OSINT - CARBANAK GROUP USES GOOGLE FOR MALWARE COMMAND-AND-CONTROL

Severity: Low
Published: Tue Jan 17 2017 (01/17/2017, 00:00:00 UTC)
Source: CIRCL
Vendor/Project: misp-galaxy
Product: threat-actor

AI-Powered Analysis

Last updated: 07/02/2025, 17:57:50 UTC

Technical Analysis

The Carbanak group, also known as Anunak, is a financially motivated cybercriminal threat actor known for sophisticated attacks primarily targeting financial institutions. According to open-source intelligence (OSINT) reported by CIRCL in early 2017, Carbanak has employed an unconventional technique for its malware command-and-control (C2) infrastructure by leveraging Google services. This approach involves using legitimate Google platforms to relay commands and control malware, thereby evading traditional detection mechanisms that rely on identifying suspicious or malicious network traffic. By embedding C2 communications within Google services, Carbanak's malware can blend into normal network activity, making it more difficult for defenders to detect and block. This method also benefits from the high availability and global reach of Google's infrastructure, ensuring reliable communication channels for the attackers. Although the severity is reported as low and no known exploits in the wild were documented at the time, the use of trusted cloud services for C2 represents a notable evolution in attacker tactics, complicating threat detection and response efforts.

Potential Impact

For European organizations, particularly those in the financial sector, the use of Google services for malware C2 by Carbanak poses a stealthy threat that can lead to prolonged undetected intrusions. The blending of malicious traffic with legitimate Google traffic can reduce the effectiveness of traditional network monitoring and intrusion detection systems, increasing the risk of data exfiltration, financial theft, and disruption of critical services. Given the financial motivation of the group, banks, payment processors, and financial service providers in Europe could face significant monetary losses and reputational damage. Additionally, the use of widely trusted cloud services complicates incident response and forensic investigations, potentially delaying remediation and increasing the window of opportunity for attackers to achieve their objectives.

Mitigation Recommendations

European organizations should implement advanced network traffic analysis capable of distinguishing anomalous patterns within legitimate cloud service usage, including Google services. Deploying behavioral analytics and machine learning-based detection can help identify unusual command-and-control communications embedded in normal traffic. Organizations should enforce strict egress filtering and monitor DNS queries and HTTP/S traffic for irregularities, even when communicating with trusted domains. Endpoint detection and response (EDR) solutions should be configured to detect suspicious processes and lateral movement indicative of Carbanak-style intrusions. Regular threat intelligence updates and sharing within financial sector Information Sharing and Analysis Centers (ISACs) can improve awareness of evolving tactics. Finally, multi-factor authentication, least privilege access controls, and timely patching of vulnerabilities remain critical to reduce initial infection vectors and limit attacker persistence.

Technical Details

Threat Level: 3
Analysis: 0
Original Timestamp: 1484683974

Threat ID: 682acdbdbbaf20d303f0b92e

Added to database: 5/19/2025, 6:20:45 AM

Last enriched: 7/2/2025, 5:57:50 PM

Last updated: 7/5/2025, 8:34:16 AM

Views: 4
