zaterdag 27 juni 2015

Carbanak malware and the FSB connection

After the discovery of the Carbanak malware, indicators connected to the malware were released.
One of them being the domain: 
It turned out later on that this specific domain was pointing towards the web server of the FSB (IP:

Several security researchers noticed this and publicly reported it.

1) At first hand the general opinion was that the criminals changed the domain to the FSB web server once their campaign was exposed, as some sort of easter egg. Funny, probably not that smart, but could be possible.

2) The FSB confiscated the domain and pointed it towards its web servers for sinkholing purposes. Although this option does not necessarily follow the general rules of sinkholing, especially not when you direct the traffic straight to your main web server.
The main web server handler your web traffic, pointing an APT campaign towards it could result in a DDoS effect in which your main web site becomes unreachable, something you'd want to circumvent when sinkholing. The main purpose of the web server is serving the website, it would be practicle to choose a completely different set up for sinkholing purpose.

3) 3th and last option seemed unlikely but it could have been possible that the FSB made a huge mistake and by accident or neglect was involved in this whole Carbanak campaign from the beginning. Neglecting to use dedicated untraceble infrastructure, or maybe pressuring the fraudsters to relay back their activities towards the FSB. This option is ruled out by most, especially from the RU countries. (*wink*)


As a starting point it was always assumed the domain started to point towards the FSB webserver after the Carbanak APT attack was exposed. Some digging into databases now revealed the domain started point to the FSB web server close to its registration date.
The domain was registrated on 28-10-2014.

On 4-11-2014 the domain was first (in the wild) seen pointing to
VirusTotal has an entry of pointing to on 5-11-2014.

It turns out the domain has been pointing to the FSB web server all along! The Kaspersky PDF about this attack tells us the domain had been pointing towards the IP address Our research connects this IP only occasionally to this domain name (For example this one VirusTotal entry where the domain is spotted poiting to on 29-10-2014).
A slightly different domain: has been seen pointing to all along.

When we look at the chain of events above, we can conclude that the attackers used this FSB IP adress for the domain since the beginning. They even changed the IP address several times back towards the FSB IP address. Keeping this in mind the likely hood that pointing the domain towards the FSB IP address seemed of persistent routine and not as a randomly made up joke.
These are some fascinating new insights that have to be kept in mind.