Pierluigi Paganini May 04, 2017

The notorious cyber crime gang Carbanak is back and it is continuing to refine its techniques and tactics and developed new tools for its attacks.

The cyber crime gang Carbanak continues to refine its techniques and tactics. According to a new analysis conducted by the security firm Trustwave,  the group has refined its intrusion strategy and developed new tools for its arsenal.

The Carbanak gang was first discovered by Kaspersky Lab in 2015. the group has stolen at least $300 million from 100 financial institutions.

In early 2016, the Carbanak gang target banks and financial institutions, mainly in the US and the Middle East.

In November last year, experts at Trustwave uncovered a new campaign launched by the group targeting organizations in the hospitality sector.

In January, the Carbanak gang started using Google services for command and control (C&C) communication.

The crooks used the “ggldr” script to send and receive commands to and from Google Apps Script, Google Sheets, and Google Forms services.

Hackers used to create a unique Google Sheets spreadsheet for each infected user, in this way they attempted to avoid detection.

Back to the present, researchers at Trustwave observed the group using new social engineering techniques. The hackers are sending a malicious Word or RTF document to employees of organizations in the hospitality sector, and then call to ask whether the document was opened and would follow up with another call after 30 minutes.

The actors claim that the sender faced problems with the online ordering system, or that the document referred to a lawsuit caused by a member of the group getting sick after having a meal at one of the targeted organization’s restaurants.

“This social engineering scam is augmented with a personal phone call from the attacker, encouraging the intended victim to open the email attachment and click inside it. The attacker then calls back 30 minutes later to check if the document was opened and hangs up as soon as the employee says yes.” reads the analysis from Trustwave.

The researchers analyzed one of the infected RTF documents used by the hackers that dropped two VBS and one PS1 file onto the targeted system. The malware gain persistence by using scheduled task to run the main malware file every 25 minutes.

The researchers also observed the C&C malware creator script dropping additional malware and support files in a different folder, including another PS1 file, four more VBS scripts, and INI and TXT files.

The experts discovered that the INI file was used to issue commands to the compromised machine and to reflect the status of previous commands.

“The INI processing script parses and processes the contents of the INI file, providing the following commands:”

• Screenshot (save screenshot as screenshot.png)
• Runvbs
• Runexe
• Runps
• Update
• Delete

Below the information sent by the malware back to the C&C:

• OS Name, Version,   Service Pack,   OS Manufacturer,   Windows Directory,   Locale
• Available Physical Memory, Total Virtual Memory,   Available Virtual Memory
• OS Name, System Name,   System Manufacturer,   System Model,   Time Zone
• Total Physical Memory, Processor System Type,   Processor,   BIOS Version
• Microsoft Office Apps, Computer name,   Domain,   User name

The attackers no longer used user accounts and passwords for lateral movement. Instead, the malware would bypass authentication on the remote system and use SMB commands to locate vulnerable hosts and compromise them.

Unlike previous campaigns, where Carbanak hackers leveraged Mimikatz or some other credential stealer for lateral movement, the malware bypasses authentication on the remote system and uses SMB commands (including TreeConnect and Open/Write AndX) to locate a vulnerable host.

“Instead, the malware bypasses authentication on the remote system and uses SMB commands (including TreeConnect and Open/Write AndX) to locate a vulnerable host by checking the ability to write data to the C:\Windows\Temp folder on a potential victim system.” reads the analysis.

Trustwave also reported that the Carbanak malware authors used several techniques to hide the activity of the malicious code.

Below a list of useful suggestions provided by Trustwave experts to organizations that need to protect their systems from Carbanak attacks.

• Regular security awareness training for all employees, paying particular attention to spear phishing.
• Spear phishing exercises where employees are sent a ‘phishing’ email that points to a site controlled by IT (Trustwave SpiderLabs also offers this service).
• An email server or appliance that can assist with malware detection, such as scanning incoming email attachments for base64 strings.
• Macros disabled by default on all Office applications (although a user can still re-enable them).
• A SIEM or other log-and-event aggregation system that allows aggregated network traffic to be examined by an expert security team before, during, and after an attack.
• Ensuring that IDS rules are able to detect metasploit modules.
• Threat intelligence driven software restriction policies, such as preventing program execution from C:\Windows\Temp.
• Whitelist PowerShell scripts and VBS scripts used by the organization and blacklist all others.
• Continuous DNS monitoring with threshold alerts for systems issuing excessive DNS queries in a given period of time.
• Restrict DNS traffic so that internal systems are only able to query your DNS servers.

Pierluigi Paganini

(Security Affairs –  cybercrime, Carbanak cybergang)

[adrotate banner=”5″]

[adrotate banner=”13″]