According to a report from NCC Group, beginning in November 2023, new samples consistent with the infamous Carbanak backdoor were observed in the wild in connection with ransomware events. Carbanak was reportedly spread via impersonation of tools such as HubSpot, Veeam and Xero.
Carbanak is a fully-featured backdoor which enables the attacker to spawn a reverse shell and execute remote commands on the compromised asset, ultimately enabling espionage, data exfiltration and/or deployment of further malware. Historically, Carbanak has been used by the Eastern European-nexus, financially-motivated threat actors tracked as Carbanak, Anunak, Cobalt, and FIN7. It has been argued that these groups may in fact be a single threat actor, given the significant overlaps in tactics, techniques and procedures as well as in victimology.
NCC Group's findings are notable in the context of the wider threat landscape:
The very fact that Carbanak has been observed in the wild again suggests the malware is still under active development;
The correlation with ransomware is in itself a new development which expands the risk exposure of targeted organizations, i.e. alongside the financial, reputational and data compromise impact, a ransomware event may have broader ramifications in terms of advanced persistent threats;
Eastern European-nexus FIN7 (for simplicity, "FIN7" is used here to represent the whole threat cluster) appears to be back with updated tradecraft, elevating the threat level for its typical targets, including point-of-sale systems, commerce, and retail operators.
The resurgence of the Carbanak backdoor may also be correlated with recent developments in the information stealer threat landscape, namely the low volume of Qbot-related events and the growth in deployment of other pieces of malware such as PikaBot. However, as has become evident, the alleged dismantlement of the Qbot infrastructure declared last August proved to be nothing more than a minor setback, as numerous Qbot events were reported in October and December.