Carbanak certainly has not sat idly by after years of advanced criminal campaigns targeting primarily financial institutions. The outfit, alleged to have stolen from more than 100 banks worldwide, has popped up again with a new means of managing command and control over its malware and implants.
Researchers at Forcepoint said Tuesday that an investigation into an active exploit sent in phishing messages as a RTF attachment led them to discover the group has been using hosted Google services for command and control.
Services such as Google Forms and Google Sheets are being co-opted by the group, allowing Carbanak traffic to essentially hide in plain sight among Google traffic that is unlikely to be blocked by an organization.
Forcepoint said that each time a victim is infected by the group’s malware, a Google Sheets spreadsheet is created along with a unique ID for the victim, which is used to manage interactions with the infected machine. The attacker then manually goes into the spreadsheet, collects any data sent back from the target’s computer and loads the spreadsheet with commands and additional malware that is pulled to the compromised machine.
Forcepoint said it was not aware of how many of these command and control channels were open on Google services, but said it is something that was privately disclosed to Google. A request for comment from Google was not returned in time for publication.
“The Carbanak actors continue to look for stealth techniques to evade detection,” Forcepoint said in its report published yesterday. “Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation.”
Researchers said their investigation was prompted in part by a new campaign disclosed by tr1adx, a scarcely populated website that has published four pieces of “intelligence,” primarily focusing on state-sponsored groups. On Jan. 1, it published a piece on a Carbanak campaign it was calling Digital Plagiarist. The main tactic exposed in the report was the group’s use of tainted Office documents hosted on sites mirroring legitimate sites such as the U.S. Food and Drug Administration, Department of the Treasury, Zyna, Atlantis Bahamas, Waldorf Astoria and many others across sectors such as manufacturing, hospitality, media and health care. The group, which tr1adx calls the TelePort Crew, is likely Carbanak based on domains and malware used in this campaign that are similar to another disclosed by researchers at Trustwave last year.
Forcepoint took a look at a RTF file previously used exclusively by Carbanak that includes crafted VBscript. The document, Forcepoint said, contains an embedded OLE object disguised as an image asking the victim to click on it to view the attachment. The image is hosting the VBscript, and if the victim clicks on the image, a dialogue box appears instructing the users to open the file, which executes the attack.
“We decoded the script and found hallmarks typical of the Carbanak group’s VBScript malware, however we also found the addition of a new ‘ggldr’ script module,” Forcepoint said. “The module is base64 encoded inside the main VBScript file along with various other VBScript modules used by the malware. When we analyzed the script we noticed that it is capable of using Google services as a C&C channel.”
Carbanak’s activities were exposed in 2015 by researchers at Kaspersky Lab who published an extensive report explaining was using advanced malware to attack more than 100 banks, stealing anywhere from $2.5 million to $10 million per bank, putting potential losses at $1 billion.
Carbanak used spear phishing to infiltrate banks, laterally moving across compromised bank networks until they landed on the right system that allowed them to steal money. On some instances, Kaspersky Lab said, Carbanak would record video of system operators, which were used in concert with data obtained by implanted keyloggers to fully understand what the victim was doing on the infected machine.
Kaspersky Lab said Carbanak would cash out in a number of ways:
“ATMs were instructed remotely to dispense cash without any interaction with the ATM itself, with the cash then collected by mules; the SWIFT network was used to transfer money out of the organization and into criminals’ accounts; and databases with account information were altered so that fake accounts could be created with a relatively high balance, with mule services being used to collect the money.”