After passing my GCTI certification, I said I would go and do a case study on a well-known attack. This would put me on the fence of doing the mapping exercise by flying solo. I chose the “Bank of Bangladesh Heist” scenario.
Attack Sector – Financial Services
Attack Type – APT Style
Impact – Financial Loss

Intrusion Summary
Several banks and financial institutions have been attacked by an unknown group of cybercriminals. In all these attacks, a similar modus operandi was used. According to victims and the law enforcement agencies (LEAs) involved in the investigation, this could result in cumulative losses of up to 1 billion USD.
An analysis of the campaign has revealed that the initial infections were achieved using spear-phishing emails that appeared to be legitimate banking communications, with Microsoft Word 97–2003 (.doc) and Control Panel Applet (.CPL) files attached. We also believe that the attackers redirected website traffic related to financial activity to exploit kits. The email attachments exploit vulnerabilities in Microsoft Office 2003, 2007 and 2010 (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761). Once the vulnerability is successfully exploited, the shellcode decrypts and executes the backdoor known as Carbanak. Carbanak is a remote backdoor (initially based on Carberp), designed for espionage, data exfiltration and remote access to infected machines. Once access is achieved, the attackers perform manual reconnaissance of the victim’s network. Based on the results, they use different lateral movement tools to reach the critical systems in the victim’s infrastructure. They then install additional software such as the Ammyy Remote Administration Tool, or even compromise SSH servers.
Once the attackers have compromised the victim’s network, the primary internal destinations are money processing services, Automated Teller Machines (ATMs) and financial accounts. In some cases, the attackers used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network to transfer money to their own accounts. In others, Oracle databases were manipulated to open payment or debit card accounts at the same bank, or to transfer money between accounts using the online banking system. The ATM network was also used to dispense cash from certain ATMs at certain times, where money mules were ready to collect it.
As part of the attack’s reconnaissance phase, video recordings were made of the activities of bank employees, particularly system administrators, and sent to the C2 server. Note that the attackers abused the aforementioned services by impersonating legitimate local users who had the permissions to perform the actions the criminals later reproduced. As far as is known, none of these services were attacked directly, nor was any specific vulnerability within them exploited.
Stolen funds were transferred out of the affected countries to bank accounts in the US and China. Additionally, some of the C2 servers have log entries indicating connections from systems located in the US. Telemetry indicates that the attackers are expanding operations to other regions, such as Asia, the Middle East, Africa and Europe.
Below is the part where I map the techniques to the relevant Kill Chain phases and then to Courses of Action (CoA). All the mappings would have been easier to read in one table, but the formatting here made that difficult, so I have split the details across the two tables below.
Kill Chain and TTP Mapping
| KC Phase | TTP |
|---|---|
| Recon / Precursor | • Gathering information from websites and social media about employees and assets |
| Weaponisation | • Malware samples digitally signed (footprintcrsgn.dll, PAExec_Move0.dat, PAExec-6980-PB-FS-01.ex_) by random entities |
| Delivery | • Spear-phishing emails to employees • Compromised employee mailboxes and systems • Drive-by downloads |
| Exploit | • CVE-2012-0158 and CVE-2013-3906 (MS Office) • CVE-2014-1761 (MS Word) • Null EK (IE and Flash) and RedKit EK (Adobe and Java) • Metasploit • PsExec • Mimikatz |
| Install | • Carberp-like malware • Copies itself to svchost.exe under %system32%\com (the original file is then deleted) • Creates a service named `<ServiceName>Sys`, where ServiceName is any existing service chosen at random with its first character deleted, to gain autorun • Creates a randomly named file with a .bin extension in %COMMON_APPDATA%\Mozilla, where it stores the commands to be executed • Sets the Termservice service start mode to Auto (to enable RDP) • Checks for the banking application BLIZKO (funds transfer software) • Ammyy Admin 3.5 run as “svchost.exe” • PuTTY to connect to C2 • VNC server (injected into rundll) |
| C2 | • C2 server IPs (some also managing Null and RedKit EK infected bots) • Downloads the file kldconfig.plug (contains the names of the processes to be monitored) • Sends an acknowledgement if the BLIZKO application is installed on the victim • Uses HTTP with RC2+Base64 encoding (adds extra characters not in the Base64 alphabet and inserts strings with extensions such as .gif and .htm at random locations in the HTTP request) • Other C2 servers with associated domains • SSH using PuTTY • Types of C2: Linux (issuing commands and receiving data), Windows (for RDP), Backup, and Drop (hosting executables) servers |
| Actions | Malware: • Reads the proxy configuration from the registry key [HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings] • Reads the Mozilla Firefox configuration file %AppData%\Mozilla\Firefox\prefs.js • Logs keystrokes and takes screenshots every 20 seconds (by intercepting the ResumeThread call) • Enables RDP • Patches executable code in memory (termsrv.dll, csrsrv.dll, msgina.dll and winlogon.exe) so that remote and local users can work simultaneously • Sends all collected data to the C2 server and can receive various commands (listed in the report) • Captures screen video of the victim’s operations • Creates fake transactions in the victim’s internal databases • Inserts fraudulent operations into the transaction queue (using the victim’s internal command utilities) • Raises the amount of money to its maximum • Exfiltrates sensitive bank documents (emails, manuals, crypto keys, passwords etc.) • Remotely withdraws cash from ATMs (no malware required on the ATM dispenser) |
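To make the Install-row indicators checkable on a host, here is an added triage script of my own; it is not code from the Kaspersky report or from the malware. It runs over a constructed process, service and file inventory whose field names are an assumed shape rather than any real EDR schema, and flags svchost.exe running outside System32 or SysWOW64, a service whose name is an existing service minus its first character plus “Sys”, .bin drops under %COMMON_APPDATA%\Mozilla (C:\ProgramData on Vista and later), and TermService set to Auto start.

```python
"""Host-side triage for the Carbanak install-phase indicators in the kill chain
table. The inventory records are constructed samples with assumed field names."""
import ntpath
import re

# Constructed sample inventory (not real telemetry).
SAMPLE_PROCESSES = [
    {"pid": 512,  "image": r"C:\Windows\System32\svchost.exe"},               # legitimate
    {"pid": 3388, "image": r"C:\Windows\System32\com\svchost.exe"},           # Carbanak copy location
    {"pid": 4120, "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"},  # e.g. Ammyy Admin renamed
    {"pid": 4200, "image": r"C:\Windows\SysWOW64\svchost.exe"},               # legitimate 32-bit host
]
SAMPLE_SERVICES = {  # service name -> start mode
    "TermService": "Auto",   # Carbanak switches this to Auto to enable RDP
    "Spooler": "Auto",
    "poolerSys": "Auto",     # "Spooler" minus its first character, plus "Sys"
    "Dnscache": "Auto",
}
SAMPLE_FILES = [
    r"C:\ProgramData\Mozilla\3f7a9c2e.bin",                                      # command file drop
    r"C:\ProgramData\Mozilla\Firefox\updates.log",
    r"C:\Users\jdoe\AppData\Roaming\Mozilla\Firefox\Profiles\ab12.default\prefs.js",
]

LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def rogue_svchost(processes):
    """svchost.exe images running from anywhere but the two legitimate directories."""
    hits = []
    for proc in processes:
        image = proc["image"]
        if (ntpath.basename(image).lower() == "svchost.exe"
                and ntpath.dirname(image).lower() not in LEGIT_SVCHOST_DIRS):
            hits.append(image)
    return hits


def lookalike_services(services):
    """Services named <existing service minus first char> + 'Sys', as (name, source) pairs."""
    names = set(services)
    hits = []
    for name in sorted(names):
        if not name.endswith("Sys") or len(name) <= 3:
            continue
        stem = name[:-3]
        for other in names:
            if other != name and len(other) > 1 and other[1:] == stem:
                hits.append((name, other))
    return hits


# %COMMON_APPDATA% is assumed to resolve to C:\ProgramData (Vista and later).
MOZILLA_BIN = re.compile(r"^[a-z]:\\programdata\\mozilla\\[^\\]+\.bin$", re.IGNORECASE)


def mozilla_bin_drops(files):
    """Randomly named .bin files directly under %COMMON_APPDATA%\\Mozilla."""
    return [f for f in files if MOZILLA_BIN.match(f)]


def termservice_auto(services):
    """True when the Terminal Services service is set to start automatically."""
    return services.get("TermService", "").lower() == "auto"


def triage(processes, services, files):
    """Run all four checks and return the findings keyed by indicator."""
    return {
        "rogue_svchost": rogue_svchost(processes),
        "lookalike_services": lookalike_services(services),
        "mozilla_bin_drops": mozilla_bin_drops(files),
        "termservice_auto": termservice_auto(services),
    }


if __name__ == "__main__":
    for indicator, finding in triage(SAMPLE_PROCESSES, SAMPLE_SERVICES, SAMPLE_FILES).items():
        print(f"{indicator}: {finding}")
```

In practice the inventory would come from process, service and file listings collected by an EDR or a scheduled script; the path check catches both the malware’s own copy under %system32%\com and Ammyy Admin renamed to svchost.exe in a user-writable directory, while the “Sys” check only compares names, so a positive should be confirmed against the service’s binary path before escalating.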
Course of Action / CoA Mapping
| KC Phase | Discover | Detect | Deny | Disrupt | Degrade | Deceive | Destroy |
|---|---|---|---|---|---|---|---|
| Recon / Precursor | • Passive scanning to identify external assets and what information is open to the public (e.g. vulnerable servers, email addresses etc.) | • Monitor web server logs and other server logs to identify scanning activity from external IP addresses (IPS, WAF, firewall and other security controls can be used to detect unusual activity) | • Implement well-defined rules to shun external IP addresses that are scanning the servers. Close unnecessary open ports. Clean Internet-facing assets of confidential information. Run a security awareness programme/training with staff to limit what information they post online | • Interrupt scanning activity for a period of time | N/A | • Plant false information (e.g. email addresses) on Internet-facing assets. Add canaries and honeypots | N/A |
| Weaponisation | N/A | N/A | N/A | N/A | N/A | N/A | N/A |
| Delivery | • Log searching for unusual emails containing “.doc” or “.rar” files. Also search for other phishing campaigns • Log searching for web requests to unusual or non-business domains (e.g. non-categorised domains) • Log searching for unusual emails sent from internal employees | • Detection strategies to identify phishing campaigns given a set of criteria • Use known-bad IOC feeds (hashes, email addresses) to correlate against email logs and identify phishing campaigns • Use existing security controls to track blocked phishing campaigns (e.g. email gateway) • Staff training to identify and report phishing campaigns | • Block emails that do not comply with SPF, DKIM and DMARC policies • Use security controls such as the email gateway to block phishing emails • Block access to non-categorised websites • Implement endpoint protection controls • Staff training to identify phishing campaigns | • Disable macros in MS Office documents • Quarantine emails | • Strip email attachments | • Re-route suspicious emails | N/A |
| Exploit | • Log searching for vulnerable applications, and any activity on the network associated with the Null and RedKit exploit kits • Log searching for activity related to Metasploit, Mimikatz or PsExec (including blocked activity, which indicates attempts) | • Regular vulnerability scans against all assets • Detection strategies to identify use of Metasploit, PsExec or Mimikatz • Use existing security controls to track malicious activity (e.g. IPS signatures for Metasploit exploit modules) | • Robust patching policy for vulnerable assets • Disable PsExec • Implement application whitelisting | • Enable DEP, ASLR etc. (maintain strong Windows security policies) | N/A | N/A | N/A |
| Install | • Create a baseline of known-good files and search for rare files, anomalies etc. • Log searching for RDP tools | • Detection strategies for copies of svchost.exe under unusual paths • Detection strategies for the other behaviours, e.g. service name creation, .bin files, enablement of RDP, VNC server in rundll • Detection strategies for Ammyy Admin and PuTTY (connections to external IP addresses) | • Limit user privileges | • Application sandboxing | N/A | N/A | N/A |
| C2 | • Log searching for beaconing activity to potential C2s • Log searching for long or unusual HTTP requests (e.g. with .gif and .htm strings) • Log searching for HTTP requests to rare domains • Log searching for SSH sessions • Log searching for connections on unusual ports • Log searching for unusual downloads | • Use existing security controls (e.g. IPS) to track C2 botnet connections (signature-based and time-based behaviour) • Detection strategies for the use cases in the Discover column | • Use security controls (e.g. firewall blocks) to block C2 connections | • Sandboxing of downloads from the web (e.g. the kldconfig.plug file) • IPS signatures to block C2 connections | N/A | • Redirection to honeypots | N/A |
| Actions | • Log searching for high volumes of outbound network traffic • Log searching for uploads to domains or over SSH • Audit transactions on internal databases and any other operations in the transaction queue | • Implement DLP detection capabilities • Detection strategies to catch data exfiltration • Detect back-and-forth C2 communications • Detect files with a certain watermark/control marking being sent externally | • Use security controls (e.g. firewall blocks) to block C2 connections • Block the ability to send files externally (e.g. personal email, cloud storage etc.) • Block files being uploaded or sent (alert on watermarked/classified documents) | • Terminate sessions where certain file types are sent outbound over SSH • Implement segregation of duties and an Identity and Access Management (IAM) plan • Implement password management and vaults (plus process) | • Rate-limit connections based on session length | • Redirection to honeypots | N/A |
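The C2 row of the Kill Chain table and the C2 row of the CoA table both come down to two network checks: periodic beaconing to a C2 address, and HTTP requests padded with .gif/.htm strings spliced into Base64-like text. The following added example is mine, not code from the report, and runs both checks over a constructed proxy log in an assumed format (ISO timestamp, source IP, method, URL). 203.0.113.10 is a documentation address and the sample paths only imitate the described pattern; they are not real Carbanak traffic, and the jitter threshold is a tuning assumption.

```python
"""Two network-side checks for the Carbanak C2 traits: near-constant request
intervals per source/destination pair, and extension strings embedded inside
Base64-like request paths. Log lines and format are constructed samples."""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log (assumed format: time src method url).
SAMPLE_LOG = """\
2015-02-10T09:00:00Z 10.1.5.23 GET http://intranet.example.local/index.html
2015-02-10T09:00:05Z 10.1.5.23 GET http://203.0.113.10/bLgiAs.gifmdT9QW.htmZ2VyYWw=
2015-02-10T09:01:00Z 10.1.5.23 GET http://cdn.example.com/logo.gif
2015-02-10T09:02:00Z 10.1.5.23 GET http://news.example.com/a/b.htm
2015-02-10T09:05:05Z 10.1.5.23 GET http://203.0.113.10/c2dlY2Fq.htmX3Rlc3Q=kQ.gif
2015-02-10T09:10:06Z 10.1.5.23 GET http://203.0.113.10/dGVzdGluZw.gifabcd
2015-02-10T09:15:05Z 10.1.5.23 GET http://203.0.113.10/bmV4dC5.htmzaW5n
2015-02-10T09:20:00Z 10.1.5.23 GET http://news.example.com/c/d.htm
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Return (time, src, host, path) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, _method, url = m.groups()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        parts = urlsplit(url)
        events.append((when, src, parts.hostname, parts.path))
    return events


# Ordered alternation: "html" is tried before "htm", so "/index.html" is not
# mis-read as ".htm" followed by a stray "l".
EXT_TOKEN = re.compile(r"\.(?:gif|html|htm|jpg)")
B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+=")


def embedded_extension_count(path):
    """Count extension-like tokens immediately followed by more Base64-style
    characters, i.e. tokens that cannot be a real file extension."""
    count = 0
    for m in EXT_TOKEN.finditer(path):
        nxt = path[m.end():m.end() + 1]
        if nxt and nxt in B64_CHARS:
            count += 1
    return count


def odd_request_path(path, min_len=16):
    """True when the path is long enough to carry a payload and has at least
    one extension token spliced into the middle of Base64-like text."""
    return len(path) >= min_len and embedded_extension_count(path) >= 1


def beaconing_pairs(events, min_hits=4, max_cv=0.2):
    """(src, host) pairs whose request inter-arrival times are near-constant.
    A coefficient of variation (stdev/mean) at or below max_cv over at least
    min_hits requests is a simple periodicity test; real C2 adds jitter, so
    max_cv is a tuning assumption."""
    by_pair = defaultdict(list)
    for when, src, host, _path in events:
        by_pair[(src, host)].append(when)
    flagged = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            flagged.append(pair)
    return sorted(flagged)


def c2_candidates(text):
    """Run both checks over a log and return the flagged pairs per check."""
    events = parse_log(text)
    odd = sorted({(src, host) for _t, src, host, path in events if odd_request_path(path)})
    return {"beaconing": beaconing_pairs(events), "odd_paths": odd}


if __name__ == "__main__":
    for check, pairs in c2_candidates(SAMPLE_LOG).items():
        print(f"{check}: {pairs}")
```

The two checks are deliberately independent: the periodicity test works on any HTTP or SSH connection log without looking at content, while the path check needs the request URI and so depends on proxy or web-gateway logging. A pair that trips both is a strong candidate for the firewall block and sandboxing actions listed in the C2 row.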
References
Carbanak APT – The Great Bank Robbery
Lazarus Under the Hood
Carbanak Profile
