A cyber crime group strengthened its intrusion strategy and expanded its set of tools used in attacks, a new report found.
The Carbanak group ended up discovered in 2015 after stealing $1 billion from over 100 banks across 30 countries. In early 2016, the group, also known as Anunak, continued to target banks, mainly in the Middle East and U.S.
In November last year, Trustwave researchers discovered a campaign targeting organizations in the hospitality sector.
The most recent attacks associated with the group continue to employ a variety of tools, but have switched to new social engineering techniques, researchers said in a post.
The attackers now send a malicious Word or RTF document to employees of organizations in the hospitality sector, then call to ask whether the document has been opened, following up with another call 30 minutes later.
The callers claimed that the sender was having trouble with the online ordering system, or that the document related to a lawsuit over a member of their party falling ill after a meal at one of the targeted organization’s restaurants. The phone calls were meant to ensure the victim opened the malicious document, researchers said.
One of the analyzed infected RTF documents dropped two VBS files and one PS1 file onto the targeted system. To achieve persistence, a scheduled task was created to run the main malware file every 25 minutes. The C&C malware creator script dropped additional malware and support files into a different folder, including another PS1 file, four more VBS scripts, and INI and TXT files.
The INI file in this campaign is used to issue commands to the compromised machine and to reflect the status of previous commands. The INI processing script, which parses and processes the INI file, provides commands such as Screenshot (save screenshot as screenshot.png), Runvbs, Runexe, Runps, Update, and Delete.
The INI file also contains information on whether the malware has transmitted the victim’s system information to the attacker. The sent information includes OS name and version, available physical memory, total physical and virtual memory, time zone, computer name, a list of processes, user name, and processor and BIOS information.
There are several steps an organization can take to prevent or limit the severity of a Carbanak attack, Trustwave researchers said. All of the following steps apply and can be achieved via internal security engineering or by engaging an MSSP:
• Regular security awareness training for all employees, paying particular attention to spear phishing.
• Spear phishing exercises in which employees are sent a ‘phishing’ email that points to a site controlled by IT.
• An email server or appliance that can assist with malware detection, such as scanning incoming email attachments for base64 strings.
• Macros disabled by default in all Office applications (although a user can still re-enable them).
• A SIEM or other log-and-event aggregation system that allows aggregated network traffic to be examined by an expert security team before, during, and after an attack.
• IDS rules that are able to detect Metasploit modules.
• Threat-intelligence-driven software restriction policies, such as preventing program execution from C:\Windows\Temp.
• Whitelisting of the PowerShell and VBS scripts used by the organization, with all others blacklisted.
• Continuous DNS monitoring with threshold alerts for systems issuing excessive DNS queries in a given period of time.
• DNS traffic restricted so that internal systems are only able to query your DNS servers.
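The DNS threshold alert recommended above, as an added example that is not part of the Trustwave report or the article: it runs a per-client sliding window over a constructed DNS query log and flags any client whose query count within the window exceeds a threshold. The log format, the threshold of 5 queries per minute (far lower than a production value, chosen so the sample trips it) and the client addresses are all assumptions made for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client IP> <queried name>" per line.
# Client 10.0.5.21 bursts six queries inside one minute; 10.0.5.22 is quiet.
# The 08:30 entry for 10.0.5.21 falls outside the window and must not count.
SAMPLE_LOG = """\
2017-01-10T08:30:00 10.0.5.21 www.example.com
2017-01-10T09:00:00 10.0.5.22 www.example.com
2017-01-10T09:00:01 10.0.5.21 k3j2h.example.net
2017-01-10T09:00:02 10.0.5.21 p9x1q.example.net
2017-01-10T09:00:03 10.0.5.21 z7m4r.example.net
2017-01-10T09:00:04 10.0.5.22 mail.example.com
2017-01-10T09:00:05 10.0.5.21 c2v8w.example.net
2017-01-10T09:00:06 10.0.5.21 l5n0t.example.net
2017-01-10T09:00:07 10.0.5.21 f1b6y.example.net
"""


def parse_line(line):
    """Split one log line into (timestamp, client, queried name)."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname


def find_excessive_queriers(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {client: timestamp of the query that first exceeded the threshold}.

    A deque per client holds the timestamps of its queries inside the sliding
    window; entries older than `window` are dropped before each comparison, so
    a burst is judged only against recent activity, not the whole log.
    """
    recent = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _qname = parse_line(line)
        q = recent[client]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and client not in alerts:
            alerts[client] = ts
    return alerts


if __name__ == "__main__":
    for client, when in find_excessive_queriers(SAMPLE_LOG).items():
        print(f"ALERT {client}: query rate exceeded threshold at {when.isoformat()}")
```

In production the same loop would read from the resolver's query log or a SIEM feed, and the alert would carry the queried names so an analyst can tell a runaway application from a host beaconing or tunnelling over DNS.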