Bank-heist malware's servers phone home to Russian spookhaus
Possible prank sees trojan that lifted $300 million suggest Kremlin as controller
Trend Micro researcher Maxim Goncharov says one of the world's most sophisticated and dangerous bank-robbing trojans is now pointing to Russia's Federal Security Service (FSB).
Goncharov says the Carbanak trojan's command and control servers now point to the FSB in what could be a joke or gaffe by malware authors.
Carbanak, disclosed in February, gave attackers a foothold in corporate networks from which they extracted more than $300 million from more than 100 unnamed financial institutions around the world.
"I checked for other interesting details in the other indicators of compromise but didn't find anything related to this particular anomaly," Goncharov says in a post.
"I still do not know why it happened; I do not really think that FSB Russia would point the Carbanak-related domain name to an IP address which is affiliated with Russian Federal Security Service.
"It is also possible that the owner of the domain had done this as a prank."
Carbanak stole large amounts of money by granting attackers a beachhead on corporate networks.
From there the scammers temporarily inflated customer bank balances and wired off the extra cash before the banks' 10-hourly account checks could detect it.
Criminals maintained access to banks for two years, utilising remote functions to force ATMs to spit cash to waiting gangs of thieves.
One Kaspersky customer lost US$10 million, while another was fleeced of $7.3 million through ATM withdrawals.
It is described as probably the "most sophisticated attack the world has seen", due to its very low profile and high impact.
Kaspersky says the financial damage could tip $900 million due to a series of $10 million transactions that are difficult to track. ®