FSB website also points to the same IP address

May 23, 2015 10:23 GMT

The IP address for a command and control (C&C) server employed by Carbanak, an advanced piece of malware used in attacks targeting financial institutions directly, now resolves to a domain that appears to be owned by the Russian Security Service (FSB), researchers found.

In February, security researchers at Kaspersky published a report on the activity of Carbanak, saying that it was used in sophisticated operations against banks across the world, including in countries like Russia, Switzerland, the UK, Norway, France, the US, Germany, China and Ukraine.

Each robbery took at least two months (in some cases as many as four) to complete and resulted in losses of between $2.5 / €2.3 million and $10 / €9 million. The group is believed to have claimed up to 100 victims, robbing them of about $1 billion / €908 million in total.

Carbanak C&C resolves to FSB IP

Reviewing Carbanak’s indicators of compromise this week, Trend Micro Senior Threat Researcher Maxim Goncharov found that one domain (systemsvc.net) acting as a C&C server for the malware resolved to an IP address (213.24.76.23) for a machine located in Moscow.

Based on publicly available information for the domain, the server is managed by the Federal Security Service of the Russian Federation (the former KGB).

The institution is charged with responsibilities ranging from counter-intelligence to counter-terrorism, surveillance and internal and border security. Its activity is overseen by the president of the Russian Federation.

It may be a joke or a slip-up

The researcher did a reverse IP look-up and found that four other domains pointed to the same IP address, including FSB.ru, the official website for the Russian Security Service.

“I do not really think that FSB Russia would point the Carbanak-related domain name to an IP address which is affiliated with Russian Federal Security Service. It is also possible that the owner of the domain had done this as a prank,” Goncharov says in a blog post on Friday.

According to Kaspersky, the Carbanak group is a multinational gang with members from Russia, Ukraine, China and some European countries.
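The two checks described above, resolving an old C&C domain and then doing a reverse lookup on the resulting IP, are routine when re-validating indicators months after a campaign. The script below is an added example written for this article; it is not code from Trend Micro, Kaspersky or the researcher. It runs offline over a constructed passive-DNS style record set: the domains systemsvc.net and fsb.ru and the IP 213.24.76.23 come from the article, while the earlier IP (from the TEST-NET-3 range) and the other domain names are placeholders. The point it makes for a defender is that a domain IoC that has been re-pointed since the campaign, onto an IP shared with known-good sites, should not be converted into an IP block.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style records: (domain, ip, first_seen, last_seen).
# "systemsvc.net", "fsb.ru" and 213.24.76.23 are from the article; the
# earlier IP (TEST-NET-3 range) and the other domains are placeholders.
RECORDS = [
    ("systemsvc.net", "203.0.113.10", date(2014, 8, 1), date(2015, 1, 30)),
    ("systemsvc.net", "213.24.76.23", date(2015, 5, 18), date(2015, 5, 22)),
    ("fsb.ru", "213.24.76.23", date(2013, 1, 1), date(2015, 5, 22)),
    ("placeholder-a.example", "213.24.76.23", date(2014, 3, 3), date(2015, 5, 22)),
    ("placeholder-b.example", "213.24.76.23", date(2014, 3, 3), date(2015, 5, 22)),
    ("unrelated.example", "198.51.100.7", date(2014, 1, 1), date(2015, 5, 22)),
]


def reverse_index(records):
    """Map each IP to the set of domains that have resolved to it."""
    idx = defaultdict(set)
    for domain, ip, _first, _last in records:
        idx[ip].add(domain)
    return idx


def cohosted(records, ip):
    """Reverse IP lookup: every domain seen on the given IP, sorted."""
    return sorted(reverse_index(records).get(ip, set()))


def resolution_history(records, domain):
    """All (ip, first_seen, last_seen) rows for a domain, oldest first."""
    rows = [(ip, first, last) for d, ip, first, last in records if d == domain]
    return sorted(rows, key=lambda r: r[1])


def current_ip(records, domain):
    """IP from the most recently observed resolution, or None if unknown."""
    hist = resolution_history(records, domain)
    if not hist:
        return None
    return max(hist, key=lambda r: r[2])[0]


def assess_ioc(records, domain, campaign_end, known_good=()):
    """Decide whether a domain IoC can safely be turned into an IP IoC.

    campaign_end: last date on which the domain was known to be under
    attacker control; resolutions first seen after it may be a re-point
    by a new registrant, a sinkhole, or a prank, as the article suggests.
    known_good: domains whose presence on the IP signals shared or
    legitimate infrastructure (constructed list, supplied by the caller).
    """
    campaign_ips = {ip for ip, first, _ in resolution_history(records, domain)
                    if first <= campaign_end}
    now_ip = current_ip(records, domain)
    neighbours = cohosted(records, now_ip) if now_ip else []
    collisions = sorted(set(neighbours) & set(known_good))
    return {
        "domain": domain,
        "current_ip": now_ip,
        "campaign_ips": sorted(campaign_ips),
        "repointed": now_ip is not None and now_ip not in campaign_ips,
        "cohosted": [d for d in neighbours if d != domain],
        "known_good_collisions": collisions,
        "safe_to_block_ip": (now_ip is not None and now_ip in campaign_ips
                             and not collisions),
    }


if __name__ == "__main__":
    verdict = assess_ioc(RECORDS, "systemsvc.net", date(2015, 2, 28),
                         known_good=("fsb.ru",))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

With the constructed data, `assess_ioc` reports that systemsvc.net now resolves to an IP it never used during the campaign window, that fsb.ru sits on the same address, and therefore that the IP is not safe to block; only the domain itself remains a usable indicator. With real data, the `RECORDS` list would be populated from a passive-DNS source rather than hard-coded.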

[Image: Whois data for systemsvc.net]

[Image: Reverse IP lookup on 213.24.76.23]