The notorious Carbanak cybercrime gang that allegedly stole $1 billion from financial institutions worldwide is now changing strategy and target and it is targeting the hospitality and restaurant industries.
“In the last month Trustwave was engaged by two separate hospitality clients, and one restaurant chain for investigations by an unknown attacker or attackers. The modus operandi for all three investigations were very similar and appear to be a new Carbanak gang attack methodology, focused on the hospitality industry. ” reported Trustwave.
According to security experts at Trustwave, the Carbanak gang in the last week started adopting new techniques and malware. The hackers launched a spear-phishing campaign on people in the industry in the attempt to trick victims into reading emails with malicious macro-laced documents.
In the attacks observed by the security firm, the attacker called the customer contact line saying that they are facing problems using their online services and requested to send their information to the agent via email. The attacker stayed on the line until the agent opened the attachment contained in the email, then he hung up when the victims have opened the malicious message.
“The email attachment was a malicious Word Document that contained an encoded .VBS script capable of stealing system information, desktop screenshots, and to download additional malware.”reads the analysis of the Carbanak attack. “The malicious VB Script will use macros to search for instances of Microsoft Word running on the system, if found, it will clear the existing text and replace it with the following text.”
The hackers first download a malware used as a reconnaissance tool in a first stage of the attack, it is able to download popular hacking tools, including Nmap, FreeRDP, NCat and NPing.
Later it also downloads additional payloads that allow to carry on the next stage of the attack.
The final target is to steal sensitive information and credit card data scraped from the memory of the infected machines, including point-of-sale systems with a recompiled version of the Carbanak malware that is hard to detect.
“This malware may steal credit card data, as well as screen captures, keylogger information, email addresses from the PST file, enable RDP or VNC sessions, or to obtain additional system information.”
This malware establishes a backdoor on the victim’s machine in order to gain full control on it. It communicates via an encrypted tunnel on port 443 with the following IP addresses:
All exfiltrated information is encrypted with base64+RC2 and sent via HTTP POST messages.
The new campaign started about six weeks ago, Trustwave also published a list of fresh IoCs (indicators of compromise) that could help administrators and security experts to detect the threat.
“the persistence, professionalism, and pervasiveness of this campaign is at a level rarely seen by Trustwave. The malware used is very multifaceted and still not caught by most (if any) antivirus engines. The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement is rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient.” reads the conclusion of the Trustwave report.
The fact that a criminal gang like Carbanak is changing tactic targeting the healthcare industry represent a clear indicator of the profitability of the industry for crooks.
It’s not the first time that criminal organizations target the hospitality sector,
In November 2014 Kaspersky spotted the activity of a group of cyber criminals dubbed Darkhotel that was targeting executives traveling across Asia through hotel internet networks.
The DarkHotel campaign was ongoing for at least four years while targeting selected corporate executives traveling abroad. According to the experts, threat actors aimed to steal sensitive data from the victims while they were in luxury hotels.
The attackers appear high skilled professionals that were exfiltrate data of interest with a surgical precision and deleting any trace of their activity.
Edited by Pierluigi Paganini
(Security Affairs – Healthcare Industry, cybersecurity)