Carbanak Banking Malware

The banking malware known as Carbanak has been observed in ransomware attacks with updated tactics.  The malware has adapted to incorporate new attack vectors and techniques to diversify its effectiveness.  Carbanak returned in November 2023 through new distribution chains: it is being delivered via compromised websites that host installers impersonating various business-related software.


Some of the impersonated tools include popular business software such as HubSpot, Veeam, and Xero.  Carbanak, observed in use since at least 2014, is known for its data exfiltration and remote control features.  Although it started out as banking malware, it has since been used by the FIN7 cybercrime syndicate.[1]

In the latest attack chain, the compromised websites host malicious installer files masquerading as legitimate utilities, which in turn deploy Carbanak.  The development comes as 442 ransomware attacks were reported in November 2023, up from 341 incidents in October 2023.  This year, 4,276 cases have been reported, which is "less than 1000 incidents fewer than the total for 2021 and 2022 combined (5,198)."

Data shows that industrials (33%), consumer cyclical (18%), and healthcare (11%) were the most targeted sectors, with North America (50%), Europe (30%), and Asia (10%) accounting for most of the attacks.  Among the most commonly observed ransomware families, LockBit, BlackCat, and Play together accounted for 47% (206) of the 442 attacks.  With BlackCat dismantled by authorities this month, it remains to be seen what impact that action will have on the threat landscape in the near term.


According to investigators, the total number of attacks has surpassed 4,000, a marked increase over 2021 and 2022, so it will be worth watching whether ransomware levels continue to climb next year.  The spike in ransomware attacks in November 2023 has also been corroborated by cyber insurance firm Corvus, which said it identified 484 new ransomware victims posted to leak sites.

“The ransomware ecosystem at large has successfully pivoted away from QBot," the company said. "Making software exploits and alternative malware families part of their repertoire is paying off for ransomware groups."


The shift follows the law enforcement takedown of QBot's (aka QakBot) infrastructure, yet Microsoft investigators have since reported a low-volume phishing campaign distributing the malware, underscoring the challenges in fully dismantling these groups.

The development comes as Kaspersky revealed that the Akira ransomware's leak site includes anti-analysis measures: it raises exceptions when the site is accessed with a debugger attached in the web browser, preventing its scripts from being stepped through.  The Russian cybersecurity company further highlighted ransomware operators' exploitation of several privilege escalation flaws in the Windows Common Log File System (CLFS) driver: CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252 (each with a CVSS score of 7.8).
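To show the class of browser-side anti-debugging the Akira report describes, here is an added illustration written for this page; it is not Akira's code, and the function names, the 100 ms threshold, and the timing approach are assumptions.  A `debugger` statement is a no-op unless a debugger is attached and breaks on it, so timing one reveals whether an analyst is paused in DevTools, and the page logic then throws instead of running:

```javascript
// Added example (not Akira's code): abort page logic when a browser
// debugger is detected. Names and the 100 ms threshold are assumptions.

// How long does a `debugger` statement take to pass?  With no debugger
// attached it is a no-op (well under a millisecond).  When DevTools is open
// and pauses on it, the elapsed time reflects how long the analyst sat at
// the breakpoint before resuming.
function debuggerPauseMs() {
  const start = Date.now();
  debugger; // no-op unless a debugger is attached and breaks here
  return Date.now() - start;
}

// True when the probe took longer than the threshold, i.e. someone was
// paused on the statement.  `probe` is injectable so the logic can be
// exercised without a real debugger.
function debuggerDetected(thresholdMs = 100, probe = debuggerPauseMs) {
  return probe() > thresholdMs;
}

// Wrap the sensitive part of the page: run `work` only when no debugger is
// detected; otherwise raise an exception so nothing past this point runs.
// `detector` is injectable for the same reason as `probe` above.
function guarded(work, detector = debuggerDetected) {
  if (detector()) {
    throw new Error('Debugger detected; aborting page logic');
  }
  return work();
}

// Usage: the protected code path is whatever the site wants to hide from
// a stepping analyst; here it just returns a placeholder string.
function loadPage() {
  return guarded(() => 'page content rendered');
}
```

From the analyst's side, this check is cheap to sidestep: deactivate breakpoints (DevTools' "Deactivate breakpoints" toggle, or "Never pause here" on the `debugger` line) so the statement no longer pauses, or override `Date.now` / `performance.now` in the console before the script runs so the measured interval is always zero.  Sites that depend on this technique usually combine it with other tricks (repeated checks on a timer, obfuscation), so treat it as a speed bump, not a barrier.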


This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  Call for assistance.  For questions, comments, a demo, or assistance, please get in touch with the office directly at 1-844-492-7225 or   
