Carbanak gang
Recent attacks have also affected an unspecified banking chain, indicating that the cybergang may be shifting its focus from targeting hospitality to the finance industry iStock

The infamous Carbanak Gang has resurfaced with renewed vigour. The cybergang, which first made headlines after pulling off a billion dollar cyberheist in 2015, is now going after the global hospitality industry. Security researchers have uncovered a new active and ongoing campaign, which is aimed at harvesting credit card and other personal and sensitive data of customers of the hospitality industry across the globe.

Security firm TrustWave's global director of incident response, Brian Hussey told IBTimes UK that the Carbanak Gang is using a new, customised variant of its original malware to conduct cyberattacks. Although Hussey refrained from mentioning the names of the organisations already affected by the ongoing campaign, he confirmed that the attacks have grown in proportion since they were first detected in October.

Since first launching the attack campaign, the cybergang has escalated its geolocation focus, casting a wider net. Explaining some of the latest developments of the ongoing attacks, Hussey said: "We have seen some new command and control servers and some new malware hashes. However, the most significant change is that this attack is now hitting European, Asian, and Australian targets when it was previously limited to North America."

Upgraded and multifaceted Carbanak malware

TrustWave's investigation into the fresh attacks revealed that the Carbanak Gang's upgraded malware contains highly sophisticated APT-malware like features, which include advanced security-detecting aspects. According to Hussey, the upgraded Carbanak malware is an amalgamation of older versions of the malware previously used by the hacker group.

The malware's codes come with security checks, specifically designed to stop reverse engineering. These features were specifically added to prevent analysis of the malware's infrastructure. The malware was also found to use encryption, in efforts to further protect it from being evaluated by security experts.

The "multifaceted" aspects of the malware make it stand out from other run-of-the-mill POS (point-of-sale) malware. According to Hussey, the network reconnaissance features of the malware are not unlike those seen in cyberespionage attacks. The diversity of the malware points to the possibility of the threat actors using it against other forms of cyberattacks in the future.

Links to organised crime

According to Hussey, the Carbanak Gang is currently one of the most sophisticated and the "best" of its kind. In addition to creating customised cyber tools to launch effective attacks, the hacker group also does extensive background research on its victims. Hussey said the attacks indicate that the group's research into specific targets involve checking LinkedIn and other social media accounts, to bolster their social engineering attack tactics. The cybergang's level of sophistication likely points to links with underground cybercrime syndicates.

"I think this is highly likely," Hussey said, when asked about Carbanak Gang's possible links to organised crime. He added: "Organised crime syndicates have long been controlling major cybercrime rings. When a sub-economy controls billions of dollars, you can guarantee organised crime will play a role."

Recent attacks have also affected an unspecified banking chain, indicating that the cybergang may be shifting its focus from targeting the hospitality industry to the financial. Given that the group's attacks are currently ongoing, it is likely that further attacks on global targets can be expected.