lolloj - Fotolia

Carbanak shows how attackers hijack legitimate tools

Criminal gang’s abuse of Google services highlights the trend of attackers using legitimate tools to launch and manage attacks

The Carbanak cyber crime group has demonstrated how cyber attackers are turning to legitimate tools to carry out and hide their activities in plain sight.

Researchers have discovered that the group, which is believed to have been operational since 2013 and is linked to the theft of up to $1bn from financial institutions worldwide which was exposed in 2015, is using Google services to issue its command and control (C&C) communication to evade detection.

“The Carbanak actors continue to look for stealth techniques to evade detection,” wrote Nicholas Griffin, a senior security researcher at Forcepoint, in a blog post. “Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation.”

This practice is yet another illustration of how cyber attackers are hijacking legitimate tools. The trend was first identified when researchers found attackers were using Microsoft’s Windows PowerShell configuration management framework to launch attacks.

In March 2016, Security experts warned that PowerShell had been fully weaponised in the previous year, and in April security firm Carbon Black and its partners confirmed PowerShell had been used to launch 38% of the cyber attacks they had seen in 2015.

Attacks using PowerShell are very effective in remaining undetected, with 31% of Carbon Black partners reporting that PowerShell-related incidents had triggered no security alerts, indicating that attackers are successfully using PowerShell to enter and remain undetected in a company’s system.

Forcepoint said it had notified Google about Carbanak’s abuse of its services and was working with Google to share further information with trusted partners.

The Forcepoint researchers uncovered the practice by analysing a “trojanised” document linked to Carbanak that contained an encoded Visual Basic Script (VBScript) that had the ability to use Google services for C&C communication.

According to Griffin, the script is designed to send and receive commands to and from Google Apps Script, Google Sheets and Google Forms services.

“For each infected user, a unique Google Sheets spreadsheet is dynamically created in order to manage each victim,” she wrote. “The use of a legitimate third-party service like this one gives the attacker the ability to hide in plain sight.”

Read more about cyber attack tools

Griffin said these hosted Google services were unlikely to have been blocked by default in an organisation, making it more likely for an attacker to establish a C&C channel successfully.

But she said Forcepoint customers were protected from this threat through the Triton Ace security intelligence tool, which prevented the malware from executing or blocking C&C traffic.

In November 2016, security firm Trustwave described Carbanak as one of the most sophisticated cyber criminal groups and published a report detailing the attack methods used in a campaign directed mainly at the hospital and restaurant industries.

According to the report, the attacks typically start with a social engineering attack to gain initial network foothold, followed by cleverly disguised malware to establish remote control of the victim’s system and download additional tools.

The Carbanak group then conducts reconnaissance to scan the network, expand its foothold and identify high-value targets. Next, payment card information and/or personally identifiable information is captured and exfiltated back to the attacker.

Trustwave said the persistence, professionalism and pervasiveness of the campaign was at a level that researchers had rarely seen.  

“The malware used is very multifaceted and still not caught by most (if any) antivirus engines,” the report said. “The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement is rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient.”

Identify malicious traffic

Balazs Scheidler, CTO and co-founder of security firm Balabit, said Forcepoint’s discovery was important because a lot of anti-malware software used IP address reputation and threat intelligence to identify malicious traffic.

“Because this control technique uses the very same services as legitimate Google services, it would be difficult to include it in a blacklist,” he said.

Scheidler said that because phishing and malware installation was an uphill battle that enterprises were constantly fighting, organisations should concentrate on preventing and containing breaches, especially on detecting when breached internal computers and user accounts were being used to identify and exfiltrate their most important assets.

“We probably don’t store the most sensitive data assets in workstations, so a breach only becomes really interesting once the breached workstation and user credentials are leveraged to go after an enterprise’s most valuable data and secrets, which is where privileged user behaviour analytics comes into play to pinpoint the anomalous behaviours of hijacked accounts,” he said.

Christopher Kruegel, co-founder and CEO of security firm Lastline, said that because the latest Carabanak malware samples were “environmentally aware” with stealthy and evasive behaviours, they required a “stealth sandbox to detect them automatically with an analysis environment that appears to be a victim’s system”.

“Only then will banks and other organisations be protected against these evolving threats,” he said. .......................................................................

Read more on Hackers and cybercrime prevention