Carbanak banking malware adopts new ransomware tactics

admin, 2023-12-27 16:29:07


The banking malware known as Carbanak has been observed being used in ransomware attacks with updated tactics.

"The malware has adapted to incorporate attack vendors and techniques to diversify its effectiveness," cybersecurity firm NCC Group said in an analysis of ransomware attacks that took place in November 2023.

"Carbanak returned last month through new distribution chains and has been distributed through compromised websites to impersonate various business-related software."

Some of the impersonated tools include popular business software such as HubSpot, Veeam, and Xero.

Carbanak, seen in the wild since at least 2014, is known for its data exfiltration and remote-control capabilities. It started out as banking malware and has since been used by the FIN7 cybercrime syndicate.

In the latest attack chain documented by NCC Group, the compromised websites host malicious installer files that masquerade as legitimate utilities and, when run, deploy Carbanak. Because the installers are served from a site that looks legitimate, the download's origin says nothing about its integrity; the publisher's code signature and the vendor-published hash are what should be verified before an installer is executed.

The development comes as 442 ransomware attacks were reported in November 2023, up from 341 in October. A total of 4,276 cases have been reported so far this year, which NCC Group notes is "less than 1000 incidents fewer than the total for 2021 and 2022 combined (5,198)."

NCC Group's data shows industrials (33%), consumer cyclicals (18%), and healthcare (11%) as the most targeted sectors, with North America (50%), Europe (30%), and Asia (10%) accounting for most of the attacks.

Among the most frequently observed ransomware families, LockBit, BlackCat, and Play together accounted for 47% (206) of the 442 attacks. With BlackCat's infrastructure disrupted by law enforcement this month, it remains to be seen what effect that will have on the threat landscape in the near term.

"With one month of the year still to go, the total number of attacks has surpassed 4,000 which marks a huge increase from 2021 and 2022, so it will be interesting to see if ransomware levels continue to climb next year," Matt Hull, global head of threat intelligence at NCC Group, said.

The November spike is corroborated by cyber insurance firm Corvus, which said it identified 484 new ransomware victims posted to leak sites that month.

"The ransomware ecosystem at large has successfully pivoted away from QBot," the company said. "Making software exploits and alternative malware families part of their repertoire is paying off for ransomware groups."

The shift follows the law enforcement takedown of QBot's (aka QakBot) infrastructure in August 2023. Even so, Microsoft last week disclosed details of a low-volume phishing campaign distributing the malware, underscoring how hard it is to fully dismantle these groups.

Separately, Kaspersky revealed that Akira ransomware's communication site carries an anti-analysis measure: when someone tries to open the site with the browser's debugger (developer tools) attached, the page's script raises exceptions, preventing the site from being analyzed.

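As an added example (not code from the Akira site or from Kaspersky's report), the following Node.js snippet illustrates the class of browser-side anti-debugging trick described above: a page whose script throws when it believes developer tools are attached, alongside the analyst's usual counter-measure of stubbing the detectors out before the guard runs. The two detector functions, the timing threshold, the error text and the demo() helper are illustrative assumptions, not Akira's implementation.

```javascript
// Added example, not code from the Akira site or from Kaspersky's report: the class of
// browser-side anti-debugging trick the text describes, where a page raises an exception
// when it believes a debugger is attached, and the analyst's counter-measure.
// Runs under Node.js. Without an inspector attached the `debugger` statement is a no-op,
// so every detector below reports "no debugger", as it would for an ordinary visitor.

// Detector 1 (assumed, illustrative): a `debugger` statement pauses execution only when
// developer tools are attached, so a wall-clock gap across it beyond the threshold implies
// someone is stepping through the script.
function debuggerPauseDetected(thresholdMs = 100) {
  const start = Date.now();
  debugger; // no-op unless a debugger is attached
  return Date.now() - start > thresholdMs;
}

// Detector 2 (assumed, illustrative): a bait object whose property getter records that it
// was read. Some browser consoles evaluate getters while rendering a logged object, so the
// getter firing means the console is open. Node's console.log prints "[Getter]" without
// calling it, so the flag stays false here.
function consoleInspectionDetected() {
  let inspected = false;
  const bait = {};
  Object.defineProperty(bait, 'id', {
    enumerable: true,
    get() {
      inspected = true;
      return 'bait';
    },
  });
  console.log(bait);
  return inspected;
}

// The site's guard: run each detector and throw instead of rendering if any one trips.
// Raising an exception, rather than quietly returning, is what breaks the analyst's
// session; that is the behaviour the text attributes to the Akira site.
function antiDebugGuard(detectors) {
  for (const detect of detectors) {
    if (detect()) {
      throw new Error('analysis environment detected; refusing to load');
    }
  }
  return 'page-loaded';
}

// Analyst's counter-measure: the detectors are ordinary functions in page scope, so
// overriding them before the guard runs (from the DevTools console, a user script, or an
// intercepting proxy that rewrites the response) defeats the trap without editing the guard.
function neutralizeDetectors(detectors) {
  return detectors.map(() => () => false);
}

// Stand-in for an attached debugger so the failure path can be exercised without one.
const simulatedAttachedDebugger = () => true;

// Exercises all three situations and returns the outcomes.
function demo() {
  const detectors = [debuggerPauseDetected, consoleInspectionDetected];
  const outcomes = {};

  outcomes.normalVisitor = antiDebugGuard(detectors);

  try {
    antiDebugGuard([...detectors, simulatedAttachedDebugger]);
    outcomes.withDebugger = 'page-loaded';
  } catch (err) {
    outcomes.withDebugger = err.message;
  }

  outcomes.analystBypass = antiDebugGuard(
    neutralizeDetectors([...detectors, simulatedAttachedDebugger]),
  );

  return outcomes;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run it with `node` to see the three outcomes: the page loads for a normal visitor, throws once a detector trips, and loads again after the detectors are stubbed. In practice an analyst can also sidestep this whole class of trap without executing the page's scripts at all, by fetching the HTML through the Tor proxy with a non-browser client and reading it statically, or by switching on "Deactivate breakpoints" in DevTools so the `debugger` statement never pauses.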

The Russian cybersecurity company also highlighted ransomware operators' exploitation of several elevation-of-privilege flaws in the Windows Common Log File System (CLFS) driver, CVE-2022-24521, CVE-2022-37969, CVE-2023-23376, and CVE-2023-28252 (each CVSS 7.8), to gain elevated privileges on compromised hosts. All four were fixed in Microsoft's monthly security updates between April 2022 and April 2023, so a Windows host that is missing those updates remains exposed to this post-compromise step.
Originally published on the WeChat official account 知机安全: Carbanak banking malware adopts new ransomware tactics

  • When reposting, please keep the link to this article (CN-SEC中文网; thanks to the original author for their work): Carbanak banking malware adopts new ransomware tactics http://cn-sec.com/archives/2339738.html
