Posted: 2 Min ReadThreat Intelligence

Carbanak cybercrime gang focuses on banks rather than their customers

Gang has stolen millions from up to 100 banks and other financial institutions in multiple countries.

Symantec has been tracking the activities of the Carbanak cybercrime group for some time and our customers are protected against the malware used by this group. Carbanak, which has been the subject of media reports over the past 24 hours, is an atypical financial crime group, focused on defrauding banks rather than their customers.  

Symantec calls the group Silicon, but other vendors refer to it as Carbanak or Anunak. The main piece of malware that has recently been used by the group is Trojan.Carberp.B, which contains code borrowed from the older Trojan.Carberp. The group is believed to have targeted up to 100 banks and other financial institutions in multiple countries. The exact amount stolen by the Carbanak group is unknown, but estimates range from tens of millions of US dollars up to $1 billion.

Carbanak is a skilled group of attackers, capable of gaining a foothold on the networks of targeted banks through malware hidden in spear-phishing emails. Once inside, the group patiently and stealthily moves across the network of a bank, gathering intelligence and compromising enough computers until it has the resources and intelligence to launch a successful attack.

Carbanak has employed two main tactics to cash out. In some cases, it has transferred funds to accounts controlled by the attackers and operated by money mules. In other instances, it has compromised ATMs, hijacking them in order to dispense funds to people working for the group.

Carbanak is not the first group to target ATMs. For example, research by Symantec found that attackers using Backdoor.Ploutus.B were able to compromise ATMs and empty them of cash by simply sending an SMS to the ATM.

Financial institutions have been fighting malware for more than ten years, and the financial industry was the most attacked sector with 29 percent of all spear-phishing attacks in January 2015. Attackers who are motivated by financial reward quickly adapt to countermeasures, and many security implementations are ineffective at protecting against advanced attacks. It’s imperative that organizations implement layered security measures to protect against today’s advanced threats and educate employees about security policies and best practices.

Symantec and Norton products have the following detections in place against the malware used by the Carbanak group.


  • Trojan.Carberp
  • Trojan.Carberp.B
  • Trojan.Carberp.B!gm
  • Trojan.Carberp.C

Intrusion prevention system

  • Trojan Carberp Activity
  • Trojan Carberp Activity 2
  • Trojan Carberp Activity 3
  • Trojan Carberp Activity 4
  • Trojan.Carberp.C Activity
  • Trojan.Carberp.C Activity 2

Advice for businesses and consumers
Symantec advises users to be careful when dealing with suspicious emails and to avoid clicking on suspicious links or opening suspicious attachments. It’s also important to keep all software, including security software, up-to-date.

About the Author

Threat Hunter Team


The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.