Carbanak Drops New Backdoor to Step Up Info Theft

The notorious Carbanak threat group is on the move again, using a new backdoor to help steal financial info more effectively while remaining hidden from the white hats, according to Proofpoint.

The security vendor explained in a new analysis that the “Bateleur” backdoor contains previously undocumented JScript code, delivered in a classic phishing email spoofed to come from Outlook or Gmail.

The malicious Word document uses macros to run the backdoor on a victim’s machine “in a roundabout manner” in order to evade detection.

Proofpoint explained further:

“The malicious JScript has robust capabilities that include anti-sandbox functionality, anti-analysis (obfuscation), retrieval of infected system information, listing of running processes, execution of custom commands and PowerShell scripts, loading of EXEs and DLLs, taking screenshots, uninstalling and updating itself, and possibly the ability to exfiltrate passwords, although the latter requires an additional module from the command and control server (C&C).”

The backdoor is already being used to target restaurant chains in the US for financial information, as first described back in June.

However, the bad news for victim organizations is that its developers are enhancing the code all the time, and are expected to include features, such as encoding in the C&C protocol and backup C&C servers, in due course.

Proofpoint has tied the use of Bateleur to the infamous Carbanak/FIN7 group, which it spotted delivering both this and the GGLDR backdoor in similar messages to the same targets, often with the same attachment names and subject lines.

GGLDR is a script module, spotted early this year, that allows the group to hide its C&C communications in legitimate Google services such as Google Apps Script, Google Sheets and Google Forms.

“We continue to see regular changes to the tactics and tools used by FIN7 in their attempt to infect more targets and evade detection,” Proofpoint concluded.

“The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group’s expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines.”

Carbanak has been around for several years, and was famously discovered using advanced APT techniques to steal up to $1 billion from 100 banks worldwide over a two-year period.