Charles Leaver – Carbanak Case Study 3 And How Ziften Continuous Endpoint Monitoring Would Have Identified The Indicators Of Compromise

By | March 18, 2015

Presented By Charles Leaver And Written By Dr Al Hartmann

Part 3 in a 3 part series


Below are excerpts of Indicators of Compromise (IoC) from the technical reports on the Anunak/Carbanak APT attacks, with comments on their discovery by the Ziften continuous endpoint monitoring service. The Ziften system has a focus on generic indicators of compromise that have been consistent for years of hacker attacks and cyber security experience. IoC’s can be identified for any operating system such as Linux, OS X and Windows. Particular indicators of compromise likewise exist that indicate C2 infrastructure or specific attack code instances, however these are not utilized long term and not generally made use of once again in fresh attacks. There are billions of these artifacts in the cyber security world with thousands being added every day. Generic IoC’s are embedded for the supported operating systems by the Ziften security analytics, and the specific IoC’s are employed by the Ziften Knowledge Cloud from memberships to a variety of market risk feeds and watch lists that aggregate these. These both have value and will assist in the triangulation of attack activity.

1. Exposed vulnerabilities

Excerpt: All observed cases used spear phishing emails with Microsoft Word 97– 2003 (. doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE- 2014-1761).

Remark: Not really a IoC, critical exposed vulnerabilities are a major hacker manipulation and is a big red flag that increases the threat rating (and the SIEM priority) for the end point, particularly if other indications are likewise present. These vulnerabilities are indicators of lazy patch management and vulnerability lifecycle management which results in a weakened cyber defense position.

2. Locations That Are Suspect

Excerpt: Command and Control (C2) servers located in China have been determined in this campaign.

Remark: The geolocation of endpoint network touches and scoring by location both add to the risk score that drives up the SIEM priority. There are valid situations for having contact with Chinese servers, and some organizations may have installations situated in China, however this ought to be validated with spatial and temporal checking of abnormalities. IP address and domain details need to be included with a resulting SIEM alarm so that SOC triage can be performed rapidly.

3. Binaries That Are New

Excerpt: Once the remote code execution vulnerability is successfully exploited, it installs Carbanak on the victim’s system.

Remark: Any brand-new binaries are always suspicious, but not all of them ought to be alerted. The metadata of images must be analyzed to see if there is a pattern, for example a brand-new app or a brand-new variation of an existing app from an existing supplier on a likely file path for that vendor etc. Hackers will attempt to spoof apps that are whitelisted, so signing data can be compared along with size, file size and filepath etc to filter out obvious circumstances.

4. Unusual Or Sensitive Filepaths

Excerpt: Carbanak copies itself into “% system32% com” with the name “svchost.exe” with the file attributes: system, concealed and read-only.

Comment: Any writing into the System32 filepath is suspicious as it is a sensitive system directory, so it goes through analysis by inspecting anomalies instantly. A traditional anomaly would be svchost.exe, which is a crucial system process image, in the uncommon location the com subdirectory.

5. New Autostarts Or Services

Excerpt: To guarantee that Carbanak has autorun privileges the malware develops a brand-new service.

Comment: Any autostart or brand-new service prevails with malware and is constantly examined by the analytics. Anything low prevalence would be suspicious. If examining the image hash versus industry watchlists results in an unknown quantity to the majority of antivirus engines this will raise suspicions.

6. Low Prevalence File In High Prevalence Folder

Excerpt: Carbanak produces a file with a random name and a.bin extension in %COMMON_APPDATA% Mozilla where it saves commands to be carried out.

Remark: This is a classic example of “one of these things is not like the other” that is simple for the security analytics to check (continuous monitoring environment). And this IoC is completely generic, has definitely nothing to do with which filename or which folder is produced. Although the technical security report lists it as a particular IoC, it is trivially genericized beyond Carabanak to future attacks.

7. Suspect Signer

Excerpt: In order to render the malware less suspicious, the most recent Carbanak samples are digitally signed

Remark: Any suspect signer will be treated as suspicious. One case was where a signer offers a suspect anonymous gmail e-mail address, which does not inspire confidence, and the risk score will be elevated for this image. In other cases no e-mail address is provided. Signers can be easily listed and a Pareto analysis performed, to determine the more versus less trusted signers. If a less trusted signer is discovered in a more delicate directory then this is very suspicious.

8. Remote Administration Tools

Excerpt: There appears to be a choice for the Ammyy Admin remote administration tool for remote control thought that the attackers used this remote administration tool due to the fact that it is frequently whitelisted in the victims’ environments as a result of being used frequently by administrators.

Comment: Remote admin tools (RAT) constantly raise suspicions, even if they are whitelisted by the company. Checking of anomalies would occur to determine whether temporally or spatially each brand-new remote admin tool is consistent. RAT’s go through abuse. Hackers will constantly prefer to utilize the RAT’s of a company so that they can prevent detection, so they should not be granted access each time just because they are whitelisted.

9. Patterns Of Remote Login

Excerpt: Logs for these tools show that they were accessed from two dissimilar IPs, most likely utilized by the hackers, and situated in Ukraine and France.

Comment: Always suspect remote logins, because all hackers are presumed to be remote. They are also utilized a lot with insider attacks, as the insider does not wish to be identified by the system. Remote addresses and time pattern anomalies would be inspected, and this should expose low prevalence usage (relative to peer systems) plus any suspect locations.

10. Atypical IT Tools

Excerpt: We have also found traces of many different tools utilized by the hackers inside the victim ´ s network to gain control of additional systems, such as Metasploit, PsExec or Mimikatz.

Comment: Being sensitive apps, IT tools should always be checked for abnormalities, due to the fact that lots of hackers overturn them for malicious functions. It is possible that Metasploit could be used by a penetration tester or vulnerability scientist, but circumstances of this would be rare. This is a prime example where an unusual observation report for the vetting of security staff would lead to corrective action. It likewise highlights the issue where blanket whitelisting does not help in the recognition of suspicious activity.


Leave a Reply

Your email address will not be published. Required fields are marked *