Attackers Using New Backdoor

Friday, August 4, 2017 @ 04:08 PM gHale


The Carbanak attack has added a new backdoor to its cache of available utilities, researchers said.

This group, along with its usual attack tools, is now using macros and a backdoor called Bateleur, said researchers at Proofpoint.

RELATED STORIES
Malware at Bargain Price of $7
Backdoor Uses Legit Video App
Companies Held for Ransom: Report
Monitoring Network Could Help Find Attack

The new macros and the backdoor use sophisticated anti-analysis and sandbox evasion techniques, the researchers said in a post.
https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor

The group started using macro documents to drop the previously undocumented JScript backdoor in June. Researchers added they are not sitting on the technology, they keep updating everything.

“The example message uses a very simple lure to target a restaurant chain,” said researchers Matthew Mesa and Darien Huss in their post. “It purports to be information on a previously discussed check. The email is sent from an Outlook.com account, and the attachment document lure also matches that information by claiming “This document is encrypted by Outlook Protect Service”. In other cases, when the message was sent from a Gmail account, the lure document instead claims ‘This document is encrypted by Google Documents Protect Service’”

“The email contains a macro-laden Word document,” Mesa and Huss said. “The macro accesses the malicious payload via a caption: UserForm1.Label1.Caption. The caption contains a “|*|”-delimited obfuscated JScript payload. The macro first extracts the JScript from the caption then saves the content to debug.txt in the current user’s temporary folder (%TMP%).”

Next, they said, the macro executes the following commands, stored in an obfuscated manner by reversing the character order:
1. schtasks /create /f /tn “”GoogleUpdateTaskMachineCorefh5evfbce5bhfd37″” /tr “”wscript.exe //b /e:jscript %TMP%\debug.txt “” /sc ONCE /st “”05:00″” /sd “”12/12/1990″”
2. Sleep for 3 seconds
3. schtasks /Run /I /TN “”GoogleUpdateTaskMachineCorefh5evfbce5bhfd37″”
4. Sleep for 10 seconds
5. schtasks /Delete /F /TN “”GoogleUpdateTaskMachineCorefh5evfbce5bhfd37″”

The malicious Jscript, which is the Bateleur backdoor, has anti-sandbox and anti-analysis functionality.

The malware can also retrieve a PowerShell command containing a payload capable of retrieving user account credentials, meaning it could also potentially target user’s passwords with the help of an additional module, the researchers said.

Proofpoint has observed the malware jump from version 1.0 to 1.0.4.1 over a month and found several commands were added with the update.

Through further research, Proofpoint thinks Bateleur is being used by the FIN7/Carbanak group.

In June, similar messages separately dropped GGLDR and Bateleur to the same target, and the timing and similarity suggest the same group was behind all of them because some messages shared “very similar or identical attachment names, subject lines, and/or sender addresses.”



Leave a Reply

You must be logged in to post a comment.