MyCERT Alert – Carbanak (aka Anunak) Malware

Introduction

MyCERT has received information about, and is aware of, a malicious program called Carbanak that targets the banking and financial sector. Carbanak is a remote backdoor designed for espionage, data exfiltration and remote control of the infected machine.

Modus Operandi

The attacker deploys the malware via spear phishing emails that lure the user into opening and running a malicious attachment, which infects the machine. The main objective of this campaign is to remotely control the infected machine and from there gain control of the internal systems that process money, such as Automated Teller Machines (ATM) and financial accounts. The malware has the following capabilities:

  • Malicious email attachments exploit vulnerabilities in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158, CVE-2013-3906) and Microsoft Word (CVE-2014-1761)
  • Installs additional remote administration tools (RAT)
  • Controls Automated Teller Machines (ATM)
  • Controls and makes video recordings of the activities of bank employees
  • Manipulates Oracle databases to open payment or debit card accounts
  • Communicates with C2 servers on the following domains:
    • worldnewsonline.pw
    • lizzlondmrs.com
    • file.bouwprofs.com
    • file.stellarquest.us

Detection and Removal

  • Find the malicious file locations
    • Navigate to the folder "C:\Windows\com\".

If you are using a 64-bit Windows OS, navigate to the following folder instead:
"C:\Windows\Syswow64\com\"

Locate the following files:

  • svchost.exe (with the file attributes Hidden, System and Read-only)
  • paexec<anyname>

Delete the files when found.

  • Find the "%COMMON_APPDATA%\Mozilla" folder. Carbanak creates a file there with a random name and a .bin extension.

For example: "ashdks.bin"

Delete the file when found.

  • Find the malicious service registered as an autorun:
    • The service name is a random name selected from the existing service names on the machine, with "Sys" appended at the end, giving "<ServiceName>Sys". For example:

      Original service
        Name         : SQLWriter
        Display Name : SQL Server VSS Writer

      Spoofed service
        Name         : SQLWriterSys
        Display Name : QL Server VSS Writer

NOTE: The spoofed service's Display Name is the original Display Name with its first character deleted. Delete the service when found.
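The file and service checks described above, as an added PowerShell helper that is not part of the MyCERT advisory. It only reports what it finds and deletes nothing; the paths, file names and the "<ServiceName>Sys" pattern are taken from the advisory, while the function name is an assumption.

```powershell
# Added detection helper, not part of the MyCERT advisory. Read-only: it reports
# matches and deletes nothing. Paths, file names and the "<ServiceName>Sys" pattern
# are taken from the advisory; the function name Find-CarbanakArtifacts is assumed.
function Find-CarbanakArtifacts {
    $findings = @()

    # 1. Dropped executables in C:\Windows\com\ (or Syswow64\com\ on 64-bit Windows)
    foreach ($dir in @("$env:SystemRoot\com", "$env:SystemRoot\SysWOW64\com")) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        # -Force includes files carrying the Hidden/System attributes noted for svchost.exe
        Get-ChildItem -LiteralPath $dir -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq 'svchost.exe' -or $_.Name -ilike 'paexec*' } |
            ForEach-Object {
                $findings += [pscustomobject]@{ Type = 'File'; Item = $_.FullName; Detail = "Attributes: $($_.Attributes)" }
            }
    }

    # 2. Random-name .bin file under %COMMON_APPDATA%\Mozilla (e.g. ashdks.bin)
    $mozDir = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Mozilla'
    if (Test-Path -LiteralPath $mozDir) {
        Get-ChildItem -LiteralPath $mozDir -Force -File -Filter '*.bin' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{ Type = 'File'; Item = $_.FullName; Detail = 'Unexpected .bin file in Mozilla common data folder' }
            }
    }

    # 3. Spoofed service: name is "<ServiceName>Sys" and its display name equals the
    #    original service's display name with the first character removed
    $services = Get-Service
    foreach ($svc in $services) {
        if ($svc.Name -notlike '*Sys' -or -not $svc.DisplayName) { continue }
        $origName = $svc.Name.Substring(0, $svc.Name.Length - 3)
        $orig = $services | Where-Object { $_.Name -eq $origName } | Select-Object -First 1
        if ($orig -and $orig.DisplayName.Length -gt 1 -and $orig.DisplayName.Substring(1) -eq $svc.DisplayName) {
            $findings += [pscustomobject]@{ Type = 'Service'; Item = $svc.Name; Detail = "Display name '$($svc.DisplayName)' spoofs '$($orig.DisplayName)'" }
        }
    }
    return $findings
}

Find-CarbanakArtifacts | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so that the hidden files in the Windows folders and the full service list are visible to the checks.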

Preventive Measures

Some of the preventive measures that users can take against Carbanak malware infection are:

  • Always update their computers with the latest patches and security fixes.
  • Install anti-virus software on their computers and keep it up to date with the latest signatures.
  • Do not click unsolicited web links or open unsolicited attachments in email messages.
  • Always keep their browsers updated with the latest patches.
  • Avoid installing counterfeit software, as it may come bundled with malware.
  • Block the C2 domains used by the malware author.

For further enquiries, please contact MyCERT through the following channels:
E-mail : cyber999@cybersecurity.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT>  to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT Web: http://www.mycert.org.my
