The Carbanak financial APT group made the headlines when Group-IB and Fox-IT broke the news in December 2014, followed by the Kaspersky report in February 2015. The two reports describe the same cybercriminal gang which stole up to several hundreds of millions of dollars from various financial institutions.
However, the story is interesting not only because of the large amount of money stolen but also from a technical point of view. The Carbanak team does not just blindly compromise large numbers of computers and try to ‘milk the cow’ as other actors do; instead, they act like a mature APT group. They compromise only specific high-value targets and, once inside the company networks, move laterally to hosts that can be monetized.
A few days ago CSIS published details about new Carbanak samples found in the wild.
In this blog we will describe the latest developments in the Carbanak story.
Casino hotel hack
At the end of August, we detected an attempt to compromise the network of a casino hotel in the USA. The infection vector used in this attack may have been a spearphishing e-mail with a malicious attachment using an RTF-exploit or .SCR file. The attackers’ aim was to compromise PoS servers used in payment processing.
The main backdoor used by attackers was the open-source Tiny Meterpreter. In this case, however, the source was modified – the process injection to svchost.exe was added to its functionality.
This Tiny Meterpreter backdoor dropped two different malware families:
•Win32/Spy.Sekur – well known malware used by the Carbanak gang
•Win32/Wemosis – a PoS RAM Scraper backdoor
As mentioned here by our colleagues from TrendMicro, Carbanak malware is capable of targeting Epicor/NSB PoS systems, while Win32/Wemosis is a general-purpose PoS RAM scraper that targets any PoS software that holds card data in memory. The Wemosis backdoor is written in Delphi and allows the attacker to control an infected computer remotely.
Both executables were digitally signed with the same certificate:
The certificate details:
Company name: Blik
Validity: from 02 October 2014 to 03 October 2015
Thumbprint: 0d0971b6735265b28f39c1f015518768e375e2a3
Serial number: 00d95d2caa093bf43a029f7e2916eae7fb
Subject: CN = Blik
O = Blik
STREET = Berzarina, 7, 1
L = Moscow
S = Moscow
PostalCode = 123298
C = RU
This certificate was also used in the digital signature of a third malware family used by the same gang: Win32/Spy.Agent.ORM.
Win32/Spy.Agent.ORM – overview
Win32/Spy.Agent.ORM (also known as Win32/Toshliph) is a trojan used by the Carbanak gang as one of their first-stage payloads. The binary of the testing version was signed with the Blik certificate; moreover, Spy.Agent.ORM shares some code similarities with the “regular” Carbanak malware.
The Win32/Spy.Agent.ORM malware family is already known in the industry because of two blogposts. In July 2015 security company Cyphort reported the compromise of a news portal and a banking site – rbc.ua and unicredit.ua. It turns out that the compromised sites served Win32/Spy.Agent.ORM. After that, Blue Coat reported a spearphishing attempt targeting Central Bank of Armenia employees, the payload being the same.
This malware appeared on our radar at the beginning of summer 2015, and we have been tracking it since.
We have seen attempts to attack various companies in Russia and Ukraine using spearphishing e-mails that have malicious attachments consisting of .SCR files or .RTF exploits.
Here is an example of a spearphishing email sent to one of the biggest Forex-trading companies:
Roughly translated from Russian to English, it says:
“Due to the high volatility of the ruble exchange rate, the Bank of Russia sends the rules of trading on the currency market. Password for the attached document: cbr”
Here is another example of a spearphishing attempt. An email with this text was sent to the largest electronic payment service in Russia:
By order of Roskomnadzor dated 04.08.2015, you are required to block materials falling under Federal Law No. 152-FZ of 27.07.2006 (as amended on 21.07.2014) “On Personal Data”. The list of materials is in the document.
Password roscomnadzor
Another rough translation from Russian to English:
“According to Roscomnadzor prescript you should block the materials, which you can find in the attachment. Password is roscomnadzor”
We have seen similar .SCR files with the following filenames:
•АО «АЛЬФА-БАНК» ДОГОВОР.scr (Alfabank contract)
•Перечень материалов для блокировки от 04.08.2015г.scr (List to block)
•Postanovlene_ob_ustranenii_18.08.2015.pdf %LOTS_OF_SPACES% ..scr
•Правила Банка России от 06.08.2015.pdf %LOTS_OF_SPACES% .scr (Rules of Bank of Russia)
All these attachments were password-protected archives containing an .SCR file. The files carried an Adobe Acrobat Reader icon or an MS Word icon, and some of the names pad a decoy document extension with a long run of spaces so that the real .scr extension is pushed out of view.
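The naming trick above (a decoy .pdf extension, a run of spaces, then the real .scr) is easy to catch at the mail gateway. The following is an added example, not code from the original post or from ESET, that classifies attachment filenames; the sample names are the .SCR filenames from this post with %LOTS_OF_SPACES% expanded to 40 constructed spaces.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Extensions Windows executes directly; an .SCR "screensaver" is a plain PE file.
EXEC_EXTENSIONS = {"scr", "exe", "pif", "com", "cpl", "bat", "cmd", "js", "vbs"}
# Document extensions the decoy names on this page impersonate.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "rtf", "xls", "xlsx"}

# Splits "<base><padding>.<ext>": the lazy base lets the padding (spaces/dots)
# and the true final extension be captured separately, e.g. "x.pdf     ..scr".
_FINAL_EXT = re.compile(r"^(?P<base>.*?)(?P<pad>[\s.]*)\.(?P<ext>[A-Za-z0-9]+)$")

@dataclass
class Finding:
    name: str
    true_ext: str            # extension Windows will actually act on
    decoy_ext: Optional[str] # document extension hidden before the padding, if any
    padded: bool             # whitespace inserted to push the real extension out of view
    verdict: str             # "block" or "pass"

def classify_attachment(name: str) -> Finding:
    m = _FINAL_EXT.match(name)
    if not m:  # no extension at all: nothing for this check to say
        return Finding(name, "", None, False, "pass")
    base, pad, ext = m.group("base"), m.group("pad"), m.group("ext").lower()
    decoy = None
    if "." in base:
        inner = base.rsplit(".", 1)[1].lower()
        if inner in DECOY_EXTENSIONS:
            decoy = inner
    padded = any(c.isspace() for c in pad)
    verdict = "block" if ext in EXEC_EXTENSIONS else "pass"
    return Finding(name, ext, decoy, padded, verdict)

def scan_attachments(names: List[str]) -> List[Finding]:
    """Return only the attachments this filename check would block."""
    return [f for f in (classify_attachment(n) for n in names) if f.verdict == "block"]

# Constructed sample: the .SCR names from this post, plus one RTF-exploit carrier
# (.doc) that a filename check alone cannot flag; that one needs content inspection.
SAMPLE_NAMES = [
    "АО «АЛЬФА-БАНК» ДОГОВОР.scr",
    "Перечень материалов для блокировки от 04.08.2015г.scr",
    "Postanovlene_ob_ustranenii_18.08.2015.pdf" + " " * 40 + " ..scr",
    "Правила Банка России от 06.08.2015.pdf" + " " * 40 + " .scr",
    "prikaz-451.doc",
]

if __name__ == "__main__":
    for f in scan_attachments(SAMPLE_NAMES):
        print(f"{f.verdict}: {f.name!r} ext={f.true_ext} decoy={f.decoy_ext} padded={f.padded}")
```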
In other cases attackers used RTF files with different exploits, including an exploit for one of the latest Microsoft Office vulnerabilities, CVE-2015-1770, which was patched by Microsoft in June 2015 in MS15-059.
We have seen RTF files with the following names used in attacks:
•prikaz-451.doc
•REMITTANCE ADVICE ON REJECTION.doc
•PROOF OF REMITTANCE ADVICE .doc
•HDHS739_230715_010711_A17C7148_INTERNAL.doc
•Բանկերի և բանկային գործունեության մասին ՀՀ օրենք 27.07.2015.doc (Armenian: The Law on Banks and Banking 27.07.2015)
•PAYMENT DETAILS.doc
•АО «АЛЬФА-БАНК» ДОГОВОР.doc (Russian: Alpha-bank contract)
•AML REPORTS_20082015_APPLICATION FORM-USD-MR VYDIAR.doc
•Anti-Money Laudering & Suspicious cases.doc
•ApplicationXformXUSDXduplicateXpayment.doc
•AML USD & Suspicious cases.doc
•Amendment inquiry ( reference TF1518869100.doc
•Information 2.doc
Here is an example of a spearphishing message that was sent to a bank in the United Arab Emirates: