Ties to the Citadel banking trojan network also discovered

Jul 19, 2016 15:40 GMT  ·  By

An investigation into the Carbanak cyber-gang by journalist Brian Krebs and security researcher Ron Guilmette has uncovered evidence that points a big blinking neon arrow at a Russia-based cyber-security firm and its CEO, a 28-year-old Russian named Artem Tveritinov.

Carbanak is the name of a criminal group that used the Carbanak malware to steal around $1 billion from banks around the globe last year, according to a Kaspersky investigation, and that has returned with new attacks during the last few months.

Analysis of Whois records yields first clues

Guilmette says he studied the Whois records of the domains used to send the spam that delivered the Carbanak malware, which he found in the reports of various security firms.

He discovered that many of these domains were registered using the [email protected] email address, under the name of Chinese company Xicheng Co., which listed two phone numbers, 1066569215 and 1066549216, with either a Chinese or a US international prefix.

Another security firm, ThreatConnect, continued Guilmette's research and identified at least 484 domains tied to the same email address, or to 26 other email addresses that listed the same phone numbers or the same Chinese company name.

ThreatConnect said that 304 of these 484 domain names had been used to distribute malicious content as part of the Carbanak attacks.
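The registrant pivot described above (one email address, then the phone numbers and company name it shares, then the other emails carrying those) as an added example that is not part of the article or of either researcher's tooling. The Whois records below are constructed, with placeholder domains and emails; the phone numbers and company name are the ones the article says the records shared, and the fan-out cap is an assumption added so that a value shared by hundreds of unrelated domains (a reseller or privacy proxy) does not link everything.

```python
from collections import deque

# Constructed sample Whois records (placeholder domains and emails); the phone
# numbers and company name are the ones the article says the records shared.
WHOIS_RECORDS = [
    {"domain": "spam-a.test", "email": "seed@example.test", "phone": "1066569215", "org": "Xicheng Co."},
    {"domain": "spam-b.test", "email": "seed@example.test", "phone": "1066549216", "org": "Xicheng Co."},
    {"domain": "spam-c.test", "email": "other1@example.test", "phone": "1066569215", "org": ""},
    {"domain": "spam-d.test", "email": "other2@example.test", "phone": "", "org": "xicheng co."},
    {"domain": "host-e.test", "email": "other2@example.test", "phone": "5550100", "org": "Another Org"},
    {"domain": "unrelated.test", "email": "someone@example.test", "phone": "5550199", "org": "Unrelated Ltd"},
    {"domain": "proxy-f.test", "email": "REDACTED FOR PRIVACY", "phone": "", "org": ""},
]

PIVOT_ATTRS = ("email", "phone", "org")
# Values that link nothing: blank fields and privacy-proxy placeholders.
NOISY_VALUES = {"", "n/a", "redacted for privacy"}


def build_index(records):
    """Map each (attribute, normalised value) to the set of domains carrying it."""
    index = {}
    for rec in records:
        for attr in PIVOT_ATTRS:
            value = rec[attr].strip().lower()
            if value not in NOISY_VALUES:
                index.setdefault((attr, value), set()).add(rec["domain"])
    return index


def pivot(records, seed_attr, seed_value, max_fanout=50):
    """Breadth-first pivot: start from one registrant attribute, collect every
    domain sharing it, then expand through those domains' other attributes.
    An attribute shared by more than max_fanout domains is not expanded (assumed
    cap): a value that common is a reseller or proxy, not evidence of a link.
    Returns (domains, links); links[domain] is the attribute that pulled it in."""
    index = build_index(records)
    by_domain = {rec["domain"]: rec for rec in records}
    start = (seed_attr, seed_value.strip().lower())
    seen, queue, domains, links = {start}, deque([start]), set(), {}
    while queue:
        key = queue.popleft()
        members = index.get(key, set())
        if len(members) > max_fanout:
            continue
        for domain in members:
            if domain not in domains:
                domains.add(domain)
                links[domain] = key
            for attr in PIVOT_ATTRS:
                nxt = (attr, by_domain[domain][attr].strip().lower())
                if nxt[1] not in NOISY_VALUES and nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    return domains, links
```

Starting from the seed email, the pivot reaches the two domains registered with it, then a third through the shared phone number, a fourth through the company name, and a fifth through the second email address found on that fourth domain; the unrelated and privacy-proxied records stay out of the cluster.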

Domains lead to Cubehost, which leads investigators to Infocube

Among the domains that featured the two phone numbers was the domain of Cubehost.biz, a Web hosting company that Krebs says is the sister company of Infocube (or Infokube), a Russia-based cyber-security firm.

During an email and phone exchange with Tveritinov, the CEO of Infocube, the executive denied any ties to Cubehost.biz.

Krebs' investigation did not stop after these conversations, though, and he pointed out on his blog today that both Infocube and Cubehost domains run on the same block of IP addresses, assigned to a person named Ras al Khaimah, who lists [email protected] as an email address for abuse reports.

Citadel and Carbanak attacks might be related

Many of the domain names used in Carbanak operations were hosted on this IP block. Guilmette completed Krebs' discovery by pointing out that this same block also hosted domains employed in the Citadel banking trojan infrastructure.

Curiously, these Citadel domains were also registered under the name of the aforementioned Chinese company, Xicheng Co.

"If Mr. Tveritinov, has either knowledge of, or direct involvement in even a fraction of the criminal goings-on within his address block, then the possibility that he may perhaps also have a role in other and additional criminal enterprises… including perhaps even the Carbanak cyber banking heists… becomes all the more plausible and probable," Guilmette told Krebs.