{ "Event": { "analysis": "2", "date": "2016-11-16", "extends_uuid": "", "info": "OSINT - New Carbanak / Anunak Attack Methodology", "publish_timestamp": "1479287507", "published": true, "threat_level_id": "2", "timestamp": "1479287478", "uuid": "582c134f-c358-455c-935e-4598950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#6edb00", "name": "circl:topic=\"finance\"" }, { "colour": "#00afd6", "name": "veris:action:social:target=\"Finance\"" }, { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#12e400", "name": "misp-galaxy:threat-actor=\"Anunak\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479284009", "to_ids": false, "type": "link", "uuid": "582c1529-6e5c-4306-b983-4713950d210f", "value": "https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Carbanak-/-Anunak-Attack-Methodology/" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1479284026", "to_ids": false, "type": "comment", "uuid": "582c153a-eff4-460a-a3da-4d39950d210f", "value": "In the last month Trustwave was engaged by two separate hospitality clients, and one restaurant chain for investigations by an unknown attacker or attackers. The modus operandi for all three investigations were very similar and appear to be a new Carbanak gang attack methodology, focused on the hospitality industry. Carbanak is a prolific crime group, well known for stealing over one billion dollars from banks in 2015 (*Kaspersky estimated loss) and more recently orchestrating an attack on the Oracle Micros POS support site that put over one million Point of Sale systems at risk. The current investigations are still underway but the known indicators of compromise in these new attacks will be presented below. At the time of investigation this malware was not correctly detected by any existing antivirus engines, and domains / IP's were not found in any commercial threat intelligence feeds.\r\n\r\nIt is also interesting to note that just during the time that it took to write this blog, Carbanak returned to their victims with significantly upgraded malware. This demonstrates the speed and versatility of this threat group. We have included analysis for two separate versions of AdobeUpdateManagementTool.vbs in this report. (The malware used following the initial infection) Version two arrived only two weeks after we began investigating this new campaign." }, { "category": "Payload delivery", "comment": "adobeupdatemanagementtool.vbs version 1", "deleted": false, "disable_correlation": false, "timestamp": "1479284067", "to_ids": true, "type": "sha1", "uuid": "582c1563-9db8-4af1-a2ec-40a9950d210f", "value": "8d7c90a699b4055e9c7db4571588c765c1cf2358" }, { "category": "Payload delivery", "comment": "adobeupdatemanagementtool.vbs version 2", "deleted": false, "disable_correlation": false, "timestamp": "1479284067", "to_ids": true, "type": "sha1", "uuid": "582c1563-f06c-4244-8e19-4ab8950d210f", "value": "a91416185d2565ce991fc2c0dd9591c71fd1f627" }, { "category": "Network activity", "comment": "The malware contacts the following and may attempt to download doc", "deleted": false, "disable_correlation": false, "timestamp": "1479284109", "to_ids": true, "type": "url", "uuid": "582c158d-bcc0-4c2d-b25b-4769950d210f", "value": "http://revital-travel.com/cssSiteteTemplates" }, { "category": "Network activity", "comment": "The malware contacts the following and may attempt to download doc", "deleted": false, "disable_correlation": false, "timestamp": "1479284109", "to_ids": true, "type": "url", "uuid": "582c158d-6ae0-42c3-9011-45e6950d210f", "value": "http://juste-travel.com/cssSiteteTemplates" }, { "category": "Network activity", "comment": "The malware contacts the following and may attempt to download doc", "deleted": false, "disable_correlation": false, "timestamp": "1479284110", "to_ids": true, "type": "url", "uuid": "582c158e-88e8-4c6f-a769-4c69950d210f", "value": "http://park-travels.com" }, { "category": "Network activity", "comment": "malware contacts the following and may attempt to download doc", "deleted": false, "disable_correlation": false, "timestamp": "1479284132", "to_ids": true, "type": "ip-dst", "uuid": "582c15a4-c3e0-47d9-8f43-40a6950d210f", "value": "192.99.14.211" }, { "category": "Network activity", "comment": "The malware may report to the following command and Control Servers, depending on the version used in the attack", "deleted": false, "disable_correlation": false, "timestamp": "1479284176", "to_ids": true, "type": "ip-dst", "uuid": "582c15d0-28c8-486c-baaa-49dd950d210f", "value": "148.251.18.75" }, { "category": "Network activity", "comment": "The malware may report to the following command and Control Servers, depending on the version used in the attack", "deleted": false, "disable_correlation": false, "timestamp": "1479284176", "to_ids": true, "type": "ip-dst", "uuid": "582c15d0-e134-4463-8db6-4f1e950d210f", "value": "95.215.46.221" }, { "category": "Network activity", "comment": "The malware may report to the following command and Control Servers, depending on the version used in the attack", "deleted": false, "disable_correlation": false, "timestamp": "1479284177", "to_ids": true, "type": "ip-dst", "uuid": "582c15d1-a4ec-4994-9a07-4acc950d210f", "value": "95.215.46.229" }, { "category": "Network activity", "comment": "The malware may report to the following command and Control Servers, depending on the version used in the attack", "deleted": false, "disable_correlation": false, "timestamp": "1479284177", "to_ids": true, "type": "ip-dst", "uuid": "582c15d1-5f90-45a9-a73e-41b1950d210f", "value": "95.215.46.234" }, { "category": "Network activity", "comment": "The malware may report to the following command and Control Servers, depending on the version used in the attack", "deleted": false, "disable_correlation": false, "timestamp": "1479284178", "to_ids": true, "type": "ip-dst", "uuid": "582c15d2-081c-4dbc-bda4-44aa950d210f", "value": "81.17.28.124" }, { "category": "Network activity", "comment": "The malware contacts the following and may attempt to download doc", "deleted": false, "disable_correlation": false, "timestamp": "1479284234", "to_ids": true, "type": "ip-dst", "uuid": "582c160a-3bcc-4fc8-bf8a-458e950d210f", "value": "95.215.46.249" }, { "category": "Network activity", "comment": "The malware contacts the following and may attempt to download doc", "deleted": false, "disable_correlation": false, "timestamp": "1479284234", "to_ids": true, "type": "ip-dst", "uuid": "582c160a-5114-4d1a-a92b-47e1950d210f", "value": "179.43.133.34" }, { "category": "Payload delivery", "comment": "el32.exe", "deleted": false, "disable_correlation": false, "timestamp": "1479284291", "to_ids": true, "type": "sha1", "uuid": "582c1643-a4e8-4892-afe1-42ae950d210f", "value": "83d0964f06e5f53d882f759e4933a6511730e07b" }, { "category": "Payload delivery", "comment": "el64.exe", "deleted": false, "disable_correlation": false, "timestamp": "1479284292", "to_ids": true, "type": "sha1", "uuid": "582c1644-01f8-44d2-a18d-42a6950d210f", "value": "cf5b30e6ada0d6ee7449d6bde9986a35df6f2986" }, { "category": "Payload delivery", "comment": "bf.exe - Second Stage \u00e2\u20ac\u201c Carbanak / Anunak Malware", "deleted": false, "disable_correlation": false, "timestamp": "1479284333", "to_ids": true, "type": "sha1", "uuid": "582c166d-7980-406f-b221-49e5950d210f", "value": "3d00602c98776e2ea5d64a78fc622c4ff08708e3" }, { "category": "Network activity", "comment": "This malware provides the attacker remote command and control of the victim system via a multifunctional backdoor capability. It communicates via an encrypted tunnel on port 443 with the following IP addresses", "deleted": false, "disable_correlation": false, "timestamp": "1479284362", "to_ids": true, "type": "ip-dst", "uuid": "582c168a-f448-4d62-9e2c-4a31950d210f", "value": "5.45.179.173" }, { "category": "Network activity", "comment": "This malware provides the attacker remote command and control of the victim system via a multifunctional backdoor capability. It communicates via an encrypted tunnel on port 443 with the following IP addresses", "deleted": false, "disable_correlation": false, "timestamp": "1479284362", "to_ids": true, "type": "ip-dst", "uuid": "582c168a-4264-473f-be7b-4bc7950d210f", "value": "92.215.45.94" }, { "category": "Payload delivery", "comment": "el64.exe - Xchecked via VT: cf5b30e6ada0d6ee7449d6bde9986a35df6f2986", "deleted": false, "disable_correlation": false, "timestamp": "1479287478", "to_ids": true, "type": "sha256", "uuid": "582c22b6-69e8-42b7-a9f9-478302de0b81", "value": "6224efee6665118fe4b5bfbc0c4b1dbe611a43a4b385f61ae33b0a0af230da4e" }, { "category": "Payload delivery", "comment": "el64.exe - Xchecked via VT: cf5b30e6ada0d6ee7449d6bde9986a35df6f2986", "deleted": false, "disable_correlation": false, "timestamp": "1479287479", "to_ids": true, "type": "md5", "uuid": "582c22b7-3270-4537-bbcb-4a4902de0b81", "value": "13a5fab598763ae4141955f2903d66f9" }, { "category": "External analysis", "comment": "el64.exe - Xchecked via VT: cf5b30e6ada0d6ee7449d6bde9986a35df6f2986", "deleted": false, "disable_correlation": false, "timestamp": "1479287479", "to_ids": false, "type": "link", "uuid": "582c22b7-cd5c-4dbb-a339-426f02de0b81", "value": "https://www.virustotal.com/file/6224efee6665118fe4b5bfbc0c4b1dbe611a43a4b385f61ae33b0a0af230da4e/analysis/1476970935/" }, { "category": "Payload delivery", "comment": "el32.exe - Xchecked via VT: 83d0964f06e5f53d882f759e4933a6511730e07b", "deleted": false, "disable_correlation": false, "timestamp": "1479287480", "to_ids": true, "type": "sha256", "uuid": "582c22b8-b78c-4669-95fb-42eb02de0b81", "value": "91ff7b9c4cdcaa61b01f0783dacdbbed3f848fb01013c635bc9d87a85183ebc0" }, { "category": "Payload delivery", "comment": "el32.exe - Xchecked via VT: 83d0964f06e5f53d882f759e4933a6511730e07b", "deleted": false, "disable_correlation": false, "timestamp": "1479287480", "to_ids": true, "type": "md5", "uuid": "582c22b8-d530-4bca-a546-4ef102de0b81", "value": "36f36696b948b550ad4afe4b0bc53fbd" }, { "category": "External analysis", "comment": "el32.exe - Xchecked via VT: 83d0964f06e5f53d882f759e4933a6511730e07b", "deleted": false, "disable_correlation": false, "timestamp": "1479287481", "to_ids": false, "type": "link", "uuid": "582c22b9-eec8-4e95-b73a-49dd02de0b81", "value": "https://www.virustotal.com/file/91ff7b9c4cdcaa61b01f0783dacdbbed3f848fb01013c635bc9d87a85183ebc0/analysis/1477538068/" }, { "category": "Payload delivery", "comment": "adobeupdatemanagementtool.vbs version 1 - Xchecked via VT: 8d7c90a699b4055e9c7db4571588c765c1cf2358", "deleted": false, "disable_correlation": false, "timestamp": "1479287481", "to_ids": true, "type": "sha256", "uuid": "582c22b9-3a70-475c-923d-473302de0b81", "value": "90ac49c60b5e0f76e87bd6f0062ea64b875bb571e226133bb681392b2151fb24" }, { "category": "Payload delivery", "comment": "adobeupdatemanagementtool.vbs version 1 - Xchecked via VT: 8d7c90a699b4055e9c7db4571588c765c1cf2358", "deleted": false, "disable_correlation": false, "timestamp": "1479287482", "to_ids": true, "type": "md5", "uuid": "582c22ba-b2b8-42cc-bfc1-4e9102de0b81", "value": "7a5fa7a9e9319e0871d2098a02f0bcfa" }, { "category": "External analysis", "comment": "adobeupdatemanagementtool.vbs version 1 - Xchecked via VT: 8d7c90a699b4055e9c7db4571588c765c1cf2358", "deleted": false, "disable_correlation": false, "timestamp": "1479287482", "to_ids": false, "type": "link", "uuid": "582c22ba-d550-49c3-8674-4c7002de0b81", "value": "https://www.virustotal.com/file/90ac49c60b5e0f76e87bd6f0062ea64b875bb571e226133bb681392b2151fb24/analysis/1479214205/" } ] } }