Malware Masquerade: HubSpot, Veeam, Xero – Carbanak Lures Victims with Trust


According to the monthly threat analysis by NCC Group, the banking malware Carbanak, known since 2014, has updated its methods and is now actively used in ransomware attacks. Experts report that in November 2023, the malware resurfaced with new distribution techniques, particularly through compromised websites masquerading as popular business software like HubSpot, Veeam, and Xero.

Carbanak malware, previously utilized for stealing banking data, is now employed by the cybercriminal group FIN7 for remote control of infected systems and data extraction. In the latest chain of attacks documented by the NCC Group, hacked websites are designed to host installers disguised as legitimate utilities, initiating the deployment of Carbanak.

NCC Group’s data indicates that in November, the global level of ransomware attacks increased by 30% – 442 attacks were recorded, a significant rise from 341 incidents in October. A total of 4,276 cases have been documented this year, 1,000 fewer than in 2021 and 2022 (5,198 cases).

The main targets of these attacks were the industrial sector (33%), consumer goods (18%), and healthcare (11%). Most attacks were concentrated in North America (50%), Europe (30%), and Asia (10%). Among the most common ransomware families were ALPHV and Play, which accounted for 47% (206) of the 442 attacks.

Following the FBI’s seizure of ALPHV’s infrastructure, its impact on future cyber threats remains uncertain. NCC Group noted that by the end of the year, the total number of attacks exceeded 4,000, significantly more than in 2021 and 2022, and it will be interesting to observe whether the number of ransomware attacks will continue to grow in the coming year.