Carbanak Case Study 3 Indicators Of Compromise With Continuous Endpoint Monitoring – Chuck Leaver

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 3 in a 3 part series



Below are excerpts of Indicators of Compromise (IoCs) from the technical reports on the Anunak/Carbanak APT attacks, with discussion of how the Ziften continuous endpoint monitoring system detects them. The Ziften solution focuses on generic indicators of compromise that have stayed consistent over decades of hacker attacks and cyber security experience, and that can be identified on any operating system, including Linux, OS X and Windows. Specific indicators of compromise also exist that point to C2 infrastructure or particular attack code instances, but these are short-lived and are not typically reused in fresh attacks; there are billions of such artifacts in the cyber security world, with thousands added every day. The generic IoCs are built into the Ziften security analytics for each supported operating system, while the specific IoCs come to the Ziften Knowledge Cloud from subscriptions to a number of industry threat feeds and watchlists that aggregate them. Both have value, and together they help triangulate attack activity.

1. Exposed vulnerabilities

Excerpt: All observed cases used spear phishing e-mails with Microsoft Word 97–2003 (.doc) files attached or CPL files. The .doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).

Comment: Not strictly an IoC, but critical unpatched vulnerabilities are a primary hacker entry point and a major warning sign that raises the risk score (and the SIEM priority) for the endpoint, particularly if other indicators are also present. These vulnerabilities point to lax patch management and vulnerability lifecycle management, which leaves the cyber defense posture weakened.

2. Geographies That Are Suspect

Excerpt: Command and Control (C2) servers located in China have been identified in this campaign.

Comment: Geolocation of the endpoint's network contacts, with scoring by geography, contributes to the risk score that raises the SIEM priority. There can be valid reasons for contact with Chinese servers, and some organizations may have installations located in China, but this must be confirmed by spatial and temporal anomaly checking. The IP address and domain details should be included in the resulting SIEM alert so that SOC triage can be carried out quickly.

3. Binaries That Are New

Excerpt: Once the remote code execution vulnerability is successfully exploited, it installs Carbanak on the victim's system.

Comment: Any new binary is suspicious, but not every one should raise an alert. The image metadata must be evaluated for a recognizable pattern, for example a new app, or a new version of an existing app from an existing vendor, on a plausible file path for that vendor. Hackers will try to spoof whitelisted apps, so signing data can be compared along with file size, file path and similar attributes to filter out the obvious cases.

4. Uncommon Or Sensitive Filepaths

Excerpt: Carbanak copies itself into “%system32%\com” with the name “svchost.exe” with the file attributes: system, hidden and read-only.

Comment: Any write into the System32 file path is suspicious, because it is a sensitive system directory, so it is subjected to anomaly analysis immediately. A classic anomaly is svchost.exe, an essential system process image, appearing in the unusual location of the com subdirectory.

5. New Autostarts Or Services

Excerpt: To ensure that Carbanak has autorun privileges the malware creates a new service.

Comment: A new autostart or service is common with malware and is always examined by the analytics; anything of low prevalence is suspicious. If checking the image hash against industry watchlists shows it is unknown to most of the anti-virus engines, suspicion rises further.

6. Low Prevalence File In High Prevalence Folder

Excerpt: Carbanak creates a file with a random name and a .bin extension in %COMMON_APPDATA%\Mozilla where it stores commands to be executed.

Comment: This is a classic example of “one of these things is not like the other”, which is simple for the security analytics to check in a continuous monitoring environment. The IoC is completely generic: it has nothing to do with which filename or which folder is created. Although the technical security report lists it as a specific IoC, it is trivially generalized beyond Carbanak to future attacks.
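As an added example (not Ziften's code or anything from the reports), the prevalence checks behind items 3, 4 and 6 can be expressed over a constructed file inventory: a file is flagged when it is rare in a folder that nearly every host has, when a known system image name turns up outside its expected directory, or when a rare file is written under a sensitive path. The inventory, the thresholds and the policy tables are all assumptions.

```python
from collections import defaultdict
import ntpath  # Windows path handling, works on any platform

# Constructed inventory of (host, image path, hash) rows across five endpoints;
# the two rows on ws03 mirror the report's observations but are not real data.
HOSTS = ["ws01", "ws02", "ws03", "ws04", "ws05"]
INVENTORY = [(h, r"C:\Windows\System32\svchost.exe", "h-svc") for h in HOSTS]
INVENTORY += [(h, r"C:\ProgramData\Mozilla\updates.xml", "h-upd") for h in HOSTS]
INVENTORY += [("ws03", r"C:\Windows\System32\com\svchost.exe", "h-odd1"),
              ("ws03", r"C:\ProgramData\Mozilla\k3x9q.bin", "h-odd2")]

# Assumed policy tables: sensitive directories, and where well-known system
# images are expected to live. Both are placeholders for a real baseline.
SENSITIVE_DIRS = (r"c:\windows\system32",)
EXPECTED_HOME = {"svchost.exe": r"c:\windows\system32"}

def prevalence(inventory):
    """Fraction of the fleet on which each folder and each (path, hash) appears."""
    fleet = len({host for host, _, _ in inventory})
    folder_hosts, file_hosts = defaultdict(set), defaultdict(set)
    for host, path, digest in inventory:
        path = path.lower()
        folder_hosts[ntpath.dirname(path)].add(host)
        file_hosts[(path, digest)].add(host)
    return ({f: len(s) / fleet for f, s in folder_hosts.items()},
            {k: len(s) / fleet for k, s in file_hosts.items()})

def find_anomalies(inventory, folder_min=0.8, file_max=0.25):
    """Flag files that are rare in common folders, system image names found
    outside their expected directory, and rare writes under sensitive paths."""
    folder_prev, file_prev = prevalence(inventory)
    findings = []
    for (path, digest), prev in file_prev.items():
        folder, name = ntpath.dirname(path), ntpath.basename(path)
        reasons = []
        if folder_prev[folder] >= folder_min and prev <= file_max:
            reasons.append("low-prevalence file in high-prevalence folder")
        if name in EXPECTED_HOME and folder != EXPECTED_HOME[name]:
            reasons.append("system image name outside its expected directory")
        if folder.startswith(SENSITIVE_DIRS) and prev <= file_max:
            reasons.append("low-prevalence write under sensitive directory")
        if reasons:
            findings.append((path, digest, reasons))
    return findings

if __name__ == "__main__":
    for path, digest, reasons in find_anomalies(INVENTORY):
        print(path, digest, "; ".join(reasons))
```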

7. Suspect Signer

Excerpt: In order to render the malware less suspicious, the latest Carbanak samples are digitally signed.

Comment: Any suspect signer is treated as suspicious. In one case the signer supplied an anonymous Gmail address, which does not inspire confidence, and the risk score for that image is raised accordingly; in other cases no email address is provided at all. Signers can be listed quickly and a Pareto analysis performed to separate the more trusted signers from the less trusted ones. A less trusted signer found in a more sensitive directory is highly suspicious.
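The signer Pareto analysis described above, as an added example rather than Ziften's own implementation: signers are ranked by image count, the head of the curve is treated as trusted, and each image is scored on unsigned or long-tail signers, free-mail contact details and placement in a sensitive directory. The image list, the signer names and the free-mail domain list are constructed.

```python
import re
from collections import Counter

# Constructed image inventory: (path, signer subject, e-mail from the signing
# certificate or None). Vendor names and addresses are placeholders.
MS = "Microsoft Windows"
IMAGES = [(r"C:\Windows\System32\%s" % n, MS, None) for n in
          ("ntoskrnl.exe", "svchost.exe", "lsass.exe", "services.exe",
           "winlogon.exe", "csrss.exe")]
IMAGES += [(r"C:\Program Files\VendorA\agent.exe", "Vendor A Ltd", "security@vendora.example"),
           (r"C:\Program Files\VendorA\updater.exe", "Vendor A Ltd", "security@vendora.example"),
           (r"C:\Windows\System32\com\svchost.exe", "Example Tools Ltd", "exampletools@gmail.com"),
           (r"C:\Users\Public\tmp\dl.exe", None, None)]

FREE_MAIL = re.compile(r"@(gmail|yahoo|hotmail|outlook)\.com$", re.I)  # assumed list
SENSITIVE_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def pareto_head(images, trusted_share=0.8):
    """Signers that together account for at least trusted_share of the signed
    images, taken most-common first. Everything else is the long tail."""
    counts = Counter(signer for _, signer, _ in images if signer)
    total = sum(counts.values())
    head, seen = set(), 0
    for signer, n in counts.most_common():
        head.add(signer)
        seen += n
        if seen / total >= trusted_share:
            break
    return head

def score_images(images, trusted_share=0.8):
    """Rank images by how many trust signals they fail: unsigned or long-tail
    signers are suspect, free-mail contact details and sensitive paths more so."""
    head = pareto_head(images, trusted_share)
    findings = []
    for path, signer, email in images:
        reasons = []
        if signer is None:
            reasons.append("unsigned")
        elif signer not in head:
            reasons.append("long-tail signer: %s" % signer)
        if email and FREE_MAIL.search(email):
            reasons.append("free-mail address in signer details")
        if reasons and path.lower().startswith(SENSITIVE_DIRS):
            reasons.append("located in a sensitive directory")
        if reasons:
            findings.append((path, len(reasons), reasons))
    return sorted(findings, key=lambda f: -f[1])
```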

8. Remote Administration Tools

Excerpt: There appears to be a preference for the Ammyy Admin remote administration tool for remote control. It is believed that the hackers used this remote administration tool because it is frequently whitelisted in the victims’ environments as a result of being used regularly by administrators.

Comment: Remote administration tools (RATs) always raise suspicion, even when they are whitelisted by the organization. Anomaly checking determines whether each new remote admin tool is consistent, temporally and spatially, with its past use. RATs are subject to abuse: hackers will always prefer to use a company's own RATs so that they can avoid detection, so these tools should not be given a pass every time just because they are whitelisted.

9. Patterns Of Remote Login

Excerpt: Logs for these tools indicate that they were accessed from two different IPs, probably used by the hackers, and located in Ukraine and France.

Comment: Always suspect remote logins, because all hackers are presumed to be remote. They are also used heavily in insider attacks, since the insider does not want to be identified on the system. Remote addresses and time-pattern anomalies are inspected, which should expose low-prevalence use (relative to peer systems) as well as any suspect locations.
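As an added example for items 2 and 9 (not Ziften's code), the geography, time-of-day and peer-prevalence checks run over a few constructed remote-login log lines; the log format, the prefix-based geolocation table and the fleet's expected geographies and hours are all assumptions.

```python
import re
from collections import defaultdict
# Constructed prefix-to-country table (stand-in for a GeoIP feed) and assumed
# fleet expectations: home geographies, business hours, rare-source threshold.
GEO = {"10.": "INTERNAL", "192.0.": "US", "203.0.": "UA", "198.51.": "FR"}
HOME = {"INTERNAL", "US"}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time
RARE_SOURCE = 0.25              # a source seen on <= 25% of hosts is rare
LINE = re.compile(r"^\S+T(?P<hour>\d{2}):\d\d:\d\d (?P<host>\S+) "
                  r"remote-login user=(?P<user>\S+) src=(?P<src>\S+)$")
# Constructed log lines using documentation-range addresses, not real activity.
LOGS = """\
2015-02-10T09:12:03 ws01 remote-login user=admin src=10.1.2.3
2015-02-10T09:14:41 ws02 remote-login user=admin src=10.1.2.3
2015-02-10T09:16:20 ws03 remote-login user=admin src=10.1.2.3
2015-02-10T09:18:55 ws04 remote-login user=admin src=10.1.2.3
2015-02-10T14:02:10 ws02 remote-login user=jsmith src=192.0.2.44
2015-02-11T02:37:08 ws03 remote-login user=admin src=203.0.113.5
2015-02-11T03:05:51 ws03 remote-login user=admin src=198.51.100.7
"""
def geo(ip):
    return next((c for p, c in GEO.items() if ip.startswith(p)), "UNKNOWN")

def parse(text):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        events.append({"host": m["host"], "user": m["user"], "src": m["src"],
                       "hour": int(m["hour"]), "country": geo(m["src"])})
    return events

def login_anomalies(events):
    """Score each login on geography, hour and peer prevalence of its source."""
    fleet = len({e["host"] for e in events})
    src_hosts = defaultdict(set)
    for e in events:
        src_hosts[e["src"]].add(e["host"])
    findings = []
    for e in events:
        reasons = []
        if e["country"] not in HOME:
            reasons.append("source geolocates to %s" % e["country"])
        if e["hour"] not in BUSINESS_HOURS:
            reasons.append("login at %02d:00 is outside business hours" % e["hour"])
        if len(src_hosts[e["src"]]) / fleet <= RARE_SOURCE:
            reasons.append("source seen on few peer systems")
        if reasons:
            findings.append(dict(e, score=len(reasons), reasons=reasons))
    return sorted(findings, key=lambda f: -f["score"])
```

The four internal admin logins score zero and are dropped, while the two night-time logins from the foreign, single-host sources rank highest.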

10. Atypical IT Tools

Excerpt: We have also found traces of many different tools used by the attackers inside the victim’s network to gain control of additional systems, such as Metasploit, PsExec or Mimikatz.

Comment: IT tools are sensitive apps and should always be checked for anomalies, since many hackers subvert them for malicious purposes. Metasploit could be used by a penetration tester or vulnerability researcher, but such cases are rare. This is a prime example where an unusual-observation report, reviewed when vetting security staff, would lead to corrective action. It also highlights the problem that blanket whitelisting does not help in recognizing suspicious activity.

