
New Leads Connect Carbanak Cyber-gang with a Russian Data Security Firm

Posted: June 20, 2016

The journalist Brian Krebs and security researcher Ron Guilmette have found evidence that ties a Russian-based cyber-security firm and its 28-year-old CEO with the operations of the Carbanak cyber criminals.

Last year, the security research firm Kaspersky Labs released a report on the activity of a group of cyber criminals who used the Carbanak malware to infiltrate up to 100 banks from all around the world. Kaspersky estimated that the thieves had managed to steal around $1 billion / €876.7 million. The cyber-gang decided to lay low after the release of the report, but since then they have become active once again, with security researchers detecting several waves of attacks. In their latest attempt to steal even more money, the Carbanak cybercriminals expanded their targets beyond banks by adding the budgeting and accounting departments of other types of companies.

Investigators Focus on the Domains Used by Carbanak

By taking a look at the registration records of the sites used by the Carbanak cyber-gang to distribute their malware infection, the security researcher Ron Guilmette uncovered several striking similarities. For example, the 'WHOIS' records of the domains weekend-service[dot]com, coral-trevel[dot]com, and freemsk-dns[dot]com, show that they were registered under a Chinese company called Xicheng Co. All three domains use "williamdanielsen@yahoo.com" as a contact address and the same phone and fax numbers – 1066569215 and 1066549216, with either a Chinese or a US international code prefix.

ThreatConnect, a threat intelligence provider, used this information to discover that a total of 484 domains have been registered to either the same email address or to one of 26 other emails that use the same phone and fax numbers and Chinese company. ThreatConnect stated that 304 of those domains have been used for the distribution of malware threats in Carbanak attacks.

Following the Breadcrumbs Leads to Infocube

Among the still dormant domains, the journalist Brian Krebs found the website "cubehost[dot]biz," which, according to its records, is registered to Artem Tveritinov, a 28-year-old Russian from Perm and the CEO of the security firm Infocube (also spelled Infokube). Mr. Krebs' investigation states that the cubehost[dot]biz website is owned by a sister company of Infocube. In his email correspondence with Brian Krebs, Mr. Tveritinov denied any connections with the domain and stated that his personal information had been stolen and then used for the registration of the website.

Continuing with his research, Mr. Krebs uncovered that quite a few of the domain names associated with the distribution of the Carbanak malware are hosted in Internet address space that is assigned to Cubehost. Looking through the registration records of the whole block of IP addresses revealed a physical address in Ras al Khaimah, one of the emirates of the United Arab Emirates (UAE). The email listed for any abuse reports is info@cubehost.biz.
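The two pivots described above, shared WHOIS contact details that link domains to one registrant, and a hosting netblock that links further domains to the same operator, can be automated. The script below is an added example written for this article; it is not code from the article, from ThreatConnect or from the researchers. The domains, contact e-mail, phone and fax numbers and company name in the first three records are the ones quoted above; every other record, the hosting IP addresses and the 203.0.113.0/24 block are constructed, and the trailing-ten-digit phone comparison is an assumption made so that the same number written with a Chinese or a US prefix lands on one key. The linking rule mirrors the one in the text: same contact e-mail, or same phone, fax and company together.

```python
"""WHOIS-contact and netblock pivoting over constructed registration data."""
from collections import defaultdict
import ipaddress
import re

# Constructed WHOIS records. The first three carry the details quoted in the
# article; "example-pivot.test" and "unrelated.test" are invented for the demo.
WHOIS_RECORDS = [
    {"domain": "weekend-service.com", "email": "williamdanielsen@yahoo.com",
     "phone": "+86.1066569215", "fax": "+86.1066549216", "org": "Xicheng Co"},
    {"domain": "coral-trevel.com", "email": "williamdanielsen@yahoo.com",
     "phone": "+1.1066569215", "fax": "+1.1066549216", "org": "Xicheng Co"},
    {"domain": "freemsk-dns.com", "email": "williamdanielsen@yahoo.com",
     "phone": "+86.1066569215", "fax": "+86.1066549216", "org": "Xicheng Co"},
    # Constructed: different e-mail but same phone, fax and company,
    # the second linking rule the article describes.
    {"domain": "example-pivot.test", "email": "other-contact@example.test",
     "phone": "+86.1066569215", "fax": "+86.1066549216", "org": "Xicheng Co"},
    # Constructed: shares no contact detail, so it must stay separate.
    {"domain": "unrelated.test", "email": "someone@example.test",
     "phone": "+1.5550100", "fax": "", "org": "Acme"},
]

# Constructed hosting data. The article names no addresses, so the RFC 5737
# documentation ranges stand in for the hosting company's block and for others.
HOSTING = {
    "weekend-service.com": "203.0.113.10",
    "coral-trevel.com": "203.0.113.11",
    "freemsk-dns.com": "198.51.100.7",
    "example-pivot.test": "203.0.113.12",
    "unrelated.test": "192.0.2.5",
}


def normalize_phone(raw: str) -> str:
    """Digits only, compared on the trailing ten so that a Chinese (+86) or
    US (+1) prefix on the same number yields one key (assumption for this demo)."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[-10:]


def contact_keys(rec: dict) -> list:
    """Indicators on which two records are considered the same registrant:
    the e-mail address alone, or phone + fax + company together."""
    keys = []
    if rec.get("email"):
        keys.append(("email", rec["email"].strip().lower()))
    phone = normalize_phone(rec.get("phone", ""))
    fax = normalize_phone(rec.get("fax", ""))
    org = (rec.get("org") or "").strip().lower()
    if phone and fax and org:
        keys.append(("phone+fax+org", phone, fax, org))
    return keys


def cluster_domains(records: list) -> list:
    """Union-find over shared contact keys; returns clusters as sorted lists,
    largest cluster first."""
    parent = {}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    key_owner = {}  # first domain seen for each indicator key
    for rec in records:
        domain = rec["domain"]
        parent.setdefault(domain, domain)
        for key in contact_keys(rec):
            if key in key_owner:
                union(domain, key_owner[key])
            else:
                key_owner[key] = domain

    groups = defaultdict(set)
    for domain in parent:
        groups[find(domain)].add(domain)
    return sorted((sorted(g) for g in groups.values()),
                  key=lambda g: (-len(g), g[0]))


def domains_in_block(hosting: dict, cidr: str) -> list:
    """Second pivot: every domain whose hosting address falls inside the block."""
    net = ipaddress.ip_network(cidr)
    return sorted(d for d, ip in hosting.items()
                  if ipaddress.ip_address(ip) in net)


if __name__ == "__main__":
    for group in cluster_domains(WHOIS_RECORDS):
        print("registrant cluster:", ", ".join(group))
    print("hosted in 203.0.113.0/24:", domains_in_block(HOSTING, "203.0.113.0/24"))
```

Keying on phone, fax and company together rather than on any one of them keeps the clustering conservative: a shared registrar default phone number or a common company string on its own would otherwise pull unrelated domains into the group.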

Ties Between Carbanak and Other Malware Attacks

The Internet address space that is apparently assigned to Mr. Tveritinov and his company has not been used solely for the distribution of Carbanak, according to Mr. Guilmette. Many domains also hosted on this IP block were employed as controllers during the Citadel online banking malware attacks. All of these domains have the Xicheng Co company listed in their 'WHOIS' records. The name of this Chinese company can also be found in the registration records of domains that were part of the 2006 Sinowal banking Trojan heists.
