Carbanak Gang Targeting Hospitality Industry


The Carbanak cybercrime gang, best known for allegedly stealing $1 billion from financial institutions worldwide, has shifted strategy and is targeting the hospitality and restaurant industries with new techniques and malware.

According to security researchers at Trustwave SpiderLabs, over the last several weeks Carbanak has been targeting hospitality call centers with elaborate ploys to get customer service representatives to accept and download emails with malicious macro-laced documents. The target is credit card data scraped from the memory of point-of-sale systems.

Carbanak (also known as Anunak) is now going after point-of-sale systems with recompiled Carbanak malware that is difficult to detect.


A screenshot of the malicious Word document is shown above.

According to the Trustwave researcher, this is a fresh campaign that began about six weeks ago, and the attackers are going at it as hard as they can to hit as many companies as they can while these IoCs (indicators of compromise) are still unknown. Within the past several weeks, three hospitality organizations have been hit with a variant of the Carbanak malware.

Attack Methodology

The attackers used social engineering in the new incidents: they would call customer service saying they couldn’t make a reservation and requested to send information via email. The email message contained a malicious Microsoft Word document with an encoded .VBS script to steal system information and screenshots, and download additional malware. The attackers would reportedly stay on the phone until they had confirmation of a successful attack.

The malicious script uses macros to search for running Word instances and replaces their content with attacker-generated text. Next, a compromised system connects to to download additional malware (AdobeUpdateManagementTool.vbs).

This malicious program creates folders on the compromised systems and adds files to them, adds a persistence mechanism, creates a scheduled task to call the vbs, creates a service to call the vbs, and drops a Shockwave Flash icon and disguises itself as such. The malware was observed contacting a few websites, as well as several command and control (C&C) servers.

Trustwave researchers say that this threat can steal system and network information and can download reconnaissance tools to map out the network. Some of the downloaded utilities include Nmap, FreeRDP, NCat, NPing, and others. It would also grab el32.exe and el64.exe, which are privilege escalation exploits for 32 and 64-bit architectures.

This piece of malware, researchers say, was mainly responsible for the reconnaissance stage of the attack, in addition to downloading malicious apps to set up for the next stage of the attack. It could also execute PowerShell scripts on command.

The malware sends beaconing messages via standard HTTP GET requests every 5 minutes, which allows it to hide within standard corporate network traffic. What’s more, the content of the GET request is encoded with Base64 and secondarily encrypted with RC4. The purpose of beaconing is for the attacker to know that the infected system is available for further exploitation.
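The beaconing pattern described above can be hunted in proxy logs by combining the two traits the article names: a fixed request interval and an opaque encoded value. The following is an added detection sketch, not code from Trustwave or from the original article; the log records, hosts and thresholds are constructed assumptions.

```python
import base64
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

def _blob(n):
    # Constructed stand-in for an RC4-encrypted, Base64-encoded beacon value.
    raw = bytes((17 * i + 131 * n) % 256 for i in range(24))
    return base64.urlsafe_b64encode(raw).decode()

# Constructed proxy records: (epoch seconds, client, method, URL); hosts are placeholders.
SAMPLE = (
    [(1000 + 300 * n + n % 3, "10.0.5.21", "GET",
      f"http://cdn.example.net/u?s={_blob(n)}") for n in range(6)]
    + [(1000 + 300 * n, "10.0.5.40", "GET",
        "http://time.example.org/ping?id=42") for n in range(6)]
    + [(t, "10.0.5.33", "GET", "http://intranet.example.com/search?q=room%20rates")
       for t in (1010, 1055, 1900, 2400, 2410, 3300)]
)

def opaque_value(url):
    """True if a query value is valid Base64 that decodes to mostly non-text bytes."""
    for part in urlsplit(url).query.split("&"):
        value = part.partition("=")[2].replace("-", "+").replace("_", "/")
        if len(value) < 16:
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:  # not Base64 (binascii.Error is a ValueError)
            continue
        if sum(32 <= b < 127 for b in raw) < 0.9 * len(raw):
            return True
    return False

def find_beacons(records, period=300, tolerance=30, min_hits=5):
    """Flag (client, host) pairs with fixed-interval GETs carrying opaque values."""
    groups = defaultdict(list)
    for ts, client, method, url in records:
        if method == "GET":
            groups[(client, urlsplit(url).hostname)].append((ts, url))
    hits = []
    for (client, host), reqs in sorted(groups.items()):
        reqs.sort()
        gaps = [b[0] - a[0] for a, b in zip(reqs, reqs[1:])]
        regular = len(reqs) >= min_hits and all(abs(g - period) <= tolerance for g in gaps)
        if regular and all(opaque_value(u) for _, u in reqs):
            hits.append((client, host, statistics.median(gaps)))
    return hits
```

In the constructed sample, the client polling time.example.org is just as regular as the beaconing one but carries no opaque value, so only the first client is reported.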

In the second stage of the attack, the malware identified as bf.exe executes a new iteration of svchost.exe and injects its malicious code into this running process to hide itself. Next, it drops a pseudo-randomly named configuration file into the %ProgramData%\Mozilla folder, with a base64 encoded name based on the infected system’s MAC address, and with a .bin extension.

The malware also searches the infected system for Kaspersky antivirus processes and terminates them, after which it registers itself as a randomly-named service with the “C:\Documents and Settings\All Users\Application Data\Mozilla\svchost.exe” path.
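The host artifacts described so far (a service running svchost.exe from a Mozilla folder, a service or scheduled task that calls a .vbs file, and a Base64-named .bin file in the Mozilla folder) lend themselves to a simple triage pass over exported inventory. This is an added example, not code from the original article or from Trustwave; the service names, the .vbs folder, the MAC string and the C:\Windows system root are constructed assumptions, and the svchost.exe rule is generalized to any location outside the system directories.

```python
import base64
import ntpath
import re

# Assumption: Windows is installed under C:\Windows.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed service / scheduled-task command lines; names and the .vbs folder are made up.
SERVICES = [
    {"name": "Dhcp", "path": r"C:\Windows\System32\svchost.exe -k LocalService"},
    {"name": "qzkvpa",
     "path": r"C:\Documents and Settings\All Users\Application Data\Mozilla\svchost.exe"},
    {"name": "AdobeUpd", "path": r'wscript.exe "C:\Users\Public\AdobeUpdateManagementTool.vbs"'},
]
# Constructed file listing; the .bin stem is Base64 of the made-up MAC "00-1A-2B-3C-4D-5E".
FILES = [
    r"C:\ProgramData\Mozilla\MDAtMUEtMkItM0MtNEQtNUU=.bin",
    r"C:\ProgramData\Mozilla\cache index.bin",
    r"C:\ProgramData\Mozilla\updates\308046B0AF4A39CB\updates.xml",
]

def is_base64(stem):
    """True if the file stem is a strictly valid, non-trivial Base64 string."""
    try:
        return len(stem) >= 8 and bool(base64.b64decode(stem, validate=True))
    except ValueError:
        return False

def triage(services, files):
    """Return (item, reason) pairs for entries matching the artifacts described above."""
    findings = []
    for svc in services:
        cmd = svc["path"]
        exe = re.match(r'"?(.+?\.exe)', cmd, re.I)  # image path, quoted or not
        if exe:
            image = exe.group(1)
            if (ntpath.basename(image).lower() == "svchost.exe"
                    and ntpath.normcase(ntpath.dirname(image)) not in SYSTEM_DIRS):
                findings.append((svc["name"], "svchost.exe outside system directory"))
        if re.search(r"\.vbs\b", cmd, re.I):
            findings.append((svc["name"], "launches a VBScript"))
    for path in files:
        stem, ext = ntpath.splitext(ntpath.basename(path))
        parent = ntpath.basename(ntpath.dirname(path)).lower()
        if parent == "mozilla" and ext.lower() == ".bin" and is_base64(stem):
            findings.append((path, "Base64-named .bin in Mozilla folder"))
    return findings
```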

After this step has been completed, the malware downloads well-known Carbanak malware, namely kldconfig.exe, kldconfig.plug, and runmem.wi.exe. The decrypted string references “anunak_config,” which researchers say is the encrypted configuration file downloaded from the C&C server.

The malware can enable remote desktop, steal local passwords, search user’s email, target IFOBS banking systems, install remote desktop programs such as VNC or AMMYY, and also target credit card data by scraping memory on Point-of-Sale systems. In addition to allowing for the remote command of the infected system, the malware also communicates with two encrypted addresses and exfiltrates data to them via HTTP POST messages, using base64+RC2 encryption.

While following a common series of events (the social engineering lure, establishing remote control of victim system and downloading additional tools, conducting reconnaissance on the network to expand foothold, and exfiltrating payment card information and/or personally identifiable information), the campaign shows an unusual level of persistence, professionalism, and pervasiveness.

“The malware used is very multifaceted and still not caught by most (if any) antivirus engines. The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement are rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient,” Trustwave researchers say.


  1. Social engineering / phishing used to gain initial network foothold
  2. Cleverly disguised malware establishes remote control of victim system and downloads additional tools
  3. Attacker conducts reconnaissance to scan network, expand foothold and identify high-value targets
  4. Payment card information and/or PII (personally identifiable information) is captured and exfiltrated back to the attacker.

Indicators of Compromise

SHA-1 8d7c90a699b4055e9c7db4571588c765c1cf2358 (Version 1)
SHA-1 a91416185d2565ce991fc2c0dd9591c71fd1f627 (Version 2)

SHA-1 3d00602c98776e2ea5d64a78fc622c4ff08708e3



