COPYCATS: FROM APTS TO CRIMINALS

Sergey LozhkinSenior Security Researcher Kaspersky Lab

AGENDA

SkimerCarbanakMETEL

GCMANAPTs??????

GCMAN

200 USD PER MINUTE

BE PERSISTENT

• 2 months of tries on Sat

— What was your pw?— Sonic17

TROUBLE IN THOUGHT

INFO−.ASP

Ads Web

server

GCMAN ATTACK

Corporate online

banking webserver

Online banking

DBAdmin’s

WorkstationsProcessing Connection

server

GCMAN SUMMARY

1. Knocking to front door2. Avoid whitelisting

techs3. >1 year persistence

CARBANAK

CARBANAK SUMMARY

1. Global criminals’ ATP2. Spear-phishing is

everything 3. It is all about MONEY

METEL

Source http://ageofgeeks.com/wp-content/uploads/2015/04/furious-7-paul-walker.jpg

METEL – TRANSACTIONS ROLLBACK

CHALLENGE

WIPE PATERN

RAND 4096 ALWAYS

METEL SUMMARY

1. IOCs’ horror 2. Spear-phishing is

everything 3. It is all about MONEY

SKIMER

SKIMER

SKIMER–XFS SERVICE PATCH

SKIMER–SERVICE PATCHED

ATM INFECTOR –MAGIC CARD

CARD 1 – INTERFACE COMMANDSCARD 2 – TRACK 2 HARDCODED

SKIMER SUMMARY

1. Silent2. Attack on ATM users3. Attack on banks

LAZARUS

LAZARUS SUMMARY

1. Active from 20092. Attacks on everything3. New group that made

1bln USD after Carba

7H@NK Y0U1

Sergey LozhkinPrincipal Security Researcher Kaspersky Lab