GCMAN is a threat actor group discovered by Kaspersky Lab and announced at the Security Analyst Summit (SAS 2016). The group has carried out Advanced Persistent Threat (APT) style bank robberies comparable to those of two other groups, Metel and Carbanak. The name derives from the group's malware being compiled with the GCC compiler; it uses that malware to infiltrate banking institutions and attempt to transfer money to e-currency services. In the reported case the group planted a cron job on a compromised bank server that fired every minute and initiated a transfer of about $200 to e-currency accounts, which is why the theft rate is quoted as $200 per minute.
Once inside the network, GCMAN moved laterally using legitimate administration and penetration-testing tools such as PuTTY, VNC, and Meterpreter. Decompiled GCMAN malware shows the code responsible for connecting to the command-and-control (C&C) servers that direct the intrusion. The group's activity has raised significant concern in the banking industry, and its methods remain a considerable challenge for defenders.
In response, Kaspersky Lab urges all organizations, especially those in the financial sector, to scan their networks carefully for the presence of Carbanak, Metel, and GCMAN and, if any is detected, to disinfect the affected systems and report the intrusion to law enforcement. Kaspersky Lab states that its products detect and block the malware used by these groups. At the time of the announcement its research team had already responded to three financial institutions in Russia infected with GCMAN malware.
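As an added illustration of the kind of check such a scan would include (this is not code from Kaspersky's report or from any GCMAN sample), the following Python script audits user crontab output for an entry like the one described above: a job that fires every minute, or whose command lives in a scratch or hidden directory. The crontab lines are constructed for the example; the directory list and the every-minute rule are assumptions of this example, not indicators published in the report.

```python
import re
import shlex
import sys
from dataclasses import dataclass, field

# Assumed "scratch" locations a legitimate scheduled job rarely runs from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample of `crontab -l` output; no line comes from a real incident.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=ops@example.test
0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/bin/find /tmp -mtime +1 -delete
* * * * * /var/tmp/.x/transfer 200
30 1 * * 0 /usr/sbin/logrotate /etc/logrotate.conf
@reboot /home/svc/.cache/.bin/httpd
"""


@dataclass
class Finding:
    line_no: int
    entry: str
    reasons: list = field(default_factory=list)


def parse_entry(line):
    """Split a user-crontab line into (schedule_fields, command).

    Returns None for blank lines, comments and VAR=value assignments.
    Special schedules such as @reboot are returned as a one-element list.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
        return None
    if stripped.startswith("@"):
        parts = stripped.split(None, 1)
        return ([parts[0]], parts[1]) if len(parts) == 2 else None
    parts = stripped.split(None, 5)
    if len(parts) < 6:
        return None
    return parts[:5], parts[5]


def runs_every_minute(minute_field):
    """True when the minute field makes the job fire on every minute."""
    return minute_field in ("*", "*/1")


def command_path(command):
    """First token of the command, i.e. the program the job executes."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes; fall back to a plain split
        tokens = command.split()
    return tokens[0] if tokens else ""


def is_suspicious_path(path):
    """Program under a scratch directory, or with a hidden path component."""
    if path.startswith(SUSPICIOUS_DIRS):
        return True
    return any(part.startswith(".") for part in path.split("/") if part)


def audit_crontab(text):
    """Return a Finding for every entry that trips at least one rule."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_entry(line)
        if parsed is None:
            continue
        schedule, command = parsed
        reasons = []
        if runs_every_minute(schedule[0]):
            reasons.append("runs every minute")
        path = command_path(command)
        if is_suspicious_path(path):
            reasons.append(f"program in scratch or hidden location: {path}")
        if reasons:
            findings.append(Finding(no, line.strip(), reasons))
    return findings


if __name__ == "__main__":
    # Pipe `crontab -l` (or `crontab -l -u <user>`) into the script; with no
    # piped input it audits the constructed sample instead.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CRONTAB
    for f in audit_crontab(source):
        print(f"line {f.line_no}: {f.entry}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it per user (root and any service accounts that can reach payment systems) and compare the flagged entries against change tickets; a job that fires every minute and runs from a hidden directory has no routine explanation and should be treated as an incident lead, not tuned away. System crontabs in /etc/crontab and /etc/cron.d carry an extra user field and would need that column skipped before this parser applies.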
Description last updated: 2023-11-29T05:12:16.798Z