Months of ramped up Carbanak activity that includes a new host of targets and new command and control strategy has reinvigorated attention on a criminal outfit that may have at one time stolen up to $1 billion from banks worldwide.
Carbanak has moved on from an almost exclusive focus on financial services and has been hitting a number of organizations in the hospitality, restaurant and retail markets, using a bevy of tools that would make a state-sponsored APT group envious.
But perhaps the most ingenious and effective shift is the group’s decision to run command-and-control from a number of Google’s cloud-based services such as Google Forms and Google Sheets. Traffic to and from compromised computers, which includes uploads of stolen payment card and other sensitive information and downloads of new commands and malware, is encrypted and obfuscated. Traffic to these services likely wouldn’t be blocked by an organization because it’s Google, and finding malicious traffic or stolen data presents a serious challenge, even to Google.
Google refused to comment on the scope of the challenge, or whether it has been able to shut down any of the command and control accounts.
“We’re constantly working to protect people from all forms of malware and other types of attacks. We’re aware of this particular issue and taking the appropriate actions,” a Google spokesperson told Threatpost.
Researchers at Trustwave and Forcepoint said they disclosed their findings in recently published research to Google.
In the meantime, Carbanak continues to carry out campaigns in North America and Europe, infiltrating enterprise networks, infecting servers, point-of-sale terminals and client workstations.
“They are very stubborn and very good,” said Trustwave global director of incident response and computer forensics Brian Hussey. “They’ve been doing it for years; it’s their profession. Their malware and capabilities are cutting edge. They don’t make dumb mistakes. They’re stealthy how they infiltrate victims, they’re good at lateral movement and leaving backdoors so that it’s easy to re-engage. It’s their professionalism really.”
Trustwave published a 45-page report on Wednesday about Carbanak activity that echoes some of what Forcepoint published earlier this week, in particular around the use of Google services for command and control. It diagrams some attacks, most of which start with spear phishing emails containing malicious Word documents as attachments. The attachments require users to enable macros in order to view the attached document and execute the attack. Attackers have gone so far as to place a phone call to the target and use social engineering in an attempt to get them to open and execute the malware tied to the attachment.
Once on a machine, the attackers are determined to move laterally until they land on a worthy machine; they do so using pass-the-hash attacks for privilege escalation with the aim of gaining domain or admin level access. They’ve also been able to buy legitimate digital certificates from Comodo that they’ve used to sign malware; the companies and individuals in Russia used to buy the certs are likely phony, Trustwave said.
“The Carbanak campaigns include full-service malware that does everything from escalating privileges to shutting down antivirus,” Hussey said. “They have the ability to target much more than payment card data. They can target R&D, personal information, anything in the environment. We know they are targeting payment data and getting away with a lot. The concern is they can go a lot further with the tools they have available.”
Trustwave says much of this activity is earmarked Carbanak, but the clincher was the use of the Anunak backdoor (signed with the Comodo cert), and VBScript land PowerShell script files capable of receiving commands or exfiltrating data.
Trustwave published hashes associated with the malicious files and IP addresses for the malicious hosts connecting with compromised computers.