
Carbanak APT Eng

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 20 min read

Summary:

This page summarises Kaspersky Lab's technical report on the Carbanak malware group, which has been active since at least 2013 and is known for targeted attacks against financial institutions worldwide. The extracted report includes RDP (Remote Desktop Protocol) communications with specific IP addresses, HTTP GET requests to domains such as datsun-auto.com, and a TLP (Traffic Light Protocol) marking of White, meaning the information can be shared publicly without compromising sensitive data. The main elements are:

1. **Carbanak malware:** Carbanak is a sophisticated cyber-espionage group known for targeted attacks against financial institutions using advanced malware and techniques. The samples listed, identified by hashes such as C265D1B8F97A0E34A9AFEDEBEE5EC10D, are variants or strains of the malware used in the group's operations.

2. **RDP communications:** IP addresses such as 185.10.56.59 and 37.235.54.48 were used for remote desktop connections, a significant point of entry for attacks targeting sensitive information stored on those systems.

3. **HTTP GET requests:** Request paths ending in ".5" or other extensions were sent to domains such as datsun-auto.com. The paths reveal how the malware behaves, whom it targets and how it interacts with systems during an attack.

4. **TLP: White:** The Traffic Light Protocol classifies the sensitivity of shared cybersecurity information to guide sharing decisions on a need-to-know basis; White means the information can be shared publicly.

5. **Contact information:** Inquiries go to intelreports@kaspersky.com, Kaspersky Lab's contact address for its intelligence reports (in the extracted text the address is followed by the digits 35 or 36, which are page numbers from the report footer).

Analysis at this level of detail is typical of reports from reputable firms such as Kaspersky Lab, which publish insights into sophisticated threats to help organisations and individuals protect themselves. The hashes identify malware samples and allow their distribution across networks to be tracked. In summary, the page reproduces a comprehensive report on a campaign involving Carbanak malware, covering its communication protocols, HTTP requests and the identifiers associated with its malware strains, and the TLP: White notice allows the information to be shared broadly within the security community.

Details:

**Executive Summary:** From late 2013 onwards, an unknown group of cybercriminals has been targeting banks and financial institutions worldwide in a series of sophisticated cyber attacks. The attacks share a common modus operandi, suggesting a coordinated effort by the same actors. Estimated cumulative losses from these incidents are potentially as high as $1 billion USD. This report is a technical analysis of the attacks conducted by Kaspersky Lab in collaboration with law enforcement agencies (LEAs).

**Analysis:**

  • **Infection and Transmission:** The malware used, identified as Backdoor.Win32.Carbanak, was transmitted via spear phishing emails containing malicious Microsoft Word documents. These documents contained a VBA macro that automatically executed the Carbanak malware upon opening the document.

  • **Malware Analysis – Backdoor.Win32.Carbanak:** The malware is designed to be highly persistent and stealthy, capable of evading detection by security software through its use of encryption and obfuscation techniques. It also includes features for data theft, such as capturing screenshots and keystrokes, which are then sent back to the attackers' command and control (C2) servers.

  • **Lateral movement tools:** The attackers employ various methods, including Remote Desktop Protocol (RDP), SMB shares and web injections, to move laterally within the network, targeting specific financial data and systems before moving on to other sectors or regions for further theft.

  • **Command and Control (C2) Servers:** The attackers maintain multiple C2 servers across different geographic locations to evade detection and command their malware effectively. These servers also host custom encrypted communication channels that require specific decoders to be accessed, adding a layer of complexity in the analysis and mitigation efforts.

**Conclusions:**

  • The Carbanak APT group has demonstrated significant capabilities in executing complex cyber attacks against financial institutions worldwide, causing substantial financial losses.

  • The use of advanced persistent threat (APT) techniques, such as evasion methods and targeted spear phishing campaigns, highlights the sophistication of this group's operations.

  • Collaboration between private sector cybersecurity firms like Kaspersky Lab and law enforcement agencies is crucial in understanding and disrupting ongoing cyber threats.

**TLP: White** For further information or inquiries regarding this report, please contact intelreports@kaspersky.com.

The Carbanak campaign is primarily focused on financial gain rather than espionage. Initially, the attackers used spear phishing emails carrying Microsoft Word 97-2003 (.doc) and Control Panel Applet (.CPL) attachments. These exploited vulnerabilities in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and in Microsoft Word (CVE-2014-1761) to install the Carbanak malware on the compromised system. Carbanak is a remote backdoor initially based on Carberp, with capabilities for espionage, data exfiltration and remote access to infected machines.

Once inside the network, the attackers conduct manual reconnaissance before using lateral movement tools to reach critical systems, installing software such as the Ammyy Remote Administration Tool or compromising SSH servers. The primary targets are money processing services, Automated Teller Machines (ATMs) and financial accounts. In some cases the attackers used the SWIFT network for large-scale transactions; in others they manipulated Oracle databases to access payment or debit card accounts within the same bank, transferred funds between accounts through online banking systems, or used ATM networks to dispense cash from specific ATMs.

The campaign primarily targeted banking entities and used compromised local user accounts for reconnaissance. Key findings:

1. **Involvement of money mules:** Attackers were ready to collect stolen funds at various locations, indicating a well-planned operation.

2. **Reconnaissance through video recordings:** The attackers recorded video of bank employees, including system administrators, and sent it to their Command and Control (C2) server for analysis.

3. **Abuse of legitimate services:** The criminals impersonated legitimate local users holding the required permissions in order to carry out malicious actions later on the compromised network.

4. **Impact on banking entities:** Over 100 banking institutions were affected, with significant financial losses; some lost millions through ATM fraud and abuse of online banking platforms.

5. **Geographical distribution of victims:** Most victims are located in Russia, the USA, Germany, China and Ukraine, although not all of them are banks.

6. **Financial losses:** Examples include one victim losing approximately $7.3 million to ATM fraud and another losing $10 million through its online banking platform.

7. **Funds transferred abroad:** Stolen funds were moved out of the affected countries, primarily to bank accounts in the US and China; some C2 servers also showed connections to systems located in the US.

8. **Expansion plans:** Telemetry analysis indicates the attackers are expanding their operations to other regions, including Asia, the Middle East, Africa and Europe.

9. **No exploitation of specific vulnerabilities:** Although the attackers used various financial services, no vulnerabilities in those services were exploited during the attacks.

10. **Operational details and geographical distribution:** The report documents the attack vectors, infection mechanisms, toolkits and operational details, together with the geographical distribution of affected entities.

Kaspersky Lab's analysis began in spring 2014, when it observed ATM transactions taking place without physical interaction, as reported, but found no malware on the ATMs themselves. The primary malware involved in this campaign was Carberp.
A Carberp-like malware was discovered on a computer connected through a VPN, which led to the identification of similar malware in another investigation involving a bank whose online banking systems had been accessed. Analysis of the bank's infrastructure traced the infection to spear phishing emails carrying Microsoft Word 97-2003 (.doc) or CPL attachments. These attacks exploited vulnerabilities in Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761); the exploits suggest a possible Chinese origin, and Command and Control servers located in China were also identified. The attackers used their period of access to the compromised network to target specific victims and systems, eventually learning to operate the victims' tools efficiently enough to extract cash. Carbanak's espionage component controls the video capabilities of victim systems for long-term observation and reconnaissance, letting the attackers understand each target's operational procedures and develop tailored methods of exploitation.

The attacks on Russian-speaking financial institutions combine sophisticated spear phishing with the Backdoor.Win32.Carbanak malware. Legitimate-looking emails carry malicious attachments that, when opened, execute remote code and install Carbanak on the victim's system; because they are sent from compromised employee accounts, they appear to be legitimate institutional correspondence. The attachments are typically written in Russian, matching the target audience, and use the Roshal Archive (.rar) format. Drive-by download attacks using the Null and RedKit exploit kits were also observed, leaving traces on victim machines that indicate infection by Carbanak. The malware gives the attackers remote access to the compromised system, enabling further malicious activity such as data theft or financial fraud.

Carbanak creates a file with a random name and a .bin extension under %COMMON_APPDATA%\Mozilla to store the commands it is to execute. It also reads proxy configuration from a registry entry and from the Mozilla Firefox preferences file %AppData%\Mozilla\Firefox\\prefs.js, and it can obtain proxy settings from headers passed through an application via SOCKS or HTTP. To detect Carbanak, look for .bin files in the folder ..\All users\%AppData%\Mozilla\. For persistence the malware creates a new service with the naming syntax "<ServiceName>Sys", where ServiceName is a randomly chosen existing service with its first character deleted, ensuring the service runs automatically at startup. Carbanak checks whether the avp.exe or avpui.exe processes are running, and it exploits vulnerabilities in Windows XP, Vista, 7, 8 and Server versions for local privilege escalation.

Carbanak performs most of its activity from svchost.exe. It downloads a file named klgconfig.plug from its C2 server that lists the processes to be monitored. It logs keystrokes and takes screenshots every 20 seconds by intercepting the ResumeThread call. To enable RDP connections it sets the Termservice service start mode to Auto and modifies termsrv.dll, csrsrv.dll, msgina.dll and winlogon.exe in memory so that concurrent sessions are possible. It monitors banking applications such as BLIZKO and IFOBS and can alter payment documents within the IFOBS system.

C2 communication uses HTTP with RC2 encryption and Base64 encoding, with random strings carrying various extensions inserted into the requests. The malware sends the collected monitoring data and receives commands, matching each command against a hash table to select the action to execute: for example, running commands stored in the configuration file, or downloading and running software such as Ammyy Admin. The command hashes and their actions, and the digital signatures used to make the samples look less suspicious, are summarised below.
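The host artifacts described above (the randomly named .bin command file under the common application data Mozilla folder, the service named after an existing service minus its first character combined with "Sys", the Termservice start mode, and the svchost.exe name under which the report says the attackers also uploaded Ammyy Admin) can be turned into an offline hunt. The following Python is an added example, not code from the report or from Kaspersky Lab; it runs over constructed sample data embedded in the block. The C:\ProgramData default for the common application data folder, the decision to test "Sys" as both suffix and prefix, and every sample file, service and process name are assumptions.

```python
"""Offline hunt for the Carbanak host artifacts named in the report.

Added example: the input lists are constructed sample data, not indicators
from the report. On a live host they would come from a file walk, the
Service Control Manager and a process listing.
"""
from pathlib import PureWindowsPath

SERVICE_AUTO_START = 2  # SCM "Start" registry value meaning Automatic

# Directories from which a genuine svchost.exe is loaded.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# Constructed sample data (assumptions, not indicators from the report).
SAMPLE_FILES = [
    r"C:\ProgramData\Mozilla\a7f3c1.bin",   # fits the %COMMON_APPDATA%\Mozilla\*.bin pattern
    r"C:\ProgramData\Mozilla\readme.txt",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\prefs.js",
    r"C:\ProgramData\Other\x.bin",          # .bin, but not in the Mozilla folder
]
SAMPLE_SERVICES = ["Spooler", "poolerSys", "TrkWks", "W32Time", "Sysmon"]
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
    ("svchost.exe", r"C:\ProgramData\svchost.exe"),  # a tool renamed to svchost.exe
    ("explorer.exe", r"C:\Windows\explorer.exe"),
]


def find_bin_droppers(paths, common_appdata=r"C:\ProgramData"):
    """Return .bin files located directly in <common_appdata>\\Mozilla.

    common_appdata defaults to the Vista+ location (an assumption); on
    XP-era hosts it is C:\\Documents and Settings\\All Users\\Application Data.
    """
    mozilla = PureWindowsPath(common_appdata, "Mozilla")
    return [p for p in paths
            if PureWindowsPath(p).suffix.lower() == ".bin"
            and PureWindowsPath(p).parent == mozilla]


def find_derived_service_names(service_names):
    """Flag services whose name is another service's name minus its first
    character combined with 'Sys' (the naming rule the report gives).
    Suffix and prefix placement are both tested; that is an assumption."""
    names = set(service_names)
    findings = []
    for template in names:
        if len(template) < 2:
            continue
        stem = template[1:]
        for candidate in (stem + "Sys", "Sys" + stem):
            if candidate in names and candidate != template:
                findings.append((candidate, template))
    return sorted(findings)


def find_svchost_masquerade(processes):
    """Return image paths of processes named svchost.exe that were loaded
    from outside the Windows system directories."""
    return [image for name, image in processes
            if name.lower() == "svchost.exe"
            and PureWindowsPath(image).parent not in SYSTEM_DIRS]


def termservice_set_to_auto(start_value):
    """True when the Termservice Start value is Automatic, the setting the
    report says the malware applies so that RDP stays reachable."""
    return start_value == SERVICE_AUTO_START


def hunt(files=SAMPLE_FILES, services=SAMPLE_SERVICES,
         processes=SAMPLE_PROCESSES, termservice_start=SERVICE_AUTO_START):
    """Run every check and return the findings keyed by artifact."""
    return {
        "bin_droppers": find_bin_droppers(files),
        "derived_service_names": find_derived_service_names(services),
        "svchost_outside_system_dirs": find_svchost_masquerade(processes),
        "termservice_auto": termservice_set_to_auto(termservice_start),
    }


if __name__ == "__main__":
    for artifact, result in hunt().items():
        print(f"{artifact}: {result}")
```

On the sample data the hunt reports the .bin file in the Mozilla folder, the service `poolerSys` as derived from `Spooler`, and the svchost.exe copy under C:\ProgramData. A Termservice start mode of Automatic is only meaningful against a known baseline for the host, so that check is returned as a plain flag for the analyst to weigh.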
1. **Malware Hash Descriptions:**

  • **7C6A8A5**: This hash refers to an update related to Malware, which seems to add it to the system's firewall exclusion list.

  • **0B22A5A7**: Describes a monitoring configuration update for «klgconfig.plug».

  • **0B77F949**: An unknown hash without specific description.

  • **7203363**: Known as "killos," it performs several actions:

      • It corrupts registry data in three registry paths.

      • It writes zeros into the first 512 bytes of the hard drive «\\.\PHYSICALDRIVE0».

      • It then reboots the system.

  • **78B9664**: This hash is for an "OS reboot" command, which presumably forces a system restart.

  • **7BC54BC**: Creates a network tunnel to a specified address, routing all traffic there.

  • **7B40571**: Uses specified proxy settings.

  • **79C9CC2**: Changes the Command and Control (C&C) server.

  • **7C9C2**: Can create or delete user accounts depending on the specific command used.

  • **78B0**: Modifies certain system DLLs related to Remote Desktop Protocol (RDP), allowing multiple connections and making RDP persistent.

  • **79BAC85**: Loads and overwrites a .dll responsible for password policies, redirecting it to the "Notification Packages" registry key.

  • **6ABC**: Deletes specified services or files.

  • **0A89AF94**: Executes a command based on its hash.

  • **79C53BD**: Loads and executes a file from a network location, which does not persist on the hard drive.

  • **0F4C3903**: Sends the local user system password to a C2 server.

  • **0BC205E4**: Takes screenshots and sends them.

  • **7A2BC0**: Turns off malware activity for a specified duration, possibly used to evade detection during specific times.

  • **6BC6C**: Unknown function with the hash "dupl."

  • **4ACAFC3**: Uploads files or directories to the remote server.

  • **7D43**: Establishes a VNC session, potentially for remote control of the system.

  • **9C4D055** and **2032914**: Both are marked as "Unknown" with no description provided.

2. **Digital Signatures:**

  • To make the malware less suspicious, Carbanak samples have digital signatures:

  • **footprintcrsgn.dll** (MD5 **08F83D98B18D3DFF16C35A20E24ED49A**) carries a digital signature.

These commands show that the malware manipulates system settings and data in a variety of ways, for espionage as well as for other malicious purposes. The digital signatures make the samples less suspicious when they are distributed.

The report also covers the digital signatures of Carbanak's tools and the geographical distribution of known samples uploaded to VirusTotal, together with the compilation timestamps and submission patterns of those samples, which highlight the periods when the malware drew the attention of the security community. Kaspersky Lab worked with law enforcement agencies (LEAs) during the investigation and used statistical data from its research to build a comprehensive understanding of the campaign. It also mapped the IP addresses found on Carbanak's Linux servers at the end of October 2014; Figure 10, "Geographical distribution of targets according to C2 data", shows where the targeted systems are located according to Command and Control (C2) data.

For lateral movement across infected systems the Carbanak group uses various tools, preferring the Ammyy Admin remote administration tool because it is whitelisted in many victim environments. The attackers were detected uploading Ammyy Admin 3.5 under the name svchost.exe and also using SSH backdoors that communicated with a C2 server at 190.97.165.126 (operatemesscont.net), which shows their ability to operate in environments other than Microsoft Windows. Investigation of these tools revealed access from two distinct IP addresses in Ukraine and France. Other tools found in victim networks for further system control include Metasploit, PsExec and Mimikatz.

The C2 servers fall into four types: Linux servers for command distribution and data collection, Windows servers for remote connections to victim systems, backup servers, and drop servers hosting additional executable files. C2 server usage rotates approximately every two weeks. The report includes a regularly updated list of Carbanak servers with Indicators of Compromise (IOCs). The servers distribute components such as Ammyy, the KLG plugin configuration and a VNC server, and some host Metasploit modules. Victim systems are catalogued in the servers' databases and grouped into communities to simplify administration; 85 different victims from seven communities were identified. The Carbanak administration panel runs on both Linux and Windows and supports RDP, VNC, proxies and tunnels.

The malicious servers also hold video recordings of user activity, stored in a compressed format that is nevertheless good enough for monitoring. The file names reflect the foreground application in use at the time of recording, which helps the attackers navigate and manage the material. Combining the video with other monitoring data, the attackers build an operational picture of the victim's workflow, tooling and practices, which lets them deploy their fraudulent operations effectively.

The attackers made fraudulent transactions inside the victims' own systems, inserting them among the legitimate transactions so that they would not be noticed. They kept each amount small, which made it hard for investigators and law enforcement to establish what had happened. Bank identifiers and codes recovered from the Carbanak C2 servers helped explain how the scheme worked, and the case shows that even sophisticated attackers can be caught when the community works together.

The Carbanak attacks represent a disturbing trend in cybercrime: increasing sophistication and effectiveness despite heightened awareness within the financial sector. Spear phishing and outdated exploits remain effective against large companies, letting the attackers bypass victim defences with minimal effort. The industry has deployed advanced control and fraud detection systems, but these focus primarily on fraudulent transactions in customer accounts. The Carbanak attackers circumvented these protections by targeting the banks' internal procedures and by using well-established financial services such as the SWIFT network and ATM networks without exploiting any vulnerability in those services, which indicates a deep understanding of them. After confirming the presence of banking software on victim systems, the malware's operations expanded globally to around 300 IP addresses in various countries. The attacks may have been coordinated to maximise returns before wider information sharing and countermeasures took hold in the industry.

The attackers aim to expand their operations to other regions, including the Baltic states and Central Europe, the Middle East, Asia and Africa, and may be responsible for losses as high as $1 billion USD. The report marks a new era in cybercrime in which criminals use Advanced Persistent Threat (APT) techniques to target the financial industry directly rather than its customers: APTs are no longer used solely for stealing information.

The report's appendix includes a Carbanak C2 protocol decoder written in Perl. The script loads the Crypt::CBC module for cryptographic operations, MIME::Base64 for Base64 decoding and LWP::Simple for HTTP requests. It processes a predefined encoded string, removing specific characters and normalising its format, then extracts an initialization vector (IV) from the processed string and uses it with a key to decrypt another Base64-encoded string from the Carbanak C2 protocol. Decryption uses the RC2 cipher in CBC mode through Crypt::CBC, with the IV taken directly from the modified request string. The script prints details of the decoded data, including its length and the decrypted content, for debugging. It thus shows how the malware exchanges encoded strings with its C2 servers and how those strings can be decrypted in real time: it is a Perl script that decrypts files encoded by the adversary with RC2 under a custom key and IV. Its functionality and components:

1. **Initialization**:

  • A random IV (`$iv`) is set manually, but ideally should be generated randomly or derived from the input data for better security.

  • The script uses the `Crypt::CBC` module for creating a CBC mode cipher object with RC2 encryption. The key used here is hardcoded and of length 16 bytes (standard for RC2).

2. **Encryption Process**:

  • Takes an input string (`$reguest`), encrypts it using the initialized CBC cipher, and then encodes the resulting ciphertext using Base64.

  • Various character replacements are made on the base64-encoded string to ensure safe URL usage (replacing slashes with dots, plus signs with hyphens).

3. **URL Construction**:

  • Constructs a URL where the encrypted data is embedded as part of the filename extension (e.g., `iv + base64_data + '.php'`).

4. **Fetching and Decrypting Data**:

  • Fetches the content from the constructed URL using HTTP GET request with `LWP::Simple`.

  • If a file path is provided as an argument (`$ARGV[0]`), the script reads binary data from that file, extracts the IV and encrypted data, and decrypts them back to plaintext with RC2.

5. **Output**:

  • Prints the constructed URL for potential use in command-line executions or scripts that need to fetch encoded data.

  • If decryption is performed on a local file, it prints the decrypted content directly.

6. **Security and Compliance**:

  • The script uses hardcoded keys which can be risky if they are reused or exposed in different contexts. A more secure approach would involve deriving the key securely from a password or other secret value.

  • Handling of untrusted input data is limited, as it directly encrypts whatever `$reguest` holds without sanitizing it for potential malicious inputs.

7. **Miscellaneous**:

  • The script includes comments and sections that are not part of the main functionality (e.g., handling of newline characters in Base64 encoding).

  • It is accompanied by a batch file snippet for detecting Carbanak-infected files on other systems, which can be used for further analysis or response actions.
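The request framing described in the items above, as an added Python example (not the report's Perl script and not the malware's code): Base64 of the RC2-CBC ciphertext with '/' replaced by '.' and '+' by '-', prefixed by the IV and placed in a request path decorated with random segments and a random extension, together with the inverse parser a defender could run over proxy logs. The RC2 layer itself is not implemented; the parser treats the payload as opaque bytes and only checks that it is a whole number of RC2 blocks. The IV position and length (eight leading characters of the file name), the path layout and the sample bytes are assumptions.

```python
"""Framing of Carbanak-style C2 requests: Base64 with URL substitutions,
an IV prefix, random path segments and a random extension.

Added example, not the report's Perl script. The cipher stage (RC2 in CBC
mode under the operators' key) is not implemented; the payload is treated
as opaque bytes and a constructed byte string stands in for ciphertext.
Assumptions: the IV is the 8 leading characters of the file name (RC2 block
size, carried as printable ASCII) and the exact path layout built below.
"""
import base64
import binascii
import random
import string
from urllib.parse import urlsplit

IV_LEN = 8        # assumption: 8-character IV prefix (RC2 block size)
RC2_BLOCK = 8     # RC2-CBC output is always a multiple of the block size
ALPHABET = string.ascii_letters + string.digits


def to_transport(ciphertext):
    """Base64 with the substitutions the report describes: '/'->'.', '+'->'-'."""
    b64 = base64.b64encode(ciphertext).decode("ascii")
    return b64.replace("/", ".").replace("+", "-")


def from_transport(text):
    """Inverse of to_transport; raises binascii.Error when the text is not
    the substituted Base64 alphabet or has an impossible length."""
    return base64.b64decode(text.replace(".", "/").replace("-", "+"), validate=True)


def build_request_path(iv, ciphertext, rng=random):
    """Assemble /<random dir>/<iv><payload>.<random ext>?<random query>.

    The random decoration models the "random strings with various
    extensions" the report mentions; the layout itself is an assumption.
    """
    if len(iv) != IV_LEN:
        raise ValueError(f"iv must be {IV_LEN} characters")

    def rand(n):
        return "".join(rng.choice(ALPHABET) for _ in range(n))

    return (f"/{rand(rng.randint(5, 20))}/{iv}{to_transport(ciphertext)}"
            f".{rand(3)}?{rand(6)}={rand(4)}")


def parse_request_path(path):
    """Recover (iv, ciphertext) from a request path, or None when the path
    does not fit the framing. Usable as a proxy-log heuristic: a benign URL
    rarely yields valid substituted Base64 that is a whole number of RC2
    blocks after an 8-character prefix."""
    filename = urlsplit(path).path.rsplit("/", 1)[-1]
    stem, _, _ext = filename.rpartition(".")   # drop the random extension
    if len(stem) <= IV_LEN:
        return None
    iv, body = stem[:IV_LEN], stem[IV_LEN:]
    try:
        ciphertext = from_transport(body)
    except binascii.Error:
        return None
    if not ciphertext or len(ciphertext) % RC2_BLOCK:
        return None
    return iv, ciphertext


def demo(seed=7):
    """Round-trip a constructed 16-byte stand-in for RC2 output."""
    rng = random.Random(seed)
    iv = "Ab3dEf9h"                      # constructed IV
    fake_ciphertext = bytes(range(16))   # constructed, not real ciphertext
    path = build_request_path(iv, fake_ciphertext, rng)
    return path, parse_request_path(path)


if __name__ == "__main__":
    path, recovered = demo()
    print(path)
    print(recovered)
    print(parse_request_path("/images/logo.png"))   # None: does not fit the framing
```

The substitution rules are taken from the page's description of the script; the exact character stripping the original performs on a captured request is not reproduced here, so the parser is demonstrated on constructed paths only. In a real decoder the recovered `(iv, ciphertext)` pair would be handed to an RC2-CBC implementation with the operators' key.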

This script is designed for data exfiltration and decryption, but it lacks robust security features such as secure key management and input validation, which would be necessary for safe deployment in a production environment.

The report then lists Carbanak command and control (C&C) hosts: IP addresses with dates and comments such as "Victim's logs CnC" or "Linux CnC", indicating that the address was involved in communication between the malware and an external server during the infection. Each entry records the MD5 hash of the detection, the system type, a comment and the associated domain name. The addresses come from different dates and contexts, all linked to Carbanak or related activity, and form part of a larger set of Indicators of Compromise (IOCs) that analysts can use to track the origins and behaviour patterns of the malware. The metadata includes the operating system (Windows or Linux) and the connection type (backconnect) observed in victims' logs; many entries refer to the C&C of other malware seen in a victim's logs, indicating that Carbanak was deployed after an initial infection with something else. The contact email at the end of each page shows that the data comes from Kaspersky Lab's report.
The entries include the date of observation, the system on which they were found and their role in relation to the malware. Most relate to victims' logs or internet scans, recording communication points between infected systems and the command-and-control (CnC) servers used by Carbanak. The TLP: White marking means the information may be shared publicly under a transparency sharing policy, with responsible use encouraged; inquiries go to intelreports@kaspersky.com. Some entries name specific samples, for example "Carbanak's F66992766D8F9204551B3C42336B4F6D", referring to a particular build of the malware. The final entry in that section is truncated to "adgua" in the extracted text.

A further list covers the C&C servers used by Carbanak in July and December 2014, primarily Linux systems, with associated domains including ropax.biz, eelu.biz, glonass-map.com and mind-finder.com, the system type (Linux) and related comments from logs of Carbanak's operations. Together these lists describe the network infrastructure Carbanak used to manage and control infected systems during 2014.

The remaining IOC sections of the report, which Kaspersky Lab describes as covering one of the most sophisticated and persistent financial malware families targeting banks since at least 2013, contain:

1. **IP addresses and domains:** Addresses used by Carbanak in specific time frames, such as 131.72.138.18, 91.194.254.94 and 146.185.220.200, and domains ranging from generic-sounding names to specific ones such as financialnewsonline.pw and worldnewsonline.pw.

2. **Malware samples:** Attachments from Carbanak spear phishing emails, identified by MD5 checksums such as a1979aa159e0c54212122fd8acb24383 and 4afafa81731f8f02ba1b58073b47abdf, all belonging to the Carbanak family.

3. **Email details:** Attachment names, their MD5 checksums and the dates they were sent; for example, the attachment "Соответствие ФЗ-115 от 24.06.2014г.doc" delivered an executable whose MD5 matched a known Carbanak sample.

4. **C2 servers:** Domains and IP addresses used to control the malware, such as update-java.net and financialnewsonline.pw.

5. **Contact:** The section closes with the TLP: White marking and the contact address intelreports@kaspersky.com for further information about the operation.

These appendices show how the Carbanak operators distribute their malware through spear phishing and which infrastructure they rely on to communicate with and control it inside victim systems. The final entries record:

1. **File Details:**

  • **Name:** Анкета- Заявление.doc, Соответствие ФЗ- 115 от 21.07.2014г.doc, Соответствие ФЗ- 115 от 02.07.2014г..doc, Приглашение.msg, Приглашение.doc

  • **MD5 Hashes:** Various MD5 hashes are provided for each file type, indicating the malware strain (Carbanak) associated with them.

  • **Compiled Dates:** Specific dates when the files were compiled, such as "Tue Apr 08 05:44:12 2014" and "Fri Aug 08 00:48:07 2014."

2. **C2 Details:**

  • **Servers:** Public IP addresses or domains like worldnewsonline.pw, worldnews24.pw, public-dns.us, datsun-auto.com

  • **Keys:** Specific keys used for C2 (Command and Control) communication are provided, such as "1234567812345678" and "vfDGbiwmiqdN6E2N."

  • **Protocols:** RDP (Remote Desktop Protocol) is mentioned with IP addresses like 185.10.56.59, 37.235.54.48, and others.

3. **HTTP/GET Requests:**

  • Specific URLs whose paths consist of random-looking segments and file names with extensions such as ".5..." and ".bml", for example:

```
/cBAWFvkXi94QxShRTaVVn/YzAxD/X0sZEud.5gNItbvozI3tqT5ly9UYLVii13.bml?tlxCFiBusj=2OVj&9GP=a5houGz&K.F=T&l0.7FBN75=nMPDrlGXq4s7cIAQ0Cl662IwVjxvsiTOlG0d0pd
```

  • These requests are made to the domain "datsun-auto.com".

4. **TLP (Traffic Light Protocol):**

  • The TLP is mentioned as "White," indicating that this activity can be shared publicly without compromising sensitive information.

5. **Contact Information:**

  • For any inquiries, contact intelreports@kaspersky.com (in the extracted text the address appears with "35" or "36" appended; these are page numbers fused onto it).
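
As an added, defender-side illustration (this code is not part of the Kaspersky report or of the original post), the following Python script matches the indicators quoted in the entries above, the C2 domains and IPs, the RDP hosts and the two MD5 sums, against a few constructed log lines and, as a separate lower-confidence check, flags URLs that share the shape of the GET request shown in item 3. The log format, the PROXY/FW/FILE line types and the beacon-shape heuristic are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Indicators quoted in the report summary above (Carbanak C2 domains, C2 and RDP IPs,
# and two sample MD5 sums).
C2_DOMAINS = {
    "datsun-auto.com", "worldnewsonline.pw", "worldnews24.pw", "public-dns.us",
    "update-java.net", "financialnewsonline.pw",
}
C2_IPS = {"131.72.138.18", "91.194.254.94", "146.185.220.200"}
RDP_IPS = {"185.10.56.59", "37.235.54.48"}
KNOWN_MD5 = {"a1979aa159e0c54212122fd8acb24383", "4afafa81731f8f02ba1b58073b47abdf"}

# Beacon-shape heuristic (an assumption for this example, not a published signature):
# the GET request quoted above has two or more random alphanumeric directory names,
# a file name with several dotted suffixes (".5...", ".bml") and a query string of
# at least three random key=value pairs whose keys and values are plain tokens.
BEACON_PATH = re.compile(r"^(?:/[A-Za-z0-9]{3,}){2,}/[A-Za-z0-9]+(?:\.[A-Za-z0-9]+){2,}$")
TOKEN = re.compile(r"^[A-Za-z0-9.]+$")


def host_is_c2(host):
    """Exact or subdomain match against the listed C2 domains, or a listed C2 IP."""
    host = host.lower().rstrip(".")
    return host in C2_IPS or any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def looks_like_beacon(url):
    """True when the URL has the Carbanak-style GET shape described above."""
    parts = urlsplit(url)
    if not BEACON_PATH.match(parts.path):
        return False
    params = parse_qsl(parts.query, keep_blank_values=True)
    if len(params) < 3:
        return False
    # Random keys/values are plain alphanumerics with optional dots; percent-encoding,
    # dashes or underscores point to an ordinary web application instead.
    return all(TOKEN.match(k) and (v == "" or TOKEN.match(v)) for k, v in params)


def scan(log_text):
    """Return (line_number, severity, reason) for every line that matches an indicator."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        f = line.split()
        if len(f) < 5:
            continue
        kind = f[1]
        if kind == "PROXY":            # <ts> PROXY <src> <method> <url> <status>
            url = f[4]
            host = urlsplit(url).hostname or ""
            if host_is_c2(host):
                alerts.append((n, "high", f"request to listed Carbanak C2 host {host}"))
            elif looks_like_beacon(url):
                alerts.append((n, "medium", f"Carbanak-style beacon URL shape to {host}"))
        elif kind == "FW":             # <ts> FW <src> -> <dst>:<port> <proto>
            dst_ip, _, dst_port = f[4].rpartition(":")
            if dst_ip in RDP_IPS or dst_ip in C2_IPS:
                alerts.append((n, "high", f"connection to listed Carbanak host {dst_ip}:{dst_port}"))
        elif kind == "FILE":           # <ts> FILE <host> <path> md5=<hash>
            for tok in f[3:]:
                if tok.startswith("md5=") and tok[4:].lower() in KNOWN_MD5:
                    alerts.append((n, "high", f"file hash matches Carbanak sample {tok[4:]}"))
    return alerts


# Constructed sample log (not real telemetry): the quoted GET request, a benign request,
# a beacon-shaped request to an unlisted host, an RDP connection to a listed host, a
# benign connection, a file matching a listed hash and one that does not.
SAMPLE_LOG = """\
2014-08-08T10:12:03Z PROXY 10.1.2.3 GET http://datsun-auto.com/cBAWFvkXi94QxShRTaVVn/YzAxD/X0sZEud.5gNItbvozI3tqT5ly9UYLVii13.bml?tlxCFiBusj=2OVj&9GP=a5houGz&K.F=T&l0.7FBN75=nMPDrlGXq4s7cIAQ0Cl662IwVjxvsiTOlG0d0pd 200
2014-08-08T10:12:05Z PROXY 10.1.2.3 GET http://www.example.com/news/index.html?page=2 200
2014-08-08T10:13:44Z PROXY 10.1.2.9 GET http://cdn.example.net/AbCdEf/GhIjKl/MnOp.1Qr.bml?a1B=x&c2D=y&e3F=z 404
2014-08-08T10:15:00Z FW 10.1.2.3 -> 185.10.56.59:3389 TCP
2014-08-08T10:15:01Z FW 10.1.2.3 -> 203.0.113.10:443 TCP
2014-08-08T10:16:30Z FILE WS-0042 C:\\Users\\user\\Downloads\\form.doc md5=a1979aa159e0c54212122fd8acb24383
2014-08-08T10:16:31Z FILE WS-0042 C:\\Users\\user\\Downloads\\notes.txt md5=d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    for line_no, severity, reason in scan(SAMPLE_LOG):
        print(f"line {line_no}: [{severity}] {reason}")
```

Host, IP and hash matches are exact and rated high; the beacon-shape match is rated medium because it is only a hunting lead (the third sample line fires on an unlisted host) and should be reviewed against the proxy's full history for that client before it is acted on.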

These entries cover the main aspects of the threat: the malware samples, the command and control communications, and the file types used in the attacks. Carbanak is a cyber-espionage group known for sophisticated, targeted attacks against financial institutions. The samples listed are part of the malware used by this group, each hash identifying a distinct variant or strain; the hashes can be used to identify and analyse the specific versions of Carbanak deployed in attacks against banks and other organisations.

The remaining pages of the Kaspersky Lab report consist of further hexadecimal sequences, which are hashes, cryptographic keys or similar identifiers used in the analysis. The "TLP: White" notice at the beginning marks the information as public, not for commercial use, and safe to share with general audiences without compromising sensitive data. The address intelreports@kaspersky.com is given for inquiries about the report (in the extracted text it appears as "intelreports@kaspersky.com37" and "intelreports@kaspersky.com38", the trailing digits being page numbers fused onto the address). The report also lists Kaspersky Lab's online resources, including its global website, the B2C (business-to-consumer) blog and the B2B (business-to-business) blog, which share technical research, analysis and thought leadership in cybersecurity.

In summary, this material is part of a larger body of work on digital security and cyber threats published by Kaspersky Lab's Securelist, intended for public consumption, with contact details for those who want to learn more. Kaspersky Lab is a cybersecurity company offering services that include security news and research; the closing page of the report lists the platforms where its technical research, analysis and expert insights can be found, together with contact details for the company:

  • Securelist: A resource for Kaspersky Lab experts' technical research, data breaches, and threat analyses.

  • Eugene Kaspersky Blog: Personal blog by the CEO providing his thoughts on cybersecurity matters.

  • Daily Kaspersky Lab B2C Blog: Informative blog targeted at consumers.

  • Kaspersky Lab B2B Blog: Offers insights for businesses in the digital security space.

  • Kaspersky Lab security news service and Kaspersky Lab Academy: Educational resources to enhance cybersecurity awareness and knowledge.

  • Contact information is provided for inquiries, including a phone number (+7-495-797-8700) and fax number (+7-495-797-8709), as well as an address in Moscow, Russia.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
