The Carbanak gang, one of the more successful and prolific cybercrime groups at work today, is using a new tactic to get its malware onto target networks: calls to customer service representatives at hotels that convince victims to open malicious attachments.
The technique is a simple one but has proven to be quite effective. Rather than spamming out huge volumes of email with rigged attachments, the attackers are calling selected hotels and telling the customer service reps that they’re having trouble using the online reservation system. They then ask if they can email over a document with their travel details. The attacker will stay on the phone with the victim until he opens the attachment, which is a Word document loaded with a malicious VBS script, according to researchers at Trustwave, who have investigated several incidents involving this technique recently.
This attack represents an interesting mixture of social engineering tactics and traditional spear-phishing methods. Even highly targeted phishing campaigns typically involve several different waves of emails. But this technique allows the attacker to choose his target individually and receive immediate confirmation that the attack succeeded. The malware that’s involved in the attack is powerful and has a long list of capabilities. Once installed, it connects to a remote server and downloads a second stage tool that’s disguised as an Adobe file. It installs a persistence mechanism and might download even more tools.
“The attacker uses social engineering to gain their foothold in the victim network.”
“This malware was capable of stealing significant system and network information. It was also used to download several other reconnaissance tools to map out the network. Downloaded tools have included Nmap, FreeRDP, NCat, NPing, and others. Two files of significance, el32.exe and el64.exe, are privilege escalation exploits for 32 and 64-bit architectures,” the analysis of the attack by Trustwave’s Brian Hussey says.
Carbanak malware has been used in very large scale attacks on banks around the world, with losses climbing over $1 billion. There are a number of different versions of the malware in circulation, and Hussey said that the group using the new phone technique is deploying a few distinct versions. Once the malware is dug into a new system, it will download a second stage and then go about the business of looking for data to steal.
“This malware is very multi-functional as it can enable remote desktop, steal local passwords, search user’s email, target IFOBS banking systems (which Carbanak used so effectively in recent banking attacks), or install completely different remote desktop programs, such as VNC or AMMYY,” Hussey said.
“Finally, this malware, like so many others, is designed to target credit card data by scraping memory on Point-of-Sale systems. This leaves little doubt as to its end goal on victim systems. The attacker uses social engineering to gain their foothold in the victim network, downloads reconnaissance tools to scan the network and move laterally into the cardholder data environment, and then infects systems able to process card transactions.”
The stolen data is encrypted and sent out to C2 servers controlled by the attackers. Hussey said Trustwave has seen this tactic used at two hotels and one restaurant in the last month alone.