Chuck Leaver – Continuous Endpoint Monitoring And The Carbanak Case Study Part 3

Presented By Chuck Leaver And Written By Dr Al Hartmann


Part 3 in a 3 part series


Below are excerpts of Indicators of Compromise (IoC) from the technical reports on the Anunak/Carbanak APT attacks, with discussions their discovery by the Ziften continuous endpoint monitoring service. The Ziften service has a concentrates on generic indicators of compromise that have actually been consistent for decades of hacker attacks and cyber security experience. IoC’s can be identified for any operating system such as Linux, OS X and Windows. Particular indicators of compromise likewise exist that show C2 infrastructure or particular attack code instances, however these are not used long term and not generally used again in fresh attacks. There are billions of these artifacts in the security world with thousands being added every day. Generic IoC’s are embedded for the supported os by the Ziften security analytics, and the particular IoC’s are used by the Ziften Knowledge Cloud from subscriptions to a variety of market risk feeds and watch lists that aggregate these. These both have value and will help in the triangulation of attack activity.

1. Exposed vulnerabilities

Excerpt: All observed cases used spear phishing e-mails with Microsoft Word 97– 2003 (. doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE- 2014-1761).

Comment: Not really a IoC, critical exposed vulnerabilities are a significant hacker exploit and is a large red flag that increases the risk score (and the SIEM priority) for the end point, particularly if other indicators are likewise present. These vulnerabilities are signs of lazy patch management and vulnerability lifecycle management which causes a weakened cyber defense position.

2. Locations That Are Suspect

Excerpt: Command and Control (C2) servers located in China have actually been determined in this campaign.

Remark: The geolocation of endpoint network touches and scoring by geography both contribute to the threat score that drives up the SIEM priority. There are authorized reasons for having contact with Chinese servers, and some companies might have sites located in China, however this should be validated with spatial and temporal checking of anomalies. IP address and domain info ought to be added with a resulting SIEM alarm so that SOC triage can be carried out rapidly.

3. Binaries That Are New

Excerpt: Once the remote code execution vulnerability is effectively exploited, it sets up Carbanak on the victim’s system.

Remark: Any brand-new binaries are constantly suspicious, however not all of them should be alerted. The metadata of images need to be examined to see if there is a pattern, for example a brand-new app or a brand-new variation of an existing app from an existing vendor on a likely file path for that vendor etc. Hackers will attempt to spoof apps that are whitelisted, so signing data can be compared in addition to size, file size and filepath etc to filter out obvious circumstances.

4. Uncommon Or Delicate Filepaths

Excerpt: Carbanak copies itself into “% system32% com” with the name “svchost.exe” with the file attributes: system, concealed and read-only.

Comment: Any writing into the System32 filepath is suspicious as it is a sensitive system directory, so it undergoes analysis by checking abnormalities instantly. A traditional anomaly would be svchost.exe, which is a crucial system process image, in the uncommon place the com subdirectory.

5. New Autostarts Or Services

Excerpt: To make sure that Carbanak has autorun privileges the malware develops a new service.

Remark: Any autostart or new service prevails with malware and is constantly examined by the analytics. Anything low prevalence would be suspicious. If examining the image hash versus market watchlists results in an unknown quantity to the majority of antivirus engines this will raise suspicions.

6. Low Prevalence File In High Prevalence Folder

Excerpt: Carbanak creates a file with a random name and a.bin extension in %COMMON_APPDATA% Mozilla where it stores commands to be carried out.

Comment: This is a classic example of “one of these things is not like the other” that is simple for the security analytics to inspect (continuous monitoring environment). And this IoC is absolutely generic, has absolutely nothing to do with which filename or which directory is created. Despite the fact that the technical security report notes it as a particular IoC, it is trivially genericized beyond Carabanak to future attacks.

7. Suspect Signer

Excerpt: In order to render the malware less suspicious, the most recent Carbanak samples are digitally signed

Comment: Any suspect signer will be treated as suspicious. One case was where a signer supplies a suspect anonymous gmail email address, which does not inspire confidence, and the risk score will rise for this image. In other cases no email address is provided. Signers can be quickly noted and a Pareto analysis carried out, to recognize the more versus less trusted signers. If a less trusted signer is discovered in a more sensitive folder then this is really suspicious.

8. Remote Administration Tools

Excerpt: There appears to be a preference for the Ammyy Admin remote administration tool for remote control believed that the hackers used this remote administration tool due to the fact that it is frequently whitelisted in the victims’ environments as a result of being used regularly by administrators.

Comment: Remote admin tools (RAT) always raise suspicions, even if they are whitelisted by the company. Checking of abnormalities would occur to identify whether temporally or spatially each brand-new remote admin tool is consistent. RAT’s are subject to abuse. Hackers will constantly prefer to use the RAT’s of a company so that they can avoid detection, so they must not be given access each time just because they are whitelisted.

9. Patterns Of Remote Login

Excerpt: Logs for these tools suggest that they were accessed from two different IPs, most likely used by the hackers, and located in Ukraine and France.

Comment: Constantly suspect remote logins, due to the fact that all hackers are presumed to be remote. They are also used a lot with insider attacks, as the insider does not wish to be identified by the system. Remote addresses and time pattern anomalies would be checked, and this should reveal low prevalence usage (relative to peer systems) plus any suspect geography.

10. Atypical IT Tools

Excerpt: We have actually likewise discovered traces of various tools utilized by the hackers inside the victim ´ s network to gain control of additional systems, such as Metasploit, PsExec or Mimikatz.

Comment: Being sensitive apps, IT tools ought to constantly be examined for abnormalities, because lots of hackers overturn them for harmful functions. It is possible that Metasploit could be used by a penetration tester or vulnerability scientist, but instances of this would be uncommon. This is a prime example where an uncommon observation report for the vetting of security staff would lead to restorative action. It also highlights the problem where blanket whitelisting does not help in the identification of suspicious activity.


Leave a Reply

Your email address will not be published. Required fields are marked *