Posted on August 5, 2017 at 5:57 PM
A backdoor malware attributed to Carbanak, also known as FIN7, was found by Proofpoint researchers, who discovered that it was attacking U.S. restaurant chains and stealing screenshots and passwords.
The malware spreads by phishing emails, sent from an outlook.com account, that claim to have information on a check that has been previously discussed. The email carries an attachment in the form of a document that claims to be encrypted by Outlook Protect Service or by Google Documents Protect Service, as stated in a blog post from 31 July.
The attached document is actually a macro-laden Word document that extracts a malicious JScript dropper. The malware saves the malicious content as a .txt file and creates a scheduled task that executes that file.
The report states that the JScript has anti-analysis and anti-sandbox functionality, retrieval of infected system information, execution of custom commands and PowerShell scripts, listing of running processes, loading of EXEs and DLLs, uninstalling and updating itself, taking screenshots, and possibly the ability to exfiltrate passwords.
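As an added defender-side example (not code from the Proofpoint report or this article), the constructed Sysmon-style process-creation records below are scanned for the persistence step described above: a schtasks /create whose action runs a script host against a .txt file. The wscript.exe //E:JScript form, the Office parent process and every sample path are assumptions, not details taken from the page.

```python
import re

SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")

# Constructed, Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "OfficeUpd" /tr "wscript.exe //E:JScript '
                r'C:\Users\bob\AppData\Roaming\check.txt" /sc minute /mo 10'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn "Backup" /tr "C:\Tools\backup.exe" /sc daily'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /query /tn "Backup"'},
]

# /tr value is either a quoted string or a single bare token.
TR_RE = re.compile(r'/tr\s+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def task_action(cmdline):
    """Return the /tr action of a 'schtasks /create' command line, or None."""
    if not re.search(r"/create\b", cmdline, re.IGNORECASE):
        return None
    m = TR_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def score_event(ev):
    """Collect the reasons a schtasks event looks like the described chain."""
    reasons = []
    if not ev["image"].lower().endswith("schtasks.exe"):
        return reasons
    action = task_action(ev["cmdline"])
    if action is None:
        return reasons
    a = action.lower()
    uses_host = any(h in a for h in SCRIPT_HOSTS)
    if uses_host and ".txt" in a:
        reasons.append("script host launched against a .txt file")
    if uses_host and "//e:" in a:  # assumed engine override, e.g. //E:JScript
        reasons.append("script engine forced via //E: switch")
    if ev["parent"].lower().endswith(OFFICE_PARENTS):
        reasons.append("schtasks spawned by an Office process")
    return reasons


def scan(events):
    """Return (command line, reasons) for every event with at least one hit."""
    return [(ev["cmdline"], r) for ev in events for r in [score_event(ev)] if r]
```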
What’s tricky about Carbanak is the fact that the malware manages to change its tactics and tools in order to be able to infect more targets and avoid being detected, researchers say.
The Bateleur JScript backdoor gives the attackers new ways of infection by hiding their activity and also strengthening their ability to steal information and execute commands directly on their victims' machines.
The malware, dubbed Bateleur, isn't the most technically advanced of its kind, but its small size and robustness make it a handy tool that is capable of flying under the radar. That means that initially it might go unnoticed by signature-based anti-malware solutions.
Cylance Senior Threat Researcher Marta Janus told us that while Bateleur may not seem like the most technically advanced malware, its small size and robustness make it a handy tool that can “fly under the radar”, and might initially go unnoticed by signature-based antimalware solutions.
Janus also said that this could be a mirror effect of the new malicious software development, because the first-stage backdoor, the one responsible for the C&C communication, is lightweight and small in contrast to most of the other functionalities for data stealing, which are implemented as separate second-stage modules.
With this, the attackers only have to maintain a small piece of code running on the machine, serving as a loader of additional in-memory payloads, which could be pushed and removed by the attackers at will.
Janus continued by saying that even though the backdoor grants restricted functionality, it can be used to upload and execute additional modules and run shell commands on the victim's machine.
In Janus’ opinion, Carbanak is currently one of the most sophisticated cybercrime groups because it merges complex techniques with the effectiveness of wide-spread malware.