The banking malware known as Carbanak has been observed being used in ransomware attacks, and its tactics have been updated.
“The malware has adapted to attack vendors and techniques to diversify its effectiveness,” cybersecurity firm NCC Group said in an analysis of a November 2023 ransomware attack.
“Carbanak returned last month via a new distribution chain and was distributed via compromised websites to impersonate various business-related software.”
The impersonated tools include popular business-related software such as HubSpot, Veeam, and Xero.
Carbanak has been found in the wild since at least 2014 and is known for its data exfiltration and remote control capabilities. It started out as banking malware and was later used by the FIN7 cybercriminal group.
In the latest attack chain documented by NCC Group, compromised websites were designed to host malicious installer files disguised as legitimate utilities to trigger the deployment of Carbanak.
This development comes as 442 ransomware attacks were reported last month, compared with 341 incidents in October 2023. So far this year, 4,276 ransomware attacks have been reported, “less than 1,000 incidents less than the total number of incidents in 2021 and 2022 (5,198)”.
The company’s data shows that industrials (33%), consumer cyclicals (18%) and healthcare (11%) were the top targeted sectors, with North America (50%), Europe (30%) and Asia (10%) accounting for most of the attacks.
As for the most common ransomware families, LockBit, BlackCat and Play accounted for 47% of the 442 attacks (or 206 attacks). With BlackCat being dismantled by authorities this month, it remains to be seen what impact this move will have on the threat landscape in the near future.
“It is worth paying attention to whether the level of global ransomware activity will continue to rise,” said the head of threat intelligence at NCC Group.
Cyber insurance company Corvus also confirmed a spike in ransomware attacks in November, saying it observed 484 new ransomware victims posted to leak sites.
“The entire ransomware ecosystem has successfully moved away from QBot,” the company said. “Incorporating software vulnerabilities and alternative malware families into their repertoire will pay dividends for ransomware organizations.”
While this shift follows law enforcement’s dismantling of the QBot (aka QakBot) infrastructure, Microsoft last week revealed details of a low-volume phishing campaign that distributed malware, underscoring the challenge of completely disrupting these groups.
The development comes as Kaspersky revealed that the Akira ransomware’s communication site includes protections that hinder analysis: the site raises an exception when it is accessed with a web browser’s debugger.
The Russian cybersecurity company further highlights that ransomware operators exploit several security vulnerabilities in the Windows Common Logging File System (CLFS) driver – CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, CVE-2023-28252 (CVSS score: 7.8) – for privilege escalation.