2023-12-26

The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics to encrypt data.

How the Carbanak banking malware evolved

“Malware has adapted to incorporate attack providers and techniques to diversify its effectiveness,” cybersecurity firm NCC Group said in an analysis of ransomware attacks that occurred in November 2023, adding, “Carbanak returned last month through new distribution chains and was distributed through compromised sites to pretend to be various business-related software.”

Some of the imitated tools include popular business-related software such as HubSpot, Veeam and Xero.

Carbanak, which has been detected in the wild since at least 2014, is known for its data exfiltration and remote control capabilities; born as banking malware, it was used by the FIN7 crime syndicate.

In the latest attack chain documented by NCC Group, the compromised websites are designed to host malicious installer files disguised as legitimate utilities, which start the distribution of Carbanak.

The development comes as 442 ransomware attacks were reported last month, compared to 341 incidents in October 2023; in total, 4,276 cases have been reported so far this year, “fewer than 1,000 incidents fewer than the total for 2021 and 2022 combined (5,198).”

Company data shows that industrials (33%), consumer cyclicals (18%) and healthcare (11%) have emerged as the most targeted sectors, with North America (50%), Europe (30%), and Asia (10%) accounting for the majority of attacks.

As for the most commonly detected ransomware families, LockBit, BlackCat, and Play contributed to 47% (or 206 attacks to be precise) of the 442 attacks; with BlackCat dismantled by authorities this month, it remains to be seen what impact this move will have on the threat landscape in the near future.

“With still a month left in the year, the total number of attacks has surpassed 4,000, which marks a huge increase over 2021 and 2022, so it will be interesting to see if ransomware levels continue to rise next year,” said Matt Hull, global head of threat intelligence at NCC Group.

The increase in ransomware attacks in November was also confirmed by cyber insurance company Corvus, which claimed to have identified 484 new ransomware victims posted on leak sites.

“The ransomware ecosystem as a whole has successfully moved away from QBot,” the company said. “The inclusion of software exploits and alternative malware families in their repertoire is yielding positive results for ransomware groups.”

While the change is the result of law enforcement shutting down the QBot (aka QakBot) infrastructure, Microsoft last week revealed details of a low-profile phishing campaign distributing the malware, underscoring the challenges in completely dismantling these groups.

The development also comes as Kaspersky revealed that the Akira ransomware's security measures prevent analysis of its communication site by raising exceptions when someone attempts to access the site with a debugger in the web browser.

The Russian cybersecurity company also highlighted ransomware operators' exploitation of several security vulnerabilities in the Windows Common Log File System (CLFS) driver (CVE-2022-24521, CVE-2022-37969, CVE-2023-23376 and CVE-2023-28252; CVSS scores: 7.8) for elevation of privileges, that is, to obtain system administrator level privileges.