The Carbanak cybercrime gang, best known for allegedly stealing $1 billion from financial institutions worldwide, have shifted strategy and are targeting the hospitality and restaurant industries with new techniques and malware.
According to security researchers at Trustwave, over the last several weeks Carbanak has been targeting hospitality call centers with elaborate ploys to get customer service representatives to accept and download emails with malicious macro-laced documents. The target is credit card data scraped from the memory of point-of-sale systems.
“Carbanak used to be known for its billion-dollar bank heists. We have seen a dramatic shift in Carbanak and who it targets and how,” said Brian Hussey, director of global incident readiness and response at Trustwave.
Hussey said that Carbanak (also known as Anunak) is now going after point-of-sale systems with recompiled Carbanak malware that is difficult to detect. He said that hackers are also going to great lengths to target U.S.-based victims. “The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills,” he said. Hackers are going so far as to create websites of bogus companies they pretend to represent, stringing targets along with multiple phone calls and developing personable relationships.
“An attacker called the customer contact line saying that they were unable to use the online reservation system and requested to send their information to the agent via email. The attacker stayed on the line until the agent opened the attachment contained in the email and hung up when his attack was confirmed successful,” according to a Trustwave technical description of the attack.
A screenshot of the malicious Word document is shown above.
Hussey called “the persistence, professionalism and pervasiveness of this campaign” is at a level rarely seen. First discovered by Kaspersky Lab, Carbanak is best known for its 2014 crime spree when it stole as much as $1 billion from more than 100 financial institutions in a string of attacks against banks in the United States, Germany and China.
But, Hussey said, since its heyday a weakened Carbanak has been forced to develop new targets and revamp its malware to avoid detection.
“This is a fresh campaign. They started launching about six weeks ago and they are going at it as hard as they can to hit as many companies as they can while these IoCs (indicators of compromise) are still unknown,” Hussey told Threatpost.
He said within the past several weeks three customers had been hit with a variant of the Carbanak malware. “They are very active. Our contacts at legal firms and law enforcement say they are seeing these types of attacks everywhere.”
As for the technical aspects of the attack, once a victim is tricked into opening a Word document and enables macros, the Carbanak dropper goes to work. According to Trustwave’s examination of the malicious macro sample, it “contains an encoded .VBS script capable of stealing system information, desktop screenshots, and to download additional malware.”
The dropper will then reach out to a C2 in order to retrieve additional malware called AdobeUpdateManagementTool.vbs.
This malware is capable of stealing significant system and network information. It is also used to download additional reconnaissance tools to map out a target’s network and move laterally into the card holder data environment so hackers can then infect systems able to process card transactions, according to Trustwave.
Downloaded tools have included Nmap, FreeRDP, NCat and NPing, Hussey said. Two files of significance, el32.exe and el64.exe, are privilege escalation exploits for 32- and 64-bit architectures.
Hussey said that the Carbanak crew is using recompiled versions of its existing malware arsenal to avoid detection. “They’ve blended a lot of their existing malware to essentially create new variants of their existing malware. They’ve got all new IoCs (indicators of compromise) and all new domains and IP addresses,” he said.
A second-stage of the attack includes more Carbanak malware. One sample “bf.exe” injects itself into the running Service Host (svchost.exe) process where it can “hide.” Other malware downloaded includes kldconfig.exe, kldconfig.plug, and runmem.wi.exe.
“These tools are all well-known Carbanak malware and variations of them were used in the banking intrusions that made them famous in 2015. Additionally, the decrypted string references ‘anunak_config’ which is the encrypted configuration file that it downloads from its control server,” according to Hussey.
Here is where Trustwave researchers say Carbanak and its revamped malware departs significantly from its previous tactics that focused on Internet Front Office Banking Systems (IFOBS). “This malware is very multi-functional as it can enable remote desktop, steal local passwords, search user’s email, target IFOBS banking systems, or install completely different remote desktop programs,” Hussey wrote.
Trustwave warns that the recent Carbanak campaign is “extremely stealthy” and hard to detect. “Without a general awareness of these new campaigns targets aren’t likely spot the attack until it’s too late,” Hussey said.
