The Ziften Continuous Endpoint Monitoring Advantage Carbanak Case Study Part 3 – Charles Leaver

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 3 in a 3 part series


Below are excerpts of Indicators of Compromise (IoCs) from the technical reports on the Anunak/Carbanak APT attacks, with discussion of their discovery by the Ziften continuous endpoint monitoring solution. The Ziften system concentrates on generic indicators of compromise that have remained consistent over years of hacker attacks and cyber security experience. IoCs can be recognized for any operating system, such as Linux, OS X and Windows. Specific indicators of compromise also exist that point to C2 infrastructure or particular attack code instances, but these are not used long term and are not normally reused in fresh attacks. There are billions of these artifacts in the security world, with thousands being added every day. Generic IoCs are built into the Ziften security analytics for the supported operating systems, and the specific IoCs are drawn by the Ziften Knowledge Cloud from subscriptions to a number of industry threat feeds and watch lists that aggregate them. Both kinds have value and help in the triangulation of attack activity.

1. Exposed vulnerabilities

Excerpt: All observed cases used spear phishing emails with Microsoft Word 97–2003 (.doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).

Remark: Although not strictly an IoC, critical exposed vulnerabilities are a major avenue for hacker exploits and a strong warning sign that increases the threat rating (and the SIEM priority) for the endpoint, particularly if other indicators are also present. These vulnerabilities indicate lazy patch management and vulnerability lifecycle management, which leads to a weakened cyber defense posture.

2. Locations That Are Suspect

Excerpt: Command and Control (C2) servers situated in China have been determined in this project.

Comment: Geolocation of endpoint network contacts and scoring by location both add to the risk score that drives up the SIEM priority. There are valid reasons for contact with Chinese servers, and some organizations may have installations located in China, but this should be validated with spatial and temporal anomaly checking. IP address and domain information must be attached to the resulting SIEM alarm so that SOC triage can be conducted rapidly.

3. Binaries That Are New

Excerpt: Once the remote code execution vulnerability is effectively exploited, it installs Carbanak on the victim’s system.

Comment: Any new binary is suspicious, but not all of them need to raise alarms. The image metadata should be evaluated to see whether it fits a pattern, for example a new app or a new version of an existing app from an existing supplier, on a likely file path for that supplier, etc. Hackers will try to spoof whitelisted apps, so signing data, file size, file path, etc. can be compared to filter out the obvious instances.

4. Uncommon Or Sensitive Filepaths

Excerpt: Carbanak copies itself into “%system32%\com” with the name “svchost.exe” with the file attributes: system, concealed and read-only.

Comment: Any write into the System32 file path is suspicious because it is a sensitive system folder, so it is immediately subject to anomaly checking. A classic anomaly would be svchost.exe, which is a vital system process image, in an unusual location: the com subdirectory.
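The two checks described in this comment, plus the attribute combination from the excerpt, as an added example (not Ziften's code). The expected-folder table, the label strings and the sample events are assumptions made for illustration; paths are normalized first so that case, separator and `..` variants cannot slip past a plain string comparison.

```python
import ntpath

# Assumed canonical folders for a few Windows system images (illustrative subset).
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
}
SENSITIVE_ROOT = r"c:\windows\system32"
STEALTH_ATTRS = {"system", "hidden", "readonly"}


def check_write(path, attrs=()):
    """Return the anomaly labels raised by one file-write event."""
    # Normalize case, separators and ".." segments before comparing anything.
    norm = ntpath.normcase(ntpath.normpath(path))
    folder, name = ntpath.split(norm)
    findings = []
    if folder == SENSITIVE_ROOT or folder.startswith(SENSITIVE_ROOT + "\\"):
        findings.append("write-to-sensitive-folder")
    expected = EXPECTED_DIRS.get(name)
    if expected is not None and folder not in expected:
        findings.append("system-image-name-in-unexpected-folder")
    if STEALTH_ATTRS <= {a.lower() for a in attrs}:
        findings.append("system+hidden+readonly-attributes")
    return findings


# Constructed sample events: (path, file attributes).
EVENTS = [
    (r"C:\Windows\System32\svchost.exe", ()),
    (r"C:\Windows\System32\com\svchost.exe", ("System", "Hidden", "ReadOnly")),
    ("c:/windows/SYSTEM32/com/../com/SvcHost.EXE", ()),
    (r"C:\Users\alice\AppData\Local\Temp\lsass.exe", ()),
    (r"C:\Program Files\Vendor\app.exe", ()),
]

if __name__ == "__main__":
    for path, attrs in EVENTS:
        print(path, "->", check_write(path, attrs) or "no finding")
```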

5. New Autostarts Or Services

Excerpt: To ensure that Carbanak has autorun privileges the malware produces a new service.

Remark: New autostarts and new services are common with malware and are constantly examined by the analytics. Anything with low prevalence would be suspicious. If checking the image hash against industry watchlists shows that it is unknown to the majority of anti-virus engines, this will raise suspicions.

6. Low Prevalence File In High Prevalence Folder

Excerpt: Carbanak develops a file with a random name and a .bin extension in %COMMON_APPDATA%\Mozilla where it stores commands to be executed.

Remark: This is a classic example of “one of these things is not like the other”, which is simple for the security analytics to detect in a continuous monitoring environment. The IoC is entirely generic and has nothing to do with which filename or which directory is created. Even though the technical security report lists it as a specific IoC, it is trivially generalized beyond Carbanak to future attacks.
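A prevalence check of this kind, as an added example (not Ziften's code): it flags files seen on few endpoints inside folders seen on most endpoints, without reference to any particular filename or directory. The thresholds, host names and file inventory are constructed assumptions.

```python
import ntpath
from collections import defaultdict


def rare_files_in_common_folders(inventory, folder_min=0.8, file_max=0.1):
    """Flag files seen on few endpoints inside folders seen on most endpoints.

    inventory maps endpoint name -> iterable of full file paths.
    Returns sorted (endpoint, path, folder_prevalence, file_prevalence) tuples.
    """
    total = len(inventory)
    folder_hosts = defaultdict(set)  # folder -> endpoints that have it
    file_hosts = defaultdict(set)    # (folder, filename) -> endpoints that have it
    for host, paths in inventory.items():
        for path in paths:
            folder, name = ntpath.split(ntpath.normcase(ntpath.normpath(path)))
            folder_hosts[folder].add(host)
            file_hosts[(folder, name)].add(host)

    hits = []
    for (folder, name), hosts in file_hosts.items():
        folder_prev = len(folder_hosts[folder]) / total
        file_prev = len(hosts) / total
        if folder_prev >= folder_min and file_prev <= file_max:
            hits.extend((h, ntpath.join(folder, name), folder_prev, file_prev) for h in hosts)
    return sorted(hits)


# Constructed fleet: ten endpoints with identical folder contents.
FLEET = {
    f"host{i:02d}": [
        r"C:\ProgramData\Mozilla\profiles.ini",
        r"C:\ProgramData\Mozilla\updates.xml",
        r"C:\ProgramData\Vendor\config.json",
    ]
    for i in range(10)
}
FLEET["host07"].append(r"C:\ProgramData\Mozilla\kq3vzx1a.bin")  # rare file, common folder
FLEET["host03"].append(r"C:\Tools\OneOff\notes.txt")            # rare file, rare folder

if __name__ == "__main__":
    for hit in rare_files_in_common_folders(FLEET):
        print(hit)
```

Only the first appended file is reported; the second is rare too, but its folder is just as rare, so it is not an outlier among peers.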

7. Suspect Signer

Excerpt: In order to render the malware less suspicious, the current Carbanak samples are digitally signed.

Comment: Any suspect signer will be treated as suspicious. In one case a signer provided a suspect anonymous Gmail e-mail address, which does not inspire confidence, and the risk score will rise for this image. In other cases no e-mail address is supplied. Signers can easily be recorded and a Pareto analysis performed to separate the more trusted from the less trusted signers. If a less trusted signer is found in a more sensitive directory, this is very suspicious.
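A Pareto split of signers combined with the sensitive-directory and free-mail checks, as an added example (not Ziften's code). The 80% head share, the score weights, the folder list and every signer name and path in the inventory are constructed assumptions.

```python
import ntpath
from collections import Counter

SENSITIVE_DIRS = (r"c:\windows\system32",)   # assumed sensitive folders
FREE_MAIL = ("@gmail.com",)                  # assumed anonymous free-mail suffixes


def pareto_split(records, head_share=0.8):
    """Split signers into (head, tail): the head is the smallest set of
    top-ranked signers that covers head_share of all signed images."""
    counts = Counter(r["signer"] for r in records)
    total = sum(counts.values())
    head, covered = set(), 0
    for signer, n in counts.most_common():
        if covered / total >= head_share:
            break
        head.add(signer)
        covered += n
    return head, set(counts) - head


def risk(record, tail):
    """Additive score for one signed image; the weights are illustrative."""
    folder = ntpath.dirname(ntpath.normcase(ntpath.normpath(record["path"])))
    sensitive = any(folder == d or folder.startswith(d + "\\") for d in SENSITIVE_DIRS)
    in_tail = record["signer"] in tail
    free_mail = (record.get("email") or "").lower().endswith(FREE_MAIL)
    # Tail signer: +2, free-mail signer address: +1, tail signer in sensitive folder: +3.
    return 2 * in_tail + 1 * free_mail + 3 * (in_tail and sensitive)


def img(path, signer, email=None):
    return {"path": path, "signer": signer, "email": email}


# Constructed inventory of signed images across a fleet (all names are made up).
IMAGES = (
    [img(rf"C:\Windows\System32\os{i}.dll", "Example OS Vendor") for i in range(12)]
    + [img(rf"C:\Program Files\Suite\app{i}.exe", "Example Suite Inc") for i in range(5)]
    + [img(rf"C:\Program Files\Util\tool{i}.exe", "Small Tools Ltd") for i in range(2)]
    + [img(r"C:\Windows\System32\com\svchost.exe", "Unknown Signer", "x1@gmail.com")]
)

if __name__ == "__main__":
    head, tail = pareto_split(IMAGES)
    for rec in IMAGES:
        if risk(rec, tail):
            print(risk(rec, tail), rec["signer"], rec["path"])
```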

8. Remote Administration Tools

Excerpt: There seems to be a preference for the Ammyy Admin remote administration tool for remote control. It is thought that the hackers utilized this remote administration tool due to the fact that it is frequently whitelisted in the victims’ environments as a result of being utilized regularly by administrators.

Comment: Remote admin tools (RATs) always raise suspicion, even if they are whitelisted by the organization. Anomaly checking would determine whether each new remote admin tool instance is temporally and spatially consistent. RATs are subject to abuse. Hackers will always prefer to use an organization's own RATs so that they can avoid detection, so these tools should not be granted access every time, even if they are whitelisted.

9. Patterns Of Remote Login

Excerpt: Logs for these tools suggest that they were accessed from 2 dissimilar IPs, most likely utilized by the attackers, and located in Ukraine and France.

Remark: Always suspect remote logins, because all hackers are presumed to be remote. They are likewise used a lot with insider attacks, as the insider does not want to be recognized by the system. Remote addresses and time pattern anomalies would be examined, and this ought to expose low prevalence usage (relative to peer systems) plus any suspect locations.

10. Atypical IT Tools

Excerpt: We have actually also discovered traces of various tools utilized by the hackers inside the victim's network to gain control of extra systems, such as Metasploit, PsExec or Mimikatz.

Comment: Because they are sensitive apps, IT tools should always be checked for anomalies, since many hackers subvert them for malicious purposes. Metasploit could be in use by a penetration tester or vulnerability researcher, but such instances would be uncommon. This is a prime example of where an unusual-observation report sent to security staff for vetting would result in corrective action. It also highlights the problem that blanket whitelisting does not help in identifying suspicious activity.

