Здравствуйтэ, Carbanak! A look inside the Carbanak source code
OCTOBER 1 – 4, 2018 | WASHINGTON, D.C.
©2018 FireEye
Agenda
§ Background
§ Source
§ Revisiting our Binary Analysis
§ Blind Spots
§ Wait, more binaries?
§ Video Artifacts
Michael Bailey (@mykill)
Analyzed Carbanak source code – okay, and a few binaries
§ Husband, Daddy, Bon Vivant
§ Remote from Huntsville, AL
– Staff Reverse Engineer
– Writing debuggers
– FakeNet-NG
§ Previously
– Mandiant Red Team
– Linux & Windows kernel @ Pikewerks
– Windows server admin
– B.S. C.E. @ MSOE
§ For fun
– Spinning DNB music
– Banjo??!
James “Tom” Bennett (@jtbennettjr)
FireEye’s original Carbanak analysis – binaries only!
§ Based in SoCal
– Staff Reverse Engineer on the FLARE team
– Long-time focus on improving malware detection technologies
– More recent focus on aiding investigations and intel with malware analysis
§ Previously
– Trend Micro
§ For fun
– Video games
– Hiking
What Is FLARE?
FLARE (FireEye Labs Advanced Reverse Engineering), shown on the slide surrounded by the groups it works with:
§ Mandiant Services
§ Managed Defense
§ iSIGHT Intel
§ Learning & Development
§ Products & Detections
§ Marketing & Sales
What Reverse Engineers Do
Assemble and compile (the forward direction):
.C file (source code) → Compiler → .ASM file (intermediate code) → Assembler → .OBJ binary → Linker → .EXE binary
Disassemble and decompile (the reverse direction):
.EXE binary → Disassembler → Assembly listing → Decompiler → Decompilation
We make sense of these.
Background
§ Carbanak (aka Anunak)
– Sophisticated and versatile backdoor
– Dating back to early 2014
– Used by select criminal groups, including the “Carbanak group”
– We do not attribute all Carbanak backdoor activity to a single group
– Client requested a full analysis report in summer 2016
– Tom spends his summer reverse engineering Carbanak
Background
§ FIN7 – prolific Russian financial criminals
– Professionals
– Dating back to 2015
– Carbanak users
– Targets payment card data, but flexible
– We’ve had our eye on them for some time
– Aug 1st, 2018:
§ FBI took custody of three members
§ FIN7 operated a “security” company
“Absurd”
Statistics
§ 4.6MB RAR / 20MB unpacked
§ 755 files according to dir /a-d /b /s | wc -l
§ 100,000 lines of code
§ 39 binary files
– 14 plugins and standalone agents
§ Mostly without source code
– Private key material
– .sln files
– “other”
The Source Code
Perfectly Readable! (if you know Russian)
Fast-Tracking Russian Language Learning
§ vocab.py:
– Walk source files finding chars outside [32, 126]
– Sort words by frequency of occurrence (3,400+!)
– Google Translate (500+), Internet Russian lessons
– Learned to read/type so I could search my list
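As an added illustration (my code, not the vocab.py from the talk), the same word-harvesting idea in Python: walk a source tree, keep only the lines that contain characters outside printable ASCII [32, 126], pull out the Cyrillic words and rank them by frequency. The file extensions, the cp1251 fallback (Russian-language Windows sources are often saved in that code page rather than UTF-8) and the two sample files are assumptions; the sample files are constructed so the script runs without the dump.

```python
import os
import re
from collections import Counter
from typing import Iterable, Iterator, List, Tuple

# Words made of Cyrillic letters (including ё/Ё). The dump mixes Latin code
# with Russian comments and strings, so only the Russian is collected.
CYRILLIC_WORD = re.compile(r"[А-Яа-яЁё]+")

# Assumed set of source-like extensions worth scanning.
SOURCE_EXTS = {".c", ".cpp", ".h", ".hpp", ".txt", ".rc", ".def"}


def has_non_printable_ascii(line: str) -> bool:
    """True if the line has any character outside printable ASCII [32, 126].
    Line endings and tabs are normalised first so they do not count."""
    cleaned = line.rstrip("\r\n").replace("\t", " ")
    return any(not (32 <= ord(ch) <= 126) for ch in cleaned)


def decode_source(raw: bytes) -> str:
    """Try UTF-8 first, fall back to cp1251 so Cyrillic is not mangled."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("cp1251", errors="replace")


def walk_sources(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, text) for every source-like file under root."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SOURCE_EXTS:
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, decode_source(fh.read())


def count_vocab(files: Iterable[Tuple[str, str]]) -> Counter:
    """Count case-folded Cyrillic words, looking only at lines that
    contain non-ASCII characters."""
    counts: Counter = Counter()
    for _, text in files:
        for line in text.splitlines():
            if has_non_printable_ascii(line):
                counts.update(w.lower() for w in CYRILLIC_WORD.findall(line))
    return counts


def top_words(counts: Counter, n: int = 20) -> List[Tuple[str, int]]:
    """Most frequent first; ties broken alphabetically so output is stable."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


# Constructed stand-in for the real source tree.
SAMPLE_FILES = [
    ("bot/file.cpp", "// Открыть файл конфигурации\nint OpenCfg();  // файл\n"),
    ("bot/net.cpp", "/* адрес сервера; сервер отвечает */\nint Connect();\n"),
]

if __name__ == "__main__":
    # To run over a real tree: count_vocab(walk_sources("path/to/dump"))
    for word, n in top_words(count_vocab(SAMPLE_FILES)):
        print(f"{n:5d}  {word}")
```

The frequency list is the point: translating the few hundred words at the top of it covers most of the comments and identifiers, and the lower-cased spelling is what you then grep for in the tree.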
Russian for Malware Analysts

| Russian | Phonetic | English | Occurrences | Rank (rough) |
|---|---|---|---|---|
| Файл | f ah y L | file | 224 | 5 |
| сервер | s e r v e r | server | 145 | 13 |
| адрес | a d r e s | address | 52 | 134 |
| команд | k o m a n d | command | 110+ | 27 |
| бота | b o t a | bot | 130 | 32 |
| плагин | p l ah g ee n | plugin | 116 | 39 |
| сервис | s e r v ee s | service | 70 | 46 |
| процесс | p r o ts e s s | process | 130ish | 63 |
So, source code analysis is a cakewalk, right?
Diabolical Circus of Named Pipes
Named Pipes
§ My analysis (too big for slide)
§ Let’s whiz through ~20 out of ~25 functions
§ Handling the “secure” command
§ Installs malicious notification package
– For persistence
§ WARNING: This gets ugly.
§ NOTE: Tom will visit violence upon me if I utter any function names :-P
[Slides 20–39: screenshots walking through the named-pipe handling functions]
Named Pipes
§ Control flow is
– Divergent
§ C2 protocols
§ Subtly different pipe message types
– Ambiguous
– TBH, confusing
Malware Mechanisms in Source
§ Loop
– Get process name
– Name -> hash
– Compare against all
– Return some numbers
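From the binary alone, a loop like that shows only hash constants and a comparison; the product list behind them comes back by hashing candidate process names and matching. This added Python example (mine, not Carbanak code) shows that resolution step and a mirror of the classify loop. The hash function is an assumed FNV-1a stand-in, since the page does not show Carbanak’s real one, and the hash table, return codes and wordlist are constructed.

```python
from typing import Dict, Iterable, Optional


def name_hash(name: str) -> int:
    """Assumed 32-bit FNV-1a over the lower-cased image name. Malware hashes
    names like this so the AV product list never appears as cleartext."""
    h = 0x811C9DC5
    for b in name.lower().encode("ascii", "ignore"):
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def classify_process(proc_name: str, table: Dict[int, int]) -> int:
    """Mirror of the loop on the slide: hash the name, compare against every
    known hash, return the associated code (0 = nothing of interest)."""
    return table.get(name_hash(proc_name), 0)


def resolve_hashes(targets: Iterable[int], candidates: Iterable[str]) -> Dict[int, Optional[str]]:
    """Analyst side: precompute the hash of every candidate process name and
    look each lifted constant up. Unmatched hashes stay None so the gap in
    the wordlist is visible rather than silently dropped."""
    table = {name_hash(c): c for c in candidates}
    return {t: table.get(t) for t in targets}


# Constructed: the (hash -> code) table an analyst would lift from the binary,
# and a wordlist of security-product process names to test it against.
KNOWN: Dict[int, int] = {
    name_hash("avgui.exe"): 1,      # AVG
    name_hash("avgsvc.exe"): 1,     # AVG
    name_hash("tmbmsrv.exe"): 2,    # Trend Micro
    0x1BADB002: 3,                  # constructed: not in our wordlist
}
WORDLIST = ["explorer.exe", "avgui.exe", "avgsvc.exe", "tmbmsrv.exe", "msmpeng.exe"]

if __name__ == "__main__":
    for h, name in resolve_hashes(KNOWN, WORDLIST).items():
        print(f"{h:08x} -> {name or '<unresolved>'}")
    print(classify_process("AVGUI.EXE", KNOWN))
```

With the source in hand the table is just a list of names and codes; without it, the unresolved entries are where an analyst goes hunting for more product names to feed the wordlist.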
Ah, source code
§ Beautiful context
AV Evasion: AVG
§ AVG evasion was commented out in AV.cpp
– Un-commented below for syntax highlighting
– Ryan Warns tested; FLARE disclosed late 2017
AV Evasion: Trend Micro
§ Process injection:
– Create child process
– Write code to an unnamed page-file-backed section/mapping
– Call ZwMapViewOfSection so the child can access the code
– Queue an APC to execute it
§ Avoids:
– VirtualAllocEx
– WriteProcessMemory
– CreateRemoteThread
– And most importantly: Trend Micro
§ Ryan Warns tested; FLARE disclosed late 2017
Four Months Later: Woohoo, New Feature!
Author Characterization
Author Characterization
§ Version 1 UUIDs (MAC addresses or timestamps)
– All standard
§ Paths
– VS files mostly reference drive O: as source root, except…
– C:\Users\hakurei reimu\AppData\Local\Temp
– C:\Users\Igor\AppData\Local\Temp
– E:\Projects\progs\Petrosjan\WndRec\...
– E:\Projects\progs\sbu\WndRec\...
§ Nothing conclusive
Source Code Survey
Exploits
Sploits
§ Sdrop – Runs the nameExe parameter with SYSTEM rights; research points to CVE-2013-3660
– Internals intersect with the other win32k vulnerability, “PathRec”, so CVE-2013-3660 is not positively confirmed
§ NDProxy – NDProxy.sys exploit CVE-2013-5065, originally authored by secniu
§ PathRec – CVE-2013-3660, copied ~verbatim from Rapid7’s Metasploit repo
§ UACBypass – UAC bypass via DLL hijacking
§ COM – Disables elevation prompts/dialogs via the IFileOperation COM interface
§ CVE-2014-4113 – win32k.sys privesc
§ BlackEnergy2
§ EUDC
Passwords, Key Material, and Secrets
C2 Passwords, RSA private key, Test cert
NBIs
§ Did find real NBIs (network-based indicators)
§ But all documented by FireEye intelligence
Were we right in our blog?
Our Carbanak Blog
§ Barry Vengerik and I wrote a blog on the Carbanak backdoor and its userbase a little over a year ago
§ Meant to supplement technical analysis previously reported by others [1], [2] and bring some novel insight into the operational details of the tool and its users
§ We shared some conclusions based on this research, but were they accurate?
1. https://securelist.com/files/2015/02/Carbanak_APT_eng.pdf
2. https://www.fox-it.com/en/files/2014/12/Anunak_APT-against-financial-institutions2.pdf
Behind the Blog: Hunting for More Carbanak
§ Lots of Carbanak tickets submitted over the years
§ Samples would be easy to hunt for, but always packed
§ Could hunt for packed samples, but no useful data to extract
§ Generic automated unpacker + giant malware repo + Carbanak signatures = hundreds of unpacked Carbanak samples!!
§ After culling out samples that revealed customer sensitive data, still 220 samples to report on
Processing Carbanak Samples in Bulk
§ Original compile time for template samples
§ Command & Control (C2) protocol version
§ Campaign marker and configured C2 addresses/ports
Now that we have source code, let’s look back
Evidence for Build Tool
§ Carbanak encrypts its strings to make analysis harder
§ No two samples used the same string encryption table
§ Samples with identical compile times utilized different encryption keys and addresses for C2 comms
§ Data in binaries changed without recompiling
And the source dump says…
[Screenshot: the Strings table in builder.h]
What About Those Template Binaries?
Rapid Builds
§ Spanning just over 2 years, 57 unique compile times discovered
§ Despite having a build tool, samples were found with compile times as little as 4 hours apart
§ Several of these samples had the exact same configuration
§ Why the need to recompile so often??
[Screenshot: Sample A beside Sample B]
And the source dump says…
§ #ifdef/#endif preprocessor directives determine whether code is “seen” by the compiler
§ Configure the macros before building the project
Distributed Source Code Theory
§ Based on newer compile times using older C2 protocol versions
§ Probable that multiple, independent copies of the Carbanak project exist
§ Source code might not be centralized, but distributed to various independent groups
Carbanak Sample
• Compiled 2016-06-07
• Implements protocol version 4
• Protocol version 5 seen as early as 2016-04-22
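An added example (mine, not FireEye’s bulk-processing tooling) of how the build-tool evidence above and this protocol-version argument can both be checked over a corpus in Python. Compile times are read straight from IMAGE_FILE_HEADER.TimeDateStamp; samples are then grouped by timestamp to find identical builds carrying different C2/key configuration, and walked in compile order to flag any sample whose protocol version is older than one already seen in an earlier build. The protocol version, C2 address and string-key fields are assumed to have been recovered from the unpacked configuration by other means; the corpus, its names, dates and addresses are constructed, and the PE stubs are headers only, not executables.

```python
import struct
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


def pe_compile_time(data: bytes) -> datetime:
    """Return IMAGE_FILE_HEADER.TimeDateStamp of a PE image as a UTC datetime.
    The linker writes this 32-bit epoch value at build time; a builder that
    patches configuration into a finished binary leaves it untouched."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # IMAGE_FILE_HEADER follows the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def stub_pe(built: datetime) -> bytes:
    """Constructed PE-shaped header (not an executable) carrying a timestamp,
    so the example runs without real samples."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 3, int(built.timestamp()), 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + file_hdr


@dataclass(frozen=True)
class Sample:
    name: str
    image: bytes
    protocol_version: int   # assumed: recovered from the unpacked config
    c2: str                 # assumed: configured C2 host:port
    string_key: str         # assumed: identifier of the string-encryption key

    @property
    def compiled(self) -> datetime:
        return pe_compile_time(self.image)


def build_tool_evidence(samples: List[Sample]) -> Dict[datetime, List[Tuple[str, str]]]:
    """Group by compile time; keep groups whose members carry different
    (C2, key) configurations. Same build, different data, no recompile:
    that is a builder at work."""
    by_stamp: Dict[datetime, Set[Tuple[str, str]]] = defaultdict(set)
    for s in samples:
        by_stamp[s.compiled].add((s.c2, s.string_key))
    return {ts: sorted(cfgs) for ts, cfgs in by_stamp.items() if len(cfgs) > 1}


def protocol_regressions(samples: List[Sample]) -> List[str]:
    """Walk samples in compile order and flag any whose protocol version is
    older than one already seen. With a single shared code base the version
    should never go backwards, so a regression suggests independent copies."""
    newest_seen = 0
    flagged: List[str] = []
    for s in sorted(samples, key=lambda x: x.compiled):
        if s.protocol_version < newest_seen:
            flagged.append(s.name)
        newest_seen = max(newest_seen, s.protocol_version)
    return flagged


def utc(y: int, m: int, d: int, h: int = 0) -> datetime:
    return datetime(y, m, d, h, tzinfo=timezone.utc)


# Constructed corpus; names, dates, versions and addresses are illustrative only.
CORPUS = [
    Sample("a.exe", stub_pe(utc(2016, 4, 22)), 5, "203.0.113.10:443", "key-01"),
    Sample("b.exe", stub_pe(utc(2016, 4, 22)), 5, "198.51.100.7:80", "key-02"),
    Sample("c.exe", stub_pe(utc(2016, 6, 7)), 4, "192.0.2.55:443", "key-03"),
    Sample("d.exe", stub_pe(utc(2016, 6, 8, 4)), 5, "192.0.2.55:443", "key-04"),
]

if __name__ == "__main__":
    for ts, cfgs in build_tool_evidence(CORPUS).items():
        print(ts.isoformat(), "->", cfgs)
    print("protocol regressions:", protocol_regressions(CORPUS))
```

On the constructed corpus the two 2016-04-22 samples share a build but not a configuration, and c.exe is the 2016-06-07 build that still speaks protocol 4 after version 5 was already in circulation. Note that TimeDateStamp is trivially forgeable, so the timestamp grouping is evidence only alongside the matching code bytes, as the slides’ Sample A / Sample B comparison shows.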
How’s my reversing? [ID: @jtbennettjr]
[Slides 72–76: Tom’s original binary analysis side by side with the source view]
All done now, right?
“I thought you were done”
Other Binaries
§ bot.dll: Carbanak – but who cares? :)
§ wi.exe: configurable web injection
§ met.plug: Metasploit with stager for the tinymet command
§ newdns.exe: Cobalt Strike DNS
§ pos.dll: card scraper
§ vnc.plug, vnc64.plug, hvnc.plug, hvnc64.plug: assorted (hidden) VNC plugins
§ plugin_kl.exe: keystroke logger
§ AutorunSidebar.dll: Windows Gadget persistence (with source code!)
§ rdpwrap.dll: opens 3389 in the firewall, enables multiple Terminal Services connections
![Page 80: Здравствуйтэ, Carbanak! · ©2018 FireEye Behind the Blog: Hunting for More Carbanak § Lots of Carbanak tickets submitted over the years § Samples would be easy to hunt](https://reader033.vdocuments.net/reader033/viewer/2022051322/6037e712fcc8ca713873c9b2/html5/thumbnails/80.jpg)
©2018 FireEye
§ bot.dll: Carbanak – but who cares? J
§ wi.exe: configurable web injection
§ met.plug: Metasploit with stager for tinymet command
§ newdns.exe: Cobalt Strike DNS
§ pos.dll: Card scraper
§ vnc.plug, vnc64.plug, hvnc.plug, hvnc64.plug: assorted (hidden) VNC plugins
§ plugin_kl.exe: keystroke logger
§ AutorunSidebar.dll: Windows Gadget persistence (with source code!)
§ rdpwrap.dll: open 3389 in fw, enable mult. TermSvc conns
Other Binaries
![Page 81: Здравствуйтэ, Carbanak! · ©2018 FireEye Behind the Blog: Hunting for More Carbanak § Lots of Carbanak tickets submitted over the years § Samples would be easy to hunt](https://reader033.vdocuments.net/reader033/viewer/2022051322/6037e712fcc8ca713873c9b2/html5/thumbnails/81.jpg)
©2018 FireEye
§ bot.dll: Carbanak – but who cares? J
§ wi.exe: configurable web injection
§ met.plug: Metasploit with stager for tinymet command
§ newdns.exe: Cobalt Strike DNS
§ pos.dll: Card scraper
§ vnc.plug, vnc64.plug, hvnc.plug, hvnc64.plug: assorted (hidden) VNC plugins
§ plugin_kl.exe: keystroke logger
§ AutorunSidebar.dll: Windows Gadget persistence (with source code!)
§ rdpwrap.dll: open 3389 in fw, enable mult. TermSvc conns
Other Binaries
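A defender-side check for the two changes the slide attributes to rdpwrap.dll (3389 opened in the firewall, multiple Terminal Services connections enabled). This is an added example, not code from the talk or the Carbanak tooling; it assumes the sample behaves like the public RDP Wrapper Library, which swaps the TermService ServiceDll, so that registry value is audited as well.

```powershell
# Added example (not from the talk): audit a Windows host for the changes the slide
# attributes to rdpwrap.dll. Assumption: the sample works like the public RDP Wrapper
# Library and therefore replaces the TermService ServiceDll (stock: termsrv.dll).
# Run from an elevated PowerShell session on the host being audited.

function Get-RdpExposureReport {
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $ts    = Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue

    # Enabled inbound allow rules that expose TCP 3389. Rules whose LocalPort is
    # 'Any' also expose it but are intentionally left out to keep the list focused.
    $rdpRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $ports = $_ | Get-NetFirewallPortFilter
            $ports.Protocol -eq 'TCP' -and $ports.LocalPort -contains '3389'
        }

    # DLL that the TermService service actually loads; REG_EXPAND_SZ is expanded for us.
    $svcDll = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' `
               -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll

    [pscustomobject]@{
        RdpConnectionsAllowed    = ($ts.fDenyTSConnections -eq 0)      # 0 = RDP accepted
        MultipleSessionsPerUser  = ($ts.fSingleSessionPerUser -eq 0)   # 0 = concurrent sessions per user
        InboundAllowRulesFor3389 = @($rdpRules | Select-Object -ExpandProperty DisplayName)
        TermServiceDll           = $svcDll
        TermServiceDllIsStock    = [bool]($svcDll -and ($svcDll -like '*\termsrv.dll'))
    }
}

$report = Get-RdpExposureReport
$report | Format-List

# Either finding alone is unusual on a workstation and warrants a closer look.
if ($report.MultipleSessionsPerUser -or -not $report.TermServiceDllIsStock) {
    Write-Warning 'Terminal Services configuration deviates from stock; investigate the host.'
}
```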
But That’s Not All
Desktop Video
§ Carbanak can record video of your desktop
§ Attackers purportedly viewed recorded desktop videos to understand the operational workflow of bankers [1]
§ They used this feature, along with other Carbanak features and other tools, to insert fraudulent transactions and steal millions of dollars
§ We reversed the video format and uncommented old source to make the RDP player work for the old video files we found
§ One such video was very interesting...
1. https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/
The Attacker’s View
Desktop Video
Red teamer’s scratch pad of command line magic
What does this mean?
Takeaways
§ Ironically, source code does not always elucidate
– Hard code is hard :)
– Cross-references > grep
§ But naturally, source does come with unique discoveries
§ Carbanak: lots of time spent on custom capabilities, but also not averse to public/commercial tools
§ Confirmed theories from the blog
– Theories derived from hunting and post-processing scripts
– Even without source code, we can still make accurate inferences
§ And... vindicated! Tom's binary analysis was spot on
– We don't usually get the answer key! :)
FIN7 via FireEye: https://feye.io/fin7
Mike & Tom on Twitter: @mykill, @jtbennettjr
Resources
§ FIN7 via FireEye: https://feye.io/fin7
§ Carbanak via others
– Kaspersky: securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/
– Group-IB and Fox-IT: group-ib.com/files/Anunak_APT_against_financial_institutions.pdf
§ FIN7 using Cobalt Strike: icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns
§ RSA private key blob: msdn.microsoft.com/en-us/library/cc250013.aspx
§ Decrypting PFX (X.509) files: msdn.microsoft.com/en-us/library/ms148440.aspx
§ Shellcode hashes: fireeye.com/blog/threat-research/2012/11/precalculated-string-hashes-reverse-engineering-shellcode.html
§ Shims: blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf