In an interesting turn of events, a C&C used in the Carbanak targeted attack campaign now resolves to an IP linked to the Russian Federal Security Service (FSB).
Yesterday, while checking the indicator of compromise (IOC) data from the Carbanak report, when I noticed that the domain name systemsvc.net (which was identified as a C&C server in the report) now resolves to the IP address 126.96.36.199. When I checked for related information, I found that the said IP is under ASN AS8342 RTCOMM-AS OJSC RTComm.RU and its identified location is Moscow City – Moscow – Federal Security Service Of Russian Federation.
Figure 1. Information on systemsvc.net
For those who are not familiar, Carbanak is a targeted attack campaign that hit banks and financial organizations earlier this year. Based on reports, it employed methods and techniques such as spear phishing email and exploits, commonly seen in targeted attacks. Accordingly, attackers did intelligence gathering about their target networks in order to infiltrate it.
I checked for other interesting details in the other IOCs but didn’t find anything related to this particular anomaly. I still do not know why it happened; I do not really think that FSB Russia would point the Carbanak-related domain name to an IP address which is affiliated with Russian Federal Security Service. It is also possible that the owner of the domain had done this as a prank.
A reverse lookup on the IP addresses revealed that there are several other domains resolving to it apart from systemsvc.net.
Figure 2. Other domains resolving to the FSB Russia
We will monitor this further and post updates when they’re available.