Chuck Leaver – Carbanak Three Indicators Of Compromise And Ziften Continuous Endpoint Monitoring

Presented By Chuck Leaver And Written By Dr Al Hartmann


Part 3 in a 3 part series


Below are excerpts of Indicators of Compromise (IoC) from the technical reports on the Anunak/Carbanak APT attacks, with discussion of how each would be discovered by the Ziften continuous endpoint monitoring solution. The Ziften solution focuses on generic indicators of compromise that have remained consistent over years of hacker attacks and cyber security experience. Such IoCs can be determined for any operating system, including Linux, OS X and Windows. Specific indicators of compromise also exist that identify C2 infrastructure or particular attack code instances, but these are short-lived and rarely reused in fresh attacks. There are billions of these artifacts in the security world, with thousands added each day. Generic IoCs are embedded for the supported operating systems in the Ziften security analytics, and the specific IoCs are obtained by the Ziften Knowledge Cloud through subscriptions to a number of industry threat feeds and watch lists that aggregate them. Both kinds have value and assist in the triangulation of attack activity.

1. Exposed vulnerabilities

Excerpt: All observed cases used spear phishing emails with Microsoft Word 97–2003 (.doc) files attached or CPL files. The doc files manipulate both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).

Comment: Not really an IoC in itself, but critical exposed vulnerabilities are a major hacker exploitation path and a large red flag that increases the risk score (and the SIEM priority) for the endpoint, especially if other signs are also present. These vulnerabilities are indicators of lax patch management and vulnerability lifecycle management, which leads to a weakened cyber defense posture.

2. Suspect Locations

Excerpt: Command and Control (C2) servers located in China have been recognized in this project.

Remark: The geolocation of endpoint network contacts, and scoring by geography, both contribute to the risk score that drives up the SIEM priority. There are valid reasons for contact with Chinese servers, and some companies have installations located in China, but this should be confirmed with spatial and temporal anomaly checking. IP address and domain details should be attached to the resulting SIEM alarm so that SOC triage can be conducted rapidly.

3. New Binaries

Excerpt: Once the remote code execution vulnerability is successfully manipulated, it installs Carbanak on the victim’s system.

Remark: Any new binary is suspicious, but not all of them should raise alarms. The image metadata should be evaluated to see whether it fits a pattern, for example a new app, or a new version of an existing app from an existing vendor, on a likely file path for that vendor. Hackers will attempt to spoof whitelisted apps, so signing data can be compared in addition to file size and file path to filter out the obvious cases.

4. Unusual Or Sensitive Filepaths

Excerpt: Carbanak copies itself into “%system32%\com” with the name “svchost.exe” with the file attributes: system, hidden and read-only.

Comment: Any write into the System32 file path is suspicious, since it is a sensitive system folder, so it is immediately subjected to anomaly analysis. A classic anomaly would be svchost.exe, a vital system process image, appearing in the unusual location of the com subdirectory.

5. New Autostarts Or Services

Excerpt: To ensure that Carbanak has autorun privileges the malware produces a new service.

Comment: Any new autostart or service is common with malware and is always checked by the analytics. Anything of low prevalence would be suspicious. If checking the image hash against industry watch lists shows it to be unknown to the majority of anti-virus engines, that raises suspicion further.

6. Low Prevalence File In High Prevalence Directory

Excerpt: Carbanak develops a file with a random name and a .bin extension in %COMMON_APPDATA%\Mozilla where it stores commands to be performed.

Remark: This is a classic example of “one of these things is not like the other” that is easy for the security analytics to check in a continuous monitoring environment. This IoC is completely generic; it has nothing to do with which filename or which directory is created. Although the technical report lists it as a specific IoC, it trivially generalizes beyond Carbanak to future attacks.

7. Suspect Signer

Excerpt: In order to render the malware less suspicious, the current Carbanak samples are digitally signed.

Comment: Any suspect signer raises suspicion. In one case a signer provided an anonymous gmail address, which does not inspire confidence, and the risk rating rises for that image. In other cases no email address is offered at all. Signers can be quickly tallied and a Pareto analysis carried out to separate the more trusted from the less trusted signers. If a less trusted signer is found in a more sensitive folder, that is highly suspicious.

8. Remote Administration Tools

Excerpt: There appears to be a preference for the Ammyy Admin remote administration tool for remote control. It is thought that the attackers used this remote administration tool due to the fact that it is typically whitelisted in the victims’ environments as a result of being utilized regularly by administrators.

Comment: Remote admin tools (RATs) always raise suspicion, even when they are whitelisted by the organization. Anomaly checking would determine whether each new remote admin tool is temporally and spatially consistent. RATs are subject to abuse. Hackers prefer to use the organization's own RATs so that they can avoid detection, so these should not be granted a free pass every time merely because they are whitelisted.

9. Remote Login Patterns

Excerpt: Logs for these tools show that they were accessed from two dissimilar IPs, most likely utilized by the attackers, and situated in Ukraine and France.

Remark: Always suspect remote logins, since all hackers are presumed to be remote. They are also common in insider attacks, as the insider does not want to be identified by the system. Remote addresses and time-pattern anomalies would be inspected, and this should reveal low-prevalence usage (relative to peer systems) plus any suspect geography.

10. Atypical IT Tools

Excerpt: We have likewise found traces of many different tools used by the attackers inside the victim’s network to gain control of extra systems, such as Metasploit, PsExec or Mimikatz.

Comment: Being sensitive applications, IT tools must always be checked for anomalies, since many hackers subvert them for malicious purposes. Metasploit could be used by a penetration tester or vulnerability researcher, but instances of this would be uncommon. This is a prime example where an unusual-observation report, vetted by security staff, would result in corrective action. It also highlights the problem that blanket whitelisting does not help in identifying suspicious activity.
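As an added illustration (not Ziften's code and not taken from the Carbanak reports), here is a toy Python risk scorer that applies several of the generic IoCs above (a known system image name outside its home directory, writes into a sensitive folder, low-prevalence images and services, anonymous free-mail signers, remote logins from unexpected geography) to constructed endpoint telemetry and produces a per-host priority queue in the spirit of the SIEM ranking the comments describe. The baseline facts (svchost.exe's home directory, the expected countries, the event field names and the point weights) are assumptions made for the demo.

```python
import re
from collections import Counter

# Assumed baseline for the demo: home of a system image, sensitive folders, admin countries.
SYSTEM_IMAGE_HOME = {"svchost.exe": r"c:\windows\system32"}
SENSITIVE_DIRS = (r"c:\windows\system32",)
FREE_MAIL = re.compile(r"@(gmail|yahoo|hotmail)\.com$", re.I)
EXPECTED_COUNTRIES = {"US", "GB"}

# Constructed fleet telemetry (not real Carbanak artifacts); one record per event.
EVENTS = [
    {"host": "ws01", "type": "file_write", "sha256": "aaa1", "signer_email": "someone@gmail.com",
     "path": r"C:\Windows\System32\com\svchost.exe"},
    {"host": "ws01", "type": "service_create", "sha256": "aaa1", "signer_email": "someone@gmail.com",
     "path": r"C:\Windows\System32\com\svchost.exe"},
    {"host": "ws01", "type": "remote_login", "country": "UA"},
    {"host": "ws02", "type": "file_write", "sha256": "bbb2", "signer_email": "release@vendor.example",
     "path": r"C:\Program Files\Vendor\app.exe"},
    {"host": "ws03", "type": "file_write", "sha256": "bbb2", "signer_email": "release@vendor.example",
     "path": r"C:\Program Files\Vendor\app.exe"},
    {"host": "ws03", "type": "remote_login", "country": "US"},
]

def score_event(ev, prevalence):
    """Return (points, reasons) for one event; prevalence maps sha256 -> number of hosts seen on."""
    points, reasons = 0, []
    directory, _, name = ev.get("path", "").lower().rpartition("\\")
    if name in SYSTEM_IMAGE_HOME and directory != SYSTEM_IMAGE_HOME[name]:  # IoC 4
        points += 40; reasons.append("system image name outside its home directory")
    if ev["type"] == "file_write" and directory.startswith(SENSITIVE_DIRS):  # IoC 4
        points += 20; reasons.append("write into sensitive system folder")
    if ev["type"] in ("file_write", "service_create") and prevalence[ev["sha256"]] <= 1:  # IoC 3/5/6
        points += 25; reasons.append("low-prevalence image")
    if FREE_MAIL.search(ev.get("signer_email", "")):  # IoC 7
        points += 15; reasons.append("signer uses anonymous free-mail address")
    if ev["type"] == "remote_login" and ev["country"] not in EXPECTED_COUNTRIES:  # IoC 2/9
        points += 30; reasons.append("remote login from unexpected geography")
    return points, reasons

def triage(events):
    """Aggregate per-host risk; returns [(host, {"score", "reasons"})] highest first, like a SIEM queue."""
    # Prevalence counts distinct hosts per image hash, so a host's repeated events count once.
    prevalence = Counter(s for _, s in {(e["host"], e["sha256"]) for e in events if "sha256" in e})
    totals = {}
    for ev in events:
        pts, why = score_event(ev, prevalence)
        entry = totals.setdefault(ev["host"], {"score": 0, "reasons": []})
        entry["score"] += pts
        entry["reasons"].extend(why)
    return sorted(totals.items(), key=lambda kv: -kv[1]["score"])
```

Running `triage(EVENTS)` puts ws01 at the top with 210 points and the reasons listed above, while the vendor application seen on two hosts from a corporate signer scores zero.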

