Carbanak, which remained in use through at least 2016 (see Sophisticated Carbanak Banking Malware Returns, With Upgrades).

After that, the group began using Cobalt, which was based on penetration testing called Cobalt Strike, authorities say. Cobalt was first spotted by security researchers after it was used to attack ATM manufacturers and European banks in the summer of 2016.

Versions of the gang's malware have included the ability to launch "jackpotting" or cash-out attacks designed to make ATMs dispense all of their cash.

Source: Europol

Mafia Supplies Mules

Spanish National Police say the operation was led by Denis K., who worked with three other individuals that he met via online forums, but with whom he had no personal contact.

But keeping the wider operation running required help from many others (see Cybercrime as a Service: Tools + Knowledge = Profit).

"Despite the high technical level of its members, the cybercriminals needed the support of other criminal groups to coordinate the work of the 'mules' in charge of withdrawing cash from ATMs that it attacked in different countries," Spanish National Police say.

Russian mafia gangs supplied the required mules until 2015, but since 2016, the mules have been supplied by Moldovan mafia gangs, police say (see Don't Be a Money Mule for the Holidays).

Spanish National Police say the gang targeted with malware ATMs in Madrid's city center in the early part of 2017, extracting about €500,000 ($620,000) in cash, "using cards associated with current [checking] accounts with fraudulently modified balances and belonging to banks of Russia and Kazakhstan."

Carlos Yuste, a Spanish police chief inspector who helped lead the investigation, suspects the gang will be unable to continue its operations following the arrest of its leader.

"The head has been cut off," Yuste tells Bloomberg. "I'm sure there are other operations like this, but not many."

European Banking Federation Assists

The Brussels-based European Banking Federation, which is composed of 32 national banking associations and which represents the interests of 4,500 EU banks, assisted with the investigation.

"This is the first time that the EBF has actively cooperated with Europol on a specific investigation," says Wim Mijs, CEO of the EBF. "It clearly goes beyond raising awareness on cybersecurity and demonstrates the value of our partnership with the cybercrime specialists at Europol."

Mijs adds: "Public-private cooperation is essential when it comes to effectively fighting digital cross border crimes like the one that we are seeing here with the Carbanak gang."

Spear-Phishing Email Campaigns

The cybercrime group often targeted bank employees via spear-phishing emails that appeared to come from legitimate companies, and which arrived with malicious Microsoft Word documents or .RTF files, seeking to exploit known vulnerabilities on their system, authorities say. If victims opened the attachment and their PC became infected, the malware would give attackers remote-control access to the victim's machine.

"Once downloaded, the malicious software allowed the criminals to remotely control the victims' infected machines, giving them access to the internal banking network and infecting the servers controlling the ATMs," according to the EBF. "This provided them with the knowledge they needed to cash out the money."

Money Laundering via Cryptocurrency

Spanish National Police say the stolen cash was often transferred into bitcoin cryptocurrency using cryptocurrency exchanges in Russia and Ukraine, and that some of these bitcoins were transferred to accounts operated by Dennis K., who had amassed about 15,000 bitcoins, currently worth $119 million, by the time of his arrest.

"The detainee used financial platforms in Gibraltar and the United Kingdom to load prepaid cards with this cryptocurrency that he could use in Spain for the purchase of all types of goods and services - including vehicles and homes," Spanish National Police say. "Also, the detainee had a huge bitcoin mining infrastructure that he would use as a means of money laundering."

The estimated $1 billion in losses tied to the Carbanak group's activities represents a mix of fraudulent wire transfers, using banking Trojans installed on PCs, as well as jackpotting attacks involving attackers infecting ATMs with their malware and making them dispense cash on demand, according to information previously released by Moscow-based security firm Kaspersky Lab (see ATM Hackers Double Down on Remote Malware Attacks).

Source: Europol

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.