Anunak:APT against financial institutions


Title: Anunak:APT against financial institutions
Botnet: Carberp, Qadars, Anunak (botnet)
Botnet/malware group:
Exploit kits:
Distribution vector:
Campaign: Anunak
Operation/Working group:
Date: 2014 / 2014-12-22
Editor/Conference: Fox-IT
Link: APT-against-financial-institutions2.pdf (Archive copy)
Author: Fox-IT, Group-IB
Type: Tech report


This report describes the details and type of operations carried out by an organized criminal group that focuses on the financial industry, such as banks and payment providers, on the retail industry, and on news, media and PR companies. The group has its origin in more common financial fraud, including theft from consumer and corporate bank accounts in Europe and Russia using standard banking malware, mainly Carberp.

After the arrests of Carberp group members in Russia, some of the members were out of work; however, the experience gained from many years of crime allowed them to enter a new niche. One of the members quickly realized that instead of stealing $2,000 a thousand times to earn $2 million, they could steal the same amount in a single operation and obtain it immediately with much less effort. The anti-fraud measures employed by banks have pushed the criminals to search for new ways to make money with fewer barriers; compromising, modifying or taking data from banks, payment providers, retail and media/PR companies are some of these methods.

From 2013 an organized criminal group intensified its activity focused on banks and electronic payment systems in Russia and in the post-Soviet space. The key point is that the fraud occurs within the corporate network, using internal payment gateways and internal banking systems. Thus money is stolen from the banks and payment systems, and not from their customers. While this is their main and most lucrative activity, the gang has also ventured into other areas, including the compromise of media groups and other organizations for industrial espionage and likely a trading advantage on the stock market. In cases where the group got access to government agency networks, their aim was espionage related. The backbone of the organized criminal group consists of citizens of both Russian and Ukrainian origin, but the group also sources a number of mainstream and specialized services from individuals and groups originating from Russia, Ukraine and Belarus.

The average sum stolen in the Russian territory and in the post-Soviet space is $2 million per incident. Since 2013 they have successfully gained access to the networks of more than 50 Russian banks and 5 payment systems, and 2 of these institutions were deprived of their banking license. To date the total amount stolen is over 1 billion rubles (about 25 million dollars), most of which was stolen in the second half of 2014.

The average time from the moment of penetration into a financial institution's internal network until successful theft is 42 days. As a result of access to internal bank networks, the attackers also managed to gain access to ATM management infrastructure and to infect those systems with their own malicious software, which further allows theft from the banks' ATM systems on the attackers' command.

Since 2014 the organized criminal group members have been actively taking an interest in US and European based retail organizations. While they were already familiar with POS malware and compromising POS terminals, the widespread media attention around the Target breach and other related breaches was the reason for this move. While the scale of breaches in this industry is still relatively low, with at least 3 successful card breaches and over a dozen retailers compromised, this activity is quickly becoming a lucrative endeavor for this group.

To penetrate internal networks this organized criminal group employs targeted emailing (spear phishing) and infection sources from other botnets. This is the main reason why the group keeps in touch with the owners of large botnets. Since August 2014 the group has begun to create their own large botnet using mass emailing rather than typical exploit drive-by infections. This last move is likely to reduce the need for external contacts.


@misc{2014BFR4725,
   editor = {Fox-IT},
   author = {Fox-IT, Group-IB},
   title = {Anunak:APT against financial institutions},
   date = {22},
   month = Dec,
   year = {2014},
   howpublished = {\url{}},