A hacking group that goes by the name Carbanak has made it its mission to infiltrate the systems of restaurant chains around the US. If you're unfamiliar with these notorious cyber crooks, it's crucial we introduce them. This isn't the work of everyday wannabe hackers carrying out small-scale attacks with poorly coded malware. No, no, Carbanak is in the big league. The group was first detected by the Russian cyber security company Kaspersky Lab back in 2014. Carbanak doesn't aim at regular users, but at large financial institutions. Its usual way of getting a foothold is spear-phishing email. It is difficult to estimate exactly how much money the group's illegal activities have generated, but the figure is believed to be somewhere between $500 million and $1 billion. With that shedding some light on the scale of the cybercrime Carbanak is involved in, let's get into the details of the attack in question.
How Bateleur Infects
The phishing campaign we're talking about today was first discovered by researchers at Proofpoint. They named the malware after a species of eagle – Bateleur. Here's how it all starts – the targeted restaurant receives a seemingly harmless email. The email in itself most likely wouldn't cause any suspicion - it's sent from a Gmail or an Outlook address, and it claims to be about a check that has supposedly already been discussed. It carries a Word document that is meant to trick the recipient into thinking this is, in fact, the check. Here's where it gets dangerous - the attached document presents itself as locked, and it displays a notice stating that the file has been protected by either 'Google Documents Protect Service' or 'Outlook Protect Service' (depending on which provider the attackers used to send the message). Neither of these 'protection services' exists; they are nothing more than a simple but cunning trick whose goal is to convince the victim that the file they are about to open is legitimate. At the bottom of the document, users will find the logos of some popular antivirus vendors, placed there to further persuade the victim that the file is trustworthy. The document asks the victim to enable editing (and with it the embedded active content), and if the user falls for Carbanak's trickery, the document proceeds to drop and run its payload, the Bateleur backdoor itself.
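A mail gateway or analyst triaging attachments like the one described above would want to check two things before anything is opened: does the file carry a VBA project, and does its visible text contain the fake "Protect Service" lure. The following is an added example written for this article, not Proofpoint's tooling or code taken from a Bateleur sample. It only handles the OOXML (.docx/.docm) zip container (legacy OLE .doc files need a different parser), the lure phrases are the ones quoted in the text, and the `build_sample` helper constructs a minimal stand-in document so the check can be exercised offline.

```python
import io
import re
import zipfile

# Lure phrases taken from the description above; the AV-vendor logos are images,
# so only the text portion of the lure is matched here.
LURE_PATTERNS = [
    re.compile(r"Google Documents? Protect Service", re.IGNORECASE),
    re.compile(r"Outlook Protect Service", re.IGNORECASE),
    re.compile(r"enable editing", re.IGNORECASE),
]

# Zip members that only exist when a document carries a VBA macro project.
MACRO_PARTS = ("word/vbaProject.bin", "word/vbaData.xml")


def _text_from_xml(xml: bytes) -> str:
    # Crude tag stripping; adequate for phrase matching, not for faithful rendering.
    return re.sub(rb"<[^>]+>", b" ", xml).decode("utf-8", "replace")


def inspect_docx(blob: bytes) -> dict:
    """Classify an OOXML attachment as clean / macro-only / suspicious / not-ooxml."""
    result = {"is_ooxml": False, "has_macro": False, "lure_hits": [], "verdict": "clean"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        result["verdict"] = "not-ooxml"
        return result
    names = set(zf.namelist())
    result["is_ooxml"] = "[Content_Types].xml" in names
    result["has_macro"] = any(n in names for n in MACRO_PARTS)
    # Collect visible text from every XML part under word/ (body, headers, footers ...).
    text = " ".join(_text_from_xml(zf.read(n))
                    for n in names if n.startswith("word/") and n.endswith(".xml"))
    result["lure_hits"] = [p.pattern for p in LURE_PATTERNS if p.search(text)]
    if result["has_macro"] and result["lure_hits"]:
        result["verdict"] = "suspicious"   # macro plus social-engineering text: the Bateleur pattern
    elif result["has_macro"]:
        result["verdict"] = "macro-only"   # worth a look, but plenty of legitimate docs have macros
    return result


def build_sample(with_macro: bool, body_text: str) -> bytes:
    """Constructed minimal document for offline testing; not a real malicious sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    f"<w:document><w:body><w:p><w:t>{body_text}</w:t></w:p></w:body></w:document>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample(True, "This file is protected by Outlook Protect Service. Please enable editing.")
    print(inspect_docx(lure))
    print(inspect_docx(build_sample(False, "Invoice for the check we discussed")))
```

The verdict deliberately separates "has a macro" from "has a macro and the lure text": blocking every macro-bearing document is often not an option in a business, but a macro paired with a fake protection banner has no legitimate use and can be quarantined outright.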
The Offensive and Defensive Capabilities of Bateleur
Once Bateleur has found its way onto the victim's system, it begins operating. This threat is particularly devious because it has a whole set of anti-detection tricks at its disposal. Bateleur is able to recognize whether it's running in a sandbox – a controlled environment malware researchers use to study threats and develop tools to battle them. If that is the case, Bateleur halts its processes and thus prevents the analysts from picking it apart. Another of its crafty capabilities is obfuscation: its code is deliberately scrambled, which slows down manual analysis and defeats simple signature matching.
Having listed Bateleur's defensive capabilities, it's time we get into the threat's offensive power. The Trojan is able to collect information about the victim's computer configuration and running processes and send it to the attackers. In addition, it gives the remote operators the ability to execute commands and PowerShell scripts. Furthermore, Bateleur is fully capable of updating its core modules and even uninstalling itself. The Trojan can take screenshots and send them to Carbanak's command-and-control servers. Bateleur is also meant to be capable of stealing passwords, but the version analyzed lacks the module required to enable this particular function. However, knowing the level at which Carbanak operates, malware experts expect it to be added to Bateleur soon.
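The capabilities listed above (a Word document leading to command execution and PowerShell) are exactly what process-creation telemetry is good at exposing, whatever the specific malware. The following is an added example, not code from the original article, from Proofpoint, or from any Bateleur sample: it runs two detection rules over a constructed batch of Sysmon-style process events, flattened here into `pid|ppid|image|command line` lines for readability. The first rule walks each process's ancestry and flags script hosts and LOLBins that descend from an Office application; the second flags PowerShell launched with flags that rarely appear in legitimate use. The process chain in the sample (Word spawning cmd.exe to register a scheduled task, which later launches wscript.exe under the task scheduler) is a plausible construction for the exercise, not a claim about how Bateleur's dropper is implemented.

```python
import re
from typing import Dict, Iterable, List, NamedTuple, Optional


class Proc(NamedTuple):
    pid: int
    ppid: int
    image: str
    cmdline: str


# Parents that should not be spawning interpreters during normal office work.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters and living-off-the-land binaries a macro typically hands off to.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
                "mshta.exe", "schtasks.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell idioms that are rare in interactive use and common in droppers.
PS_SUSPICIOUS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_line(line: str) -> Proc:
    # Constructed flat format: the Sysmon Event ID 1 fields that matter for these rules.
    pid, ppid, image, cmdline = line.rstrip("\n").split("|", 3)
    return Proc(int(pid), int(ppid), image, cmdline)


def load(lines: Iterable[str]) -> Dict[int, Proc]:
    return {p.pid: p for p in (parse_line(l) for l in lines if l.strip() and not l.startswith("#"))}


def office_chain(procs: Dict[int, Proc], p: Proc, max_depth: int = 6) -> Optional[List[Proc]]:
    """Walk up the parent links; return [office_app, ..., p] if an Office app is an ancestor."""
    chain, cur = [p], p
    for _ in range(max_depth):
        parent = procs.get(cur.ppid)
        if parent is None:
            # Parent is outside the log window, or the process was started by the task
            # scheduler / a service host, which severs the link back to the Office app.
            return None
        chain.append(parent)
        if basename(parent.image).lower() in OFFICE_IMAGES:
            return list(reversed(chain))
        cur = parent
    return None


def detect(lines: Iterable[str]) -> List[dict]:
    procs = load(lines)
    alerts = []
    for p in procs.values():
        name = basename(p.image).lower()
        if name in SCRIPT_HOSTS:
            chain = office_chain(procs, p)
            if chain:
                alerts.append({"pid": p.pid, "rule": "office_spawns_script_host",
                               "chain": " > ".join(basename(x.image) for x in chain)})
        if name == "powershell.exe" and PS_SUSPICIOUS.search(p.cmdline):
            alerts.append({"pid": p.pid, "rule": "suspicious_powershell_flags", "chain": p.cmdline})
    return alerts


# Constructed events, not real telemetry. PIDs are treated as unique within this window;
# on a real host, key on Sysmon's ProcessGuid instead, because PIDs are reused.
SAMPLE_LOG = r"""
# pid|ppid|image|command line
4100|900|C:\Windows\explorer.exe|explorer.exe
4312|4100|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\bob\Downloads\check.doc"
4390|4312|C:\Windows\System32\cmd.exe|cmd.exe /c schtasks /create /tn Upd /tr "wscript.exe C:\Users\bob\AppData\Local\Temp\u.js" /sc once /st 13:05
4402|4390|C:\Windows\System32\schtasks.exe|schtasks /create /tn Upd /tr "wscript.exe C:\Users\bob\AppData\Local\Temp\u.js" /sc once /st 13:05
5020|1204|C:\Windows\System32\wscript.exe|wscript.exe C:\Users\bob\AppData\Local\Temp\u.js
5044|5020|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgA
6001|4100|C:\Windows\System32\cmd.exe|cmd.exe
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Note what the sample deliberately shows: the wscript.exe process (pid 5020) is launched by the task scheduler, so its parent is not WINWORD.EXE and the ancestry rule alone misses it, while the PowerShell it spawns is still caught by the command-line rule. Persistence through scheduled tasks, services or WMI breaks parent-child lineage, which is why a lineage rule should always be paired with content rules on the command line and, ideally, with Event ID 1 correlation on the scheduled-task creation itself.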
Considering all the measures Carbanak has taken to make Bateleur as hard to detect and analyze as possible, it seems this Trojan will continue to pose a serious threat to businesses and institutions, many of which fail to recognize the importance of keeping their software up to date, blocking macros in documents that arrive from the internet, and running a reputable security suite.