The Carbanak financial APT group made the headlines when Group-IB and Fox-IT broke the news in December 2014, followed by the Kaspersky report in February 2015. The two reports describe the same cybercriminal gang, which stole up to hundreds of millions of dollars from various financial institutions.
However, the story is interesting not only because of the large amount of money stolen but also from a technical point of view. The Carbanak team does not blindly compromise large numbers of computers and try to 'milk the cow' as other actors do; instead, it behaves like a mature APT group. It compromises only specific high-value targets and, once inside a company network, moves laterally to hosts that can be monetized.
A few days ago CSIS published details about new Carbanak samples found in the wild.
In this blog we will describe the latest developments in the Carbanak story.
Casino hotel hack
At the end of August, we detected an attempt to compromise the network of a casino hotel in the USA. The infection vector used in this attack may have been a spearphishing e-mail with a malicious attachment, either an RTF exploit or an .SCR file. The attackers' aim was to compromise the point-of-sale (PoS) servers used in payment processing.
The main backdoor used by the attackers was the open-source Tiny Meterpreter. In this case, however, the source had been modified: process injection into svchost.exe was added to its functionality.
This Tiny Meterpreter backdoor dropped two different malware families:
- Win32/Spy.Sekur – well known malware used by the Carbanak gang
- Win32/Wemosis – a PoS RAM Scraper backdoor
As mentioned here by our colleagues from TrendMicro, Carbanak malware is capable of targeting Epicor/NSB PoS systems, while Win32/Wemosis is a general-purpose PoS RAM scraper that targets any PoS software holding card data in memory. The Wemosis backdoor is written in Delphi and allows the attacker to control the infected computer remotely.
Both executables were digitally signed with the same certificate:
The certificate details:
Company name: Blik
Validity: from 02 October 2014 to 03 October 2015
Serial number: 00d95d2caa093bf43a029f7e2916eae7fb
Subject: CN = Blik
O = Blik
STREET = Berzarina, 7, 1
L = Moscow
S = Moscow
PostalCode = 123298
C = RU
This certificate was also used in the digital signature of a third malware family used by the same gang: Win32/Spy.Agent.ORM.
Win32/Spy.Agent.ORM - overview
Win32/Spy.Agent.ORM (also known as Win32/Toshliph) is a trojan used by the Carbanak gang as one of its first-stage payloads. A test build of the binary was signed with the Blik certificate; moreover, Spy.Agent.ORM shares some code similarities with "the regular" Carbanak malware.
The Win32/Spy.Agent.ORM malware family is already known in the industry because of two blogposts. In July 2015 security company Cyphort reported the compromise of a news portal and a banking site – rbc.ua and unicredit.ua. It turns out that the compromised sites served Win32/Spy.Agent.ORM. After that, Blue Coat reported a spearphishing attempt targeting Central Bank of Armenia employees, the payload being the same.
This malware appeared on our radar at the beginning of summer 2015, and we have tracked it since.
We have seen attempts to attack various companies in Russia and Ukraine using spearphishing e-mails that have malicious attachments consisting of .SCR files or .RTF exploits.
Here is an example of a spearphishing email sent to one of the biggest Forex-trading companies:
Roughly translated from Russian to English, it says:
"Due to the high volatility of the ruble exchange rate the Bank of Russia sends rules of trading on the currency market. Password the attached document: cbr"
Here is another example of a spearphishing attempt. An email with this text was sent to the largest electronic payment service in Russia. Translated from Russian, it reads:
"By decree of Roskomnadzor dated 04.08.2015 you are required to block materials that fall under Federal Law No. 152-FZ of 27.07.2006 (as amended on 21.07.2014) 'On Personal Data'. The list of materials is in the document."
The email also gives the password for the attachment: roscomnadzor.
We have seen similar .SCR files with following filenames:
- АО «АЛЬФА-БАНК» ДОГОВОР.scr (Alfabank contract)
- Перечень материалов для блокировки от 04.08.2015г.scr (List of materials to block, dated 04.08.2015)
- Postanovlene_ob_ustranenii_18.08.2015.pdf %LOTS_OF_SPACES% ..scr
- Правила Банка России от 06.08.2015.pdf %LOTS_OF_SPACES% .scr (Rules of Bank of Russia)
All of these attachments were password-protected archives containing an .SCR file. The .SCR files carried an Adobe Acrobat Reader or MS Word icon, and in the last two names the long run of spaces (%LOTS_OF_SPACES%) pushes the real .scr extension out of view, so that only the decoy .pdf extension is visible in most file listings.
In other cases the attackers used RTF files with various exploits, including one for what was then one of the most recent Microsoft Office vulnerabilities, CVE-2015-1770, patched by Microsoft in June 2015 in MS15-059.
We have seen RTF files with the following names used in attacks:
- REMITTANCE ADVICE ON REJECTION.doc
- PROOF OF REMITTANCE ADVICE .doc
- Բանկերի և բանկային գործունեության մասին ՀՀ օրենք 27.07.2015.doc (Armenian: The Law on Banks and Banking 27.07.2015)
- PAYMENT DETAILS.doc
- АО «АЛЬФА-БАНК» ДОГОВОР.doc (Russian: Alpha-bank contract)
- AML REPORTS_20082015_APPLICATION FORM-USD-MR VYDIAR.doc
- Anti-Money Laudering & Suspicious cases.doc
- AML USD & Suspicious cases.doc
- Amendment inquiry ( reference TF1518869100.doc
- Information 2.doc
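The two attachment tricks described above, an .SCR executable behind a document icon with its real extension pushed out of view by a run of spaces and delivered inside a password-protected archive, and RTF exploit files carrying a .doc name, can be caught cheaply at the mail gateway. The following Python is an added example written for this page; it is not ESET's tooling and has nothing to do with the Carbanak samples themselves. The file names are taken from the lists above with %LOTS_OF_SPACES% expanded to a literal run of spaces; the archive and RTF bytes are constructed fixtures, and the padding-character set and extension lists are assumptions.

```python
import io
import re
import zipfile

# Extensions Windows runs on double-click; .scr (screensaver) is just a renamed PE, as used here.
EXEC_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd", "vbs", "js", "jse", "wsf", "hta"}
# Document extensions that serve as the visible decoy in front of the padding.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt"}
# Characters that render as blank space and push the real extension out of view (assumed set).
PAD_CHARS = " \t\u00a0\u2002\u2003\u2009\u3000"

# "<name>.pdf<padding>..scr": decoy extension, padding run, one or more dots, real extension.
_DECOY_RE = re.compile(
    r"\.(" + "|".join(DECOY_EXTS) + r")([" + PAD_CHARS + r"]+)\.+([A-Za-z0-9]+)$",
    re.IGNORECASE,
)


def _extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze_name(name):
    """Reasons a file name looks like an executable dressed up as a document (empty list = none)."""
    reasons = []
    ext = _extension(name)
    if ext in EXEC_EXTS:
        reasons.append("executable extension ." + ext)
    m = _DECOY_RE.search(name)
    if m:
        reasons.append("decoy .%s extension hidden by %d padding characters"
                       % (m.group(1).lower(), len(m.group(2))))
    return reasons


def analyze_content(name, data):
    """Cheap content checks: magic bytes that contradict the extension, and what an archive holds."""
    reasons = []
    ext = _extension(name)
    if data[:2] == b"MZ":
        reasons.append("PE executable content")
    elif data[:5] == b"{\\rtf" and ext != "rtf":
        # Word opens RTF whatever the extension, so an RTF exploit can hide behind a .doc name.
        reasons.append("RTF content in a .%s file" % ext)
    elif data[:4] == b"PK\x03\x04":
        # Member names and the encryption flag are readable without knowing the password.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                encrypted = bool(info.flag_bits & 0x1)
                hits = analyze_name(info.filename)
                if hits:
                    reasons.append("%sarchive member %s: %s"
                                   % ("encrypted " if encrypted else "", info.filename, "; ".join(hits)))
    return reasons


def triage(name, data=b""):
    """Combine name and content checks for one attachment."""
    return analyze_name(name) + analyze_content(name, data)


# --- constructed fixtures (not real samples) ---------------------------------------------
# Names from the lists above, with %LOTS_OF_SPACES% expanded to a literal run of spaces.
SAMPLE_NAMES = [
    "АО «АЛЬФА-БАНК» ДОГОВОР.scr",
    "Postanovlene_ob_ustranenii_18.08.2015.pdf" + " " * 120 + "..scr",
    "Правила Банка России от 06.08.2015.pdf" + " " * 120 + ".scr",
    "PAYMENT DETAILS.doc",      # nothing suspicious in the name; only the content check can catch it
    "quarterly_report.pdf",     # benign control
]
FAKE_RTF_DOC = b"{\\rtf1\\ansi constructed placeholder, not an exploit }"


def build_fake_archive():
    """Zip holding a fake .scr, with the encryption flag bit forced on to mimic a password-protected archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(SAMPLE_NAMES[0], b"MZ" + b"\x00" * 62)   # PE stub header only, nothing runnable
    raw = bytearray(buf.getvalue())
    # General-purpose flag: offset 6 in the local header, 8 in the central directory entry.
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = raw.find(sig)
        while i != -1:
            raw[i + off] |= 0x01
            i = raw.find(sig, i + 4)
    return bytes(raw)


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n[:45]), "->", analyze_name(n))
    print("PAYMENT DETAILS.doc (content) ->", triage("PAYMENT DETAILS.doc", FAKE_RTF_DOC))
    print("mail.zip ->", triage("mail.zip", build_fake_archive()))
```

Note that "PAYMENT DETAILS.doc" passes the name check entirely; the RTF-in-.doc exploit documents are only caught by looking at the bytes, which is why a gateway rule on names alone is not enough.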
Here is example of a spearphishing message that was sent to a bank in the United Arab Emirates:
Here is example of a spearphishing email that was sent to a German bank:
Win32/Spy.Agent.ORM - Technical details
Win32/Spy.Agent.ORM is a small and simple backdoor that enables the attackers to assess the victim. When executed, the trojan connects to a C&C server and receives commands to grab screenshots, enumerate running processes and collect information about the system and the campaign ID. Based on that information the malware operator decides whether the infected computer is useful, that is, whether it is the intended target or just a system that was infected by accident.
Here is the list of commands it can receive from the C&C server:
| Command | Description |
|---|---|
| 0x02 | Collects information about the computer: computer name, user name, Windows version, architecture (32/64-bit) and campaign ID |
| 0x03 | Collects the list of running processes |
| 0x04 | Downloads a binary to %TEMP% and executes it |
| 0x08 | Loads a binary in memory without dropping it to disk |
The latest sample of this malware family found in the wild is also digitally signed, but with a different certificate:
The certificate details:
Company name: In travel TOV
Validity: from 21 July 2015 to 21 July 2016
Serial number: 00dfd915e32c5f3181a0cdf0aff50f8052
Subject: CN = In travel TOV
O = In travel TOV
STREET = prospekt Pravdi 33
L = Kiev
S = Kievskaja
PostalCode = 04108
C = UA
Also, the latest sample is able to gain SYSTEM privileges via an exploit and install itself as a system service. The trojan attempts to exploit CVE-2015-2426, a vulnerability in the OpenType font driver (ATMFD.dll) that Microsoft patched in MS15-078. The exploit for this vulnerability was leaked in the Hacking Team dump.
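Two of the behaviours described above leave traces that endpoint telemetry can catch without any sample-specific signature: command 0x04 downloads a binary to %TEMP% and executes it, and the latest sample installs itself as a system service after escalating privileges. The following Python is an added example for this page, not ESET's detection logic; it runs over constructed key=value log lines (not real Sysmon or Windows event output, and the host names, paths and service names are invented) and correlates the two events on the same host.

```python
import re
from collections import defaultdict

# Constructed log lines in a simple key=value form; not real Sysmon or Windows event output.
SAMPLE_LINES = r"""
2015-08-28T10:02:11Z host=WS-FIN07 event=ProcessCreate image="C:\Windows\explorer.exe" parent="C:\Windows\System32\userinit.exe"
2015-08-28T10:02:19Z host=WS-FIN07 event=ProcessCreate image="C:\Users\alice\AppData\Local\Temp\upd.exe" parent="C:\Users\alice\AppData\Roaming\svc.exe"
2015-08-28T10:05:40Z host=WS-FIN07 event=ServiceInstall name="WinUpdSvc" image="C:\Users\alice\AppData\Local\Temp\upd.exe" account="LocalSystem"
2015-08-28T10:07:02Z host=WS-FIN09 event=ServiceInstall name="VMTools" image="C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" account="LocalSystem"
2015-08-28T10:09:33Z host=WS-FIN09 event=ProcessCreate image="C:\Users\bob\AppData\Local\Temp\7zS1234\setup.exe" parent="C:\Users\bob\Downloads\7z1507.exe"
""".strip().splitlines()

# Directories an unprivileged user can write to; a service image under one of these is a red flag.
USER_WRITABLE_MARKERS = (
    r"\appdata\local\temp\\".rstrip("\\") + "\\",
    r"\appdata\roaming\\".rstrip("\\") + "\\",
    r"\users\public\\".rstrip("\\") + "\\",
    r"\programdata\\".rstrip("\\") + "\\",
    r"c:\windows\temp\\".rstrip("\\") + "\\",
)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split one log line into a dict of fields; quoted values keep their inner spaces."""
    ts, rest = line.split(" ", 1)
    fields = {k: (v[1:-1] if v.startswith('"') else v) for k, v in _FIELD_RE.findall(rest)}
    fields["ts"] = ts
    return fields


def user_writable(path):
    """True if the path lies under a directory a normal user can write to."""
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def detect(lines):
    """Return (severity, host, message) alerts; a service whose image was first run from a
    user-writable directory on the same host is rated high, matching the 0x04-then-service pattern."""
    alerts = []
    suspicious_execs = defaultdict(set)   # host -> lowercased images started from user-writable dirs
    for ev in map(parse, lines):
        img = ev.get("image", "")
        if ev["event"] == "ProcessCreate" and user_writable(img):
            suspicious_execs[ev["host"]].add(img.lower())
            alerts.append(("low", ev["host"], "process started from user-writable path: " + img))
        elif ev["event"] == "ServiceInstall" and user_writable(img):
            sev = "high" if img.lower() in suspicious_execs[ev["host"]] else "medium"
            alerts.append((sev, ev["host"],
                           "service %s installed with image in user-writable path: %s" % (ev["name"], img)))
    return alerts


if __name__ == "__main__":
    for sev, host, msg in detect(SAMPLE_LINES):
        print(sev.upper(), host, msg)
```

Execution from %TEMP% on its own is noisy (the 7-Zip installer on WS-FIN09 triggers it legitimately), which is why it is rated low; the service installation pointing at the same user-writable binary is what turns the WS-FIN07 sequence into a high-severity alert worth an analyst's time.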
The digital certificate for Blik used in this case is not the only link between Win32/Spy.Agent.ORM and Win32/Spy.Sekur (Carbanak malware). They share similarities in code – take a look at the function that generates the BOTID-value, for example:
The BOTID value is a unique identifier derived from hardware parameters of the infected computer, and the attackers use it to tell infected machines apart. In both families it is generated from the MAC address and the computer name, and the resulting value is formatted using the wsprintf function.
Our sinkholing of some of the C&C domains used by Win32/Wemosis has produced hits from bots in the following countries.
As the attacks are highly targeted, the total number of victims is low in absolute numbers. Victims in the USA are situated in several states, including Nevada (Las Vegas), California, and New York, and include casinos and hotels.
Even after it has reportedly stolen hundreds of millions of dollars, the infamous Carbanak APT group isn’t resting on its laurels. On the contrary, it is very active and keeps attacking specific targets related to the finance industry, including banks, Forex-trading companies, and even an American casino hotel. Recently, we have detected malware used by the Carbanak group in the following countries, among others:
- United States of America
- United Arab Emirates
As described in this blog post, the gang does not use just one malware family to carry out its operations but several. While the code of the different families, Carbanak (Win32/Spy.Sekur), Win32/Spy.Agent.ORM and Win32/Wemosis, differs, they share traits, including the BOTID generation routine and the same digital certificate.
Furthermore, the attackers are updating their arsenal with the latest exploits, such as the Microsoft Office remote code execution vulnerability, CVE-2015-1770, or the zero-day exploit leaked in the Hacking Team dumps, CVE-2015-2426.
We continue to monitor the Carbanak threats. For any enquiries or sample submissions related to the subject, contact us at: firstname.lastname@example.org.
Indicators of Compromise (IoC)
Trojan.Win32/Spy.Sekur (Carbanak malware) SHA-1:
Trojan.Win32/Spy.Sekur C2 servers:
Trojan.Win32/Spy.Agent.ORM - C2 Servers:
Tiny meterpreter SHA-1:
Win32/Wemosis (PoS RAM Scraper) SHA-1:
Win32/Wemosis - C2 server: