
The Source Code for the Most Dangerous Banking Malware Has Been Found

Posted by Geraldine Hunt on Tue, May 28th, 2019

Imagine what it would be like to physically stand in front of multiple ATMs and rob a bank of $350,000. That’s what a gang of cybercriminals actually did back in 2016 after they infected several ATMs with malware. The machines were located in Taiwan and Thailand, and the gang’s efforts caused them to spit out a steady stream of cash to the gang members. While ATM hackers have traditionally relied on tactics such as stealing payment card numbers and online banking credentials to steal cash, this group went straight to the source, the bank itself, to pilfer cash from the machines. It was all made possible thanks to a batch of malicious code called Carbanak.

The Source Code that Was Almost Never Found

Imagine if you were a police detective and the smoking gun for one of the most notorious crimes ever committed had been submitted at your station, only to sit there for two years. Sounds frustrating, doesn’t it? Well, that scenario actually occurred in the cybersecurity community when one of the world’s most dangerous malware strains, developed by one of the most notorious hacker organizations, was uploaded to VirusTotal and no one noticed. VirusTotal is a website that was created by a Spanish security company, launched in 2004 and later acquired by Google in 2012. The site offers a free online service that analyzes files and URLs for viruses, worms, trojans and malicious code. It does this by aggregating multiple anti-malware products into a single scanning engine. This lets users upload files that they think are suspicious, or files that may have been flagged as false positives by another antivirus solution.

What is Carbanak

There are a number of infamous criminals that have lasting name recognition, such as Al Capone, Bonnie and Clyde, Jesse James, etc. If you are in the cybersecurity field, there may not be a more scandalous bunch than FIN7. This Eastern European gang was a highly professional and disciplined unit. It developed its own malware tools and financed extensive research, including a testing division, that would help its malicious tools evade detection by antivirus scanners and authorities. Its list of targets reads like a who’s who of global brands, including Saks Fifth Avenue, Trump Hotels, Whole Foods, and Omni Hotels and Resorts. There is also one industry the group is famous for targeting: the banking industry.

If you think the ATM heist was impressive, a report published by the New York Times back in 2015 outlined how FIN7 stole as much as $1 billion from more than 100 banks and financial companies in 30 nations. All of these attacks were attributed to Carbanak, a malware strain created by the group. Their attack methodology was referred to as “the most sophisticated attack the world has seen to date.” Banks in the United States, Japan, Russia, and Europe fell victim to these attacks.

What Carbanak did was create a back door into the bank’s network. Carbanak was designed to infect the machines used by banking personnel, and it was delivered through spear-phishing emails sent to hundreds of employees at various banks. Once the machines were infected, the hackers had command and control of them. Members of FIN7 then monitored and studied the protocols and procedures that bank employees used to make bank transfers. They mimicked these practices and transferred money under the employee accounts to fake bank accounts or to ATMs that they were monitoring. In the case of the ATMs, they would designate a specific time at which the ATM would spit out cash so that someone from the team would be there to retrieve the money. FIN7 went about these tactics for 6 years, constantly adapting Carbanak in order to stay ahead of cyber defensive measures.

The Find

As mentioned, the Carbanak source code resided inconspicuously on VirusTotal for two years until a team of researchers discovered it and began analyzing the files. The source code was made up of 755 files that consisted of over 100,000 lines of code, making up a total of 20 MB. After 500 hours of in-depth analysis, it was found that the malware was far more sophisticated than ever thought. Analysts referred to it as the “Cadillac of malware in a sea of golf carts”. Why it took so long to recognize the uploaded source code is a mystery. With so many millions of files uploaded to VirusTotal every week for analysis, it is understandable that this illustrious malware strain, which was so good at disguising itself and evading discovery, went unrecognized for so long.

The Aftermath

Several key members of FIN7 were arrested last year and charged with 26 felonies.  Charges were filed in a U.S. District Court in Seattle.  The group has dispersed itself to escape law enforcement but is still active.  The chain of events shows that once again, it is imperative to have an effective modern-day email security gateway in order to protect your users from phishing emails that are cleverly designed to deliver sophisticated malware such as Carbanak. 
