Published on September 5, 2017
By Oleg Kolesnikov, Securonix Threat Research Team
In August 2017, we learned of new attacks by a persistent malicious cyber threat actor known by the name of Carbanak aka FIN7 . The most recent attack variants have been targeting mainly chain restaurants, hospitality, and casino industry in the US for financial information/POS/credit card data.
Securonix Threat Research Team has been actively investigating and closely monitoring attacks associated with this high-profile continuously evolving malicious cyber threat actor to help our customers prevent, detect, and mitigate/respond to the attack.
Based on the practical security analysis of this attack we performed in our lab, here is a summary of what we currently know and our recommendations on some possible mitigations and Securonix predictive indicators/security analytics that can be used to detect the current and potential future attack variants by this malicious cyber threat actor.
Figure 1: Carbanak/FIN7 Attack - Initial Infiltration - Malicious Word File
Here is a summary of some of the key technical details about this high-profile attack.
- Capabilities: The attacks by this malicious cyber threat actor leverage a number of different attack variants/payloads/tools e.g. DNS tunneling/staging/C2, ggldr scripts receiving commands from Google Sheets, Google Apps Script, and Google Forms, commodity backdoors--bateleur JS dropped from macros etc. .
Some of the capabilities leveraged by this malicious cyber threat actor include custom command and powershell/stager execution, POS monitoring, keylogging, HTTP form grabbing, file transfers, proxying, VMM/sandbox detection, desktop video capture etc. This malicious cyber threat actor has been active for more than a year and has been constantly evolving its capabilities over time;
- Observed Artifact Hash Values: There is a large number of attack/artifact variants associated with Carbanak/FIN7 malicious cyber threat actor attacks and new variants appear regularly. Some of the recent artifact values include:
and a number of others.
Figure 2: Carbanak/FIN7 Attack - Execution
Behaviors – Carbanak/FIN7 Host Activity
Some of the commands ran by this malicious cyber threat actor on the target include:
The commands can be used in the Securonix Rule-based policies leveraging EDR log sources/data sources (see below).
Detection - Sample Spotter Search Queries
Please find below sample Spotter search queries to assist with detection of the existing infections:
- Network Traffic (Proxy/Firewall outbound)
(rg_category = "Proxy" OR rg_category = "Firewall" or rg_category = “DNS” ) AND (ipaddress = 188.8.131.52 or ipaddress = 184.108.40.206 or ipaddress=220.127.116.11 or ipaddress=18.104.22.168 or ipaddress=22.214.171.124 or ipaddress=126.96.36.199 or ipaddress=188.8.131.52 or ipaddress=184.108.40.206 or ipaddress=220.127.116.11 or ipaddress=18.104.22.168 or ipaddress=22.214.171.124 or ipaddress=126.96.36.199 or ipaddress=188.8.131.52 or ipaddress=184.108.40.206 or ipaddress=220.127.116.11 or ipaddress=18.104.22.168 or ipaddress=22.214.171.124 or ipaddress=126.96.36.199 or ipaddress=188.8.131.52 or ipaddress=184.108.40.206 or ipaddress=220.127.116.11 or ipaddress=18.104.22.168 or ipaddress=22.214.171.124 or ipaddress=126.96.36.199 or ipaddress=188.8.131.52 or ipaddress=184.108.40.206 or ipaddress=220.127.116.11 or ipaddress=18.104.22.168 or ipaddress=22.214.171.124 or ipaddress = 126.96.36.199 or ipaddress=188.8.131.52 or ipaddress=184.108.40.206 or ipaddress=220.127.116.11 or ipaddress=18.104.22.168 or ipaddress=22.214.171.124 or ipaddress=126.96.36.199)
#2 - (rg_category = "Proxy" OR rg_category = "Firewall" or rg_category = “DNS” ) AND (destinationhostname contains “true-deals.com” or destinationhostname contains “strikes-withlucky.com” or destinationhostname contains “rescsovwe.com” or destinationhostname contains “proslr3.com”)
#3 - rg_category = “DNS” and destinationhostname contains “aaa.stage.”
Detection – Securonix Behavior Analytics/Security Analytics
Here is a high-level summary of some of the relevant Securonix predictive indicators to increase the chances of early detection of this and potentially other future variants of attacks carried out by this malicious cyber threat actor on your network:
Figure 3: Carbanak/FIN7 Attack Process Activity
#1 - Suspicious Process/Service Activity Anomalies
- Suspicious Process Activity Rare Process/MD5 For User/Host Anomaly
- This should help detect unusual Winword, wscript, and sdbinst activity mentioned above (see Figure 3);
- Suspicious Process Activity Unusual Parent-Child Relationship For User/Host Anomaly
Figure 4: Carbanak/FIN7 More Attack Staging/Process Activity
- Suspicious Process Activity Command Line Arguments Anomaly
- Suspicious Registry Activity Autorun Changes Anomaly
- Suspicious Registry Activity Shim Database Changes Anomaly
- Note that this may require adding entries to the sysmon configuration to ensure the following registry keys are monitored:
- “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom”
- “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB”
Figure 5: Carbanak/FIN7 Attack JS Stager
- Suspicious Process Activity Dynamic Script File Create Anomaly
- Suspicious Process Activity Unusual Network Connection Anomaly
- Suspicious Process Activity Unusual Scheduled Task Anomaly
#2 – Suspicious Network Activity Anomalies
- Suspicious Network Activity DNS IN TXT Query Volume Anomaly (Peak);
- Suspicious Network Activity DNS IN A Query Volume Anomaly (Peak);
- Suspicious Network Activity DNS Query Content Beacon Anomaly (Targeted);
- Unusual contents of dns.qry.name & dns.a (Targeted);
- Suspicious Proxy Activity Non-SSL/TLS App On SSL/TLS Port Discrepancy Anomaly
Figure 6: Carbanak/FIN7 Attack Scheduled Task Execution
If you have any further questions regarding this high-profile threat and how Securonix can be leveraged to detect the behaviors associated with the threat, please contact the Securonix Threat Research Team at [email protected].
References James T. Bennett, Barry Vengerik. Behind the CARBANAK Backdoor. FireEye Threat Research Blog. 12 June 2017.  Matthew McWhirt, Jon Erickson, DJ Palombo . To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence. FireEye Threat Research Blog. 3 May 2017.  Matthew Mesa, Darien Huss. FIN7/Carbanak threat actor unleashes Bateleur JScript backdoor. Proofpoint Threat Research Blog. 31 July 2017.