ShadowTalk Update – 07.16.2018
July 16, 2018
In this week’s ShadowTalk, Digital Shadows’ Russian-speaking security specialist discovered files and source code allegedly related to the Carbanak organized criminal group. The Carbanak malware is a backdoor used by the Anunak (Carbanak) Group to infiltrate financial institutions and steal funds. Richard Gold and Simon Hall join Rafael Amado to discuss the implications for financial services from these revelations. We ask whether this leak represents a threat to organizations, and how businesses can best defend themselves from the techniques used by sophisticated financial criminal groups such as Carbanak. Listen to the latest podcast or read our blog to find out more.
Middle Eastern entities continue to attract cyber attacks
Two APT phishing campaigns have recently been targeting Middle Eastern institutions. Iranian APT group “Charming Kitten” has been linked to a phishing campaign that used a spoofed version of the website of Israeli cyber-security company ClearSky. Charming Kitten used the spoofed website to host login fields to harvest credentials, but the site was rendered offline within three hours of creation. Also during the past week, an APT spearphishing campaign targeted the Palestinian National Authority, along with other Middle Eastern entities. Malicious emails containing a decoy document were sent in conjunction with a malicious executable file. That campaign has not been attributed to a specific group, but there are several similarities to the work of cyber espionage group “Gaza Cybergang”. Given the political climate in the Middle East, comparable activity will likely occur for the medium- to long-term future (three months or at least a year).
Ransomware adopts cryptocurrency miner as alternative payload
A new variant of the Rakhni ransomware was reported on 05 Jul 2018 by cyber security company Kaspersky. Rakhni, first identified in 2013, uses emails containing weaponized documents to entice victims into inadvertently launching a malicious executable. However, the new variant also scans systems to determine the presence of a Bitcoin folder and confirm whether they have one or two logical processors. Depending on the victim’s machine, the malware would encrypt files and demand a ransom, install a cryptocurrency miner or deploy a worm to spread to additional devices. The incorporation of an alternative cryptocurrency payload into a traditionally ransomware-focused variant means that threat actors are still targeting cryptocurrencies, finding this method profitable and effective.