The prolific Carbanak crime group has recently zeroed in on the hospitality sector and adopted a new attack methodology, Trustwave security researchers warn.
The security firm analyzed three separate attacks, two targeting hospitality clients and one aimed at a restaurant chain, and found that all three featured the modus operandi of the infamous hacking group. Carbanak, also known as Anunak, managed to steal as much as $1 billion from more than 100 banks across 30 countries, and reemerged this year, targeting banks in the Middle East and U.S.
The attackers used social engineering in the new incidents: they would call customer service, say they couldn’t make a reservation, and ask to send the details via email. The email message contained a malicious Microsoft Word document with an encoded .VBS script that steals system information and screenshots and downloads additional malware. The attackers would reportedly stay on the phone until they had confirmation of a successful attack.
The malicious script uses macros to search for running Word instances and replace their content with attacker-generated text. Next, the compromised system connects to hxxp://188.8.131.52 to download additional malware (AdobeUpdateManagementTool.vbs).
This malicious program creates folders on the compromised system and adds files to them, adds a persistence mechanism, creates a scheduled task to call the .vbs, creates a service to call the .vbs, and drops a Shockwave Flash icon to disguise itself as that application. The malware was observed contacting a few websites, as well as several command and control (C&C) servers.
Trustwave researchers say that this threat can steal system and network information and can download reconnaissance tools to map out the network. Some of the downloaded utilities include Nmap, FreeRDP, NCat, NPing, and others. It would also grab el32.exe and el64.exe, which are privilege escalation exploits for 32- and 64-bit architectures.
This piece of malware, researchers say, was mainly responsible for the reconnaissance stage of the attack, in addition to downloading malicious apps to set up the next stage of the attack. It could also execute PowerShell scripts on command.
The malware sends beaconing messages via standard HTTP GET requests every 5 minutes, which allows it to hide within standard corporate network traffic. What’s more, the content of the GET request is encoded with Base64 and secondarily encrypted with RC4. The purpose of beaconing is for the attacker to know that the infected system is available for further exploitation.
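The beaconing pattern described above is exactly the kind of signal a defender can hunt for in proxy logs: the body is RC4-encrypted and cannot be decoded without the key, but a fixed 5-minute cadence and base64-shaped query values are visible regardless. The detector below is an added example written for this article, not code from Trustwave or the report; it assumes a constructed space-separated log format (timestamp, source, destination, method, URI) and flags source/destination pairs whose GETs recur at a near-constant period with encoded payloads.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not taken from the report): "timestamp src dst method uri".
# The first host receives a GET every ~5 minutes with a base64-looking parameter;
# the second host is ordinary browsing with irregular timing and plain paths.
SAMPLE_LOG = """\
2016-11-14T09:00:02 10.0.0.5 203.0.113.10 GET /index.php?id=aGVsbG8gd29ybGQgYmVhY29uIGRhdGE=
2016-11-14T09:05:01 10.0.0.5 203.0.113.10 GET /index.php?id=c2Vjb25kIGJlYWNvbiBtZXNzYWdlIGhlcmU=
2016-11-14T09:10:03 10.0.0.5 203.0.113.10 GET /index.php?id=dGhpcmQgYmVhY29uIG1lc3NhZ2UgaGVyZQ==
2016-11-14T09:15:02 10.0.0.5 203.0.113.10 GET /index.php?id=Zm91cnRoIGJlYWNvbiBtZXNzYWdlIGhlcmU=
2016-11-14T09:01:10 10.0.0.5 93.184.216.34 GET /news/today
2016-11-14T09:03:45 10.0.0.5 93.184.216.34 GET /news/sports
2016-11-14T09:12:30 10.0.0.5 93.184.216.34 GET /news/weather
2016-11-14T09:14:05 10.0.0.5 93.184.216.34 GET /news/today
"""

# Base64 alphabet, at least 16 characters, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def parse(log):
    """Split each log line into (datetime, src, dst, method, uri)."""
    rows = []
    for line in log.splitlines():
        ts, src, dst, method, uri = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, method, uri))
    return rows

def looks_base64(uri):
    """True if any query-string value in the URI is a long base64-shaped token."""
    query = uri.partition("?")[2]
    return any(B64_RE.match(kv.partition("=")[2]) for kv in query.split("&"))

def find_beacons(log, period=300, tolerance=0.1, min_hits=4):
    """Return (src, dst) pairs whose GETs recur every ~period seconds with encoded payloads."""
    by_pair = defaultdict(list)
    for ts, src, dst, method, uri in parse(log):
        if method == "GET":
            by_pair[(src, dst)].append((ts, uri))
    hits = []
    for pair, reqs in by_pair.items():
        if len(reqs) < min_hits:
            continue  # too few requests to judge periodicity
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        median = statistics.median(gaps)
        jitter = statistics.pstdev(gaps) / median if median else float("inf")
        encoded = all(looks_base64(uri) for _, uri in reqs)
        if abs(median - period) <= period * tolerance and jitter <= tolerance and encoded:
            hits.append(pair)
    return hits
```

Running `find_beacons(SAMPLE_LOG)` returns only the pair talking to 203.0.113.10; real traffic needs the thresholds tuned against known-good periodic clients such as update checkers.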
In the second stage of the attack, the malware identified as bf.exe launches a new instance of svchost.exe and injects its malicious code into this running process to hide itself. Next, it drops a pseudo-randomly named configuration file into the %ProgramData%\Mozilla folder, with a base64-encoded name derived from the infected system’s MAC address and a .bin extension.
The malware also searches the infected system for Kaspersky antivirus processes and terminates them, after which it registers itself as a randomly named service with the path “C:\Documents and Settings\All Users\Application Data\Mozilla\svchost.exe”.
After this step has been completed, the malware downloads well-known Carbanak malware, namely kldconfig.exe, kldconfig.plug, and runmem.wi.exe. The decrypted string references “anunak_config,” which researchers say is the encrypted configuration file downloaded from the C&C server.
The malware can enable remote desktop, steal local passwords, search the user’s email, target IFOBS banking systems, install remote desktop programs such as VNC or AMMYY, and also target credit card data by scraping memory on Point-of-Sale systems. In addition to allowing remote command of the infected system, the malware also communicates with two encrypted addresses and exfiltrates data to them via HTTP POST messages, using base64+RC2 encryption.
While following a common series of events (the social engineering lure, establishing remote control of the victim system and downloading additional tools, conducting reconnaissance on the network to expand the foothold, and exfiltrating payment card information and/or personally identifiable information), the campaign shows an unusual level of persistence, professionalism, and pervasiveness.
“The malware used is very multifaceted and still not caught by most (if any) antivirus engines. The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement is rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient,” Trustwave researchers say.