The cyber crime gang Carbanak continues to refine its techniques and tactics. According to a new analysis conducted by the security firm Trustwave, the group has refined its intrusion strategy and developed new tools for its arsenal.
The Carbanak gang was first discovered by Kaspersky Lab in 2015. the group has stolen at least $300 million from 100 financial institutions.
In November last year, experts at Trustwave uncovered a new campaign launched by the group targeting organizations in the hospitality sector.
In January, the Carbanak gang started using Google services for command and control (C&C) communication.
The crooks used the “ggldr” script to send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services.
Hackers used to create a unique Google Sheets spreadsheet for each infected user, in this way they attempted to avoid detection.
Back to the present, researchers at Trustwave observed the group using new social engineering techniques. The hackers are sending a malicious Word or RTF document to employees of organizations in the hospitality sector, and then call to ask whether the document was opened and would follow up with another call after 30 minutes.
The actors claim that the sender faced problems with the online ordering system, or that the document referred to a lawsuit caused by a member of the group getting sick after having a meal at one of the targeted organization’s restaurants.
“This social engineering scam is augmented with a personal phone call from the attacker, encouraging the intended victim to open the email attachment and click inside it. The attacker then calls back 30 minutes later to check if the document was opened and hangs up as soon as the employee says yes.” reads the analysis from Trustwave.
The researchers analyzed one of the infected RTF documents used by the hackers that dropped two VBS and one PS1 file onto the targeted system. The malware gain persistence by using scheduled task to run the main malware file every 25 minutes.
The researchers also observed the C&C malware creator script dropping additional malware and support files in a different folder, including another PS1 file, four more VBS scripts, and INI and TXT files.
The experts discovered that the INI file was used to issue commands to the compromised machine and to reflect the status of previous commands.
“The INI processing script parses and processes the contents of the INI file, providing the following commands:”
Below the information sent by the malware back to the C&C:
The attackers no longer used user accounts and passwords for lateral movement. Instead, the malware would bypass authentication on the remote system and use SMB commands to locate vulnerable hosts and compromise them.
Unlike previous campaigns, where Carbanak hackers leveraged Mimikatz or some other credential stealer for lateral movement, the malware bypasses authentication on the remote system and uses SMB commands (including TreeConnect and Open/Write AndX) to locate a vulnerable host.
“Instead, the malware bypasses authentication on the remote system and uses SMB commands (including TreeConnect and Open/Write AndX) to locate a vulnerable host by checking the ability to write data to the C:\Windows\Temp folder on a potential victim system.” reads the analysis.
Trustwave also reported that the Carbanak malware authors used several techniques to hide the activity of the malicious code.
Below a list of useful suggestions provided by Trustwave experts to organizations that need to protect their systems from Carbanak attacks.
(Security Affairs – cybercrime, Carbanak cybergang)