Virus Type: Advanced Persistent Threat, Trojan, Malware, APT, ATM, Banking Trojans, spear-phishing, cybercrime
GCMAN is a group that uses APT techniques and legitimate penetration testing tools to infect computer networks and attempt to steal funds by transferring money from financial institutions to e-currency services. The malware was compiled with the help of the GCC compiler, a rarity among malware writers.
The initial infection mechanism is handled by spear-phishing. A financial institution is targeted with e-mails carrying a malicious RAR archive. When the RAR archive is opened an executable is started instead of a Microsoft Word document, resulting in infection. The group also plants a cron script into the bank's server to generate financial transactions at the rate of $200 per minute.
The victims are limited to financial institutions.
You are in a risk group if your organisation falls into the category above. Make sure you are using advanced anti-malware solutions and taking advice from a reliable security company.
Kaspersky Lab products successfully detect and block the malware used by GCMMAN threat actors with the following detection names:
Backdoor.Win32.GCMan; Backdoor.Win64.GCMan; Trojan-Downloader.Win32.GCMan
The company is has also released crucial Indicators of Compromise (IOC) and other data to help organisations search for traces of these attack groups in their corporate networks.
The only way to discover an attempted break in or a successful penetration of the perimeter is to analyse the behaviour patterns and to try to spot an attack by identifying an attacker in a flow of typical corporate network activity.
To be on the safe side make sure you are using advanced anti-malware solutions such as Kaspersky Endpoint Security for Business. Also pay attention to your cybersecurity awareness to make sure that you can identify phishing emails in your email box.
To raise the level of protection, it is recommended that organisations use System Watcher that includes the BSS (Behavior Stream Signatures) module. This is included in all modern products and solutions.
Of course, just offering a multitude of powerful endpoint security layers is not enough. Spear-phishing, one of the most popular techniques for initial infection, makes reliable mail security a must. Kaspersky Security for Mail Servers scans incoming emails for both malicious attachments and URLs, significantly reducing the chances of malware reaching its victims.
GCMAN: How to Steal $200 per minute - Threat Definition