The prolific Carbanak crime group has refined its intrusion strategy and expanded its arsenal of tools used in attacks, a new Trustwave report reveals.
The Carbanak group, also known as Anunak, was exposed in 2015 after it managed to steal an estimated $1 billion from more than 100 banks across 30 countries. In early 2016, the group continued to target banks, mainly in the Middle East and U.S.
In November last year, Trustwave observed a campaign targeting organizations in the hospitality sector in which Carbanak operators would call customer service, claim they were unable to make a reservation online, and ask to send the details via email.
Earlier this year, the Carbanak malware was seen using Google services for command and control (C&C) communication, and security researchers revealed that the group would deploy a large number of tools as part of their attacks.
The most recent attacks associated with the group continue to employ a variety of tools, but have switched to new social engineering techniques. The attackers now send a malicious Word or RTF document to employees of organizations in the hospitality sector, then call to ask whether the document has been opened, and follow up with another call 30 minutes later.
The callers claim that the sender had trouble with the online ordering system, or that the document concerns a lawsuit over a member of their party falling ill after a meal at one of the targeted organization’s restaurants. The phone calls are meant to ensure the victim actually opens the malicious document, the security researchers say.
One of the analyzed infected RTF documents dropped two VBS and one PS1 file onto the targeted system. To achieve persistence, a scheduled task to run the main malware file every 25 minutes was created. On top of that, the C&C malware creator script was observed dropping additional malware and support files in a different folder, including another PS1 file, four more VBS scripts, and INI and TXT files.
The INI file in this campaign is used to issue commands to the compromised machine and to reflect the status of previous commands. The INI processing script, which parses and processes the INI file, provides commands such as Screenshot (save screenshot as screenshot.png), Runvbs, Runexe, Runps, Update, and Delete.
The INI file also contains information on whether the malware has transmitted the victim’s system information to the attacker. The sent information includes OS name and version, available physical memory, total physical and virtual memory, time zone, computer name, a list of processes, user name, and processor and BIOS information.
The attackers no longer used user accounts and passwords for lateral movement. Instead, the malware would bypass authentication on the remote system and use SMB commands to locate vulnerable hosts and compromise them.
Trustwave also notes that the Carbanak malware writers have used various methods to hide the functionality of their malicious programs: a PowerShell script file created from a base64-encoded string hidden in the malicious Word document; three levels of decoding for the final PowerShell script; a further base64-encoded string inside that script; alphanumeric shellcode and an encoded payload retrieved via DNS TXT records; and more.
To stay protected, organizations are advised to perform regular security awareness training for all employees with particular attention to spear phishing, run spear phishing exercises, use an email server or appliance that can assist with malware detection, disable macros by default in all Office applications, use a SIEM or other log-and-event aggregation system so that aggregated network traffic can be examined, ensure IDS rules are able to detect Metasploit modules, blacklist all PowerShell and VBS scripts not used by the organization, perform continuous DNS monitoring, and restrict DNS traffic.
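The report's two DNS points, payload staging through TXT records and the advice to monitor DNS continuously, translate into a simple detection that can run over resolver logs. The script below is an added example, not Trustwave's code or anything from the report; the log format, addresses and domains are constructed placeholders, and the thresholds are assumptions to tune per environment.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qtype> <qname> <answer>".
# Addresses and domains are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2017-05-02T10:01:03 10.0.0.15 A www.example.com 93.184.216.34
2017-05-02T10:01:04 10.0.0.15 TXT example.com "v=spf1 include:_spf.example.com ~all"
2017-05-02T10:02:10 10.0.0.27 TXT s1.stage.placeholder.test "u8H3kQ2mZx9LpT0vRb7yWd4aJn6cKfE1sGhIoMlNqUwXyZ5tAeCiDgBjFkHmOrVs"
2017-05-02T10:02:11 10.0.0.27 TXT s2.stage.placeholder.test "Qz7LmW2pXa9RbT4nKc1vYd8hJf3gSe6iUo0kNl5wPrAtCxBy+/ZqDuGvHsMjFeIc"
2017-05-02T10:02:12 10.0.0.27 TXT s3.stage.placeholder.test "K4mN8bV2cX6zL0pQ9wE3rT7yU1iO5aS2dF6gH0jJ4kL8zX2cV6bN0mM3qW7eR1tY"
2017-05-02T10:05:00 10.0.0.40 A mail.example.com 93.184.216.35
"""

LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"?(.*?)"?$')
B64_RE = re.compile(r"^[A-Za-z0-9+/]+=*$")  # base64 alphabet only

def shannon_entropy(s):
    """Bits per character; encoded blobs sit well above SPF/DKIM text."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encoded(answer, min_len=40, min_entropy=4.0):
    """Long, base64-only and high-entropy: typical of a staged payload chunk."""
    return (len(answer) >= min_len and bool(B64_RE.match(answer))
            and shannon_entropy(answer) >= min_entropy)

def find_txt_staging(log_text, txt_threshold=3):
    """Flag clients by TXT query volume and by encoded-looking TXT answers."""
    stats = defaultdict(lambda: {"txt_queries": 0, "encoded_answers": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, qtype, _qname, answer = m.groups()
        if qtype != "TXT":
            continue
        stats[client]["txt_queries"] += 1
        if looks_encoded(answer):
            stats[client]["encoded_answers"] += 1
    flagged = {}
    for client, s in stats.items():
        reasons = []
        if s["txt_queries"] >= txt_threshold:
            reasons.append("txt-volume")
        if s["encoded_answers"] > 0:
            reasons.append("encoded-txt-answer")
        if reasons:
            flagged[client] = {**s, "reasons": reasons}
    return flagged
```

On the sample log only 10.0.0.27 is flagged; the host that looked up a normal SPF record is not, because SPF text fails both the charset and entropy checks.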