Image from  Shutterstock.com (c) Maksim Kabakou
Image from Shutterstock.com (c) Maksim Kabakou

Contact centre agents should be warned about allowing alleged customers sending them email with attachments after a security vendor discovered a new wave of attacks against three customers including North American hospitality companies, attacks similar to ones from the Eastern European based Carbanak crime group

In a blog posted Monday, Trustwave said it came to that conclusion after investigating incidents.

In one instance an attacker called a customer contact line saying that they were unable to use the online reservation system so wanted to send their information to the agent by email attachment, said the report. The attachment was a malicious Word document that contained an encoded .VBS script capable of stealing system information, desktop screenshots, and to download additional malware. The malware replaced text in a Word document with that of its own, which to the agent looks like a request for information from the hotel for a corporate function.

The malicious VB Script will use macros to search for instances of Microsoft Word running on the system, if found, it will clear the existing text and replace it. “This malware was capable of stealing significant system and network information,” says Trustwave.  “It was also used to download several other reconnaissance tools to map out the network.” Downloaded tools have included Nmap, FreeRDP, NCat, NPing, and others.

Beaconing messages are sent out to 179.43.133.34 via standard HTTP GET requests every five minutes, said Trustwave, to let a command and control server know a system has been compromised.  “Using this simple methodology allows the beaconing to hide very well within standard corporate network traffic.”  However, the report adds, its uniformity of structure also allows analysts to identify it relatively quickly as well.

If not stopped, however, the process downloads malware that executes a new iteration of svchost.exe and injects its malicious code into this running process.  This hides the malware within the svchost.exe process. It then searches Kaspersky antivirus processes and terminates them if running on the victim system.

It then downloads kldconfig.exekldconfig.plug, and runmem.wi.exe, which Trustwave says are all well-known Carbanak malware tools. Variations of them were used in the banking intrusions in 2015.  Additionally, the decrypted code references “anunak_config” which is the encrypted configuration file that it downloads from its control server. The Anunak crime group is generally believed to be synonymous with Carbanak.

“This malware is very multi-functional as it can enable remote desktop, steal local passwords, search user’s email, target IFOBS banking systems (which Carbanak used so effectively in recent banking attacks), or install completely different remote desktop programs, such as VNC or AMMYY … Finally, this malware, like so many others, is designed to target credit card data by scraping memory on Point-of-Sale systems., which is presumably the end goal.”

In short, “the attacker uses social engineering to gain their foothold in the victim network, downloads reconnaissance tools to scan the network and move laterally into the card holder data environment, and then infects systems able to process card transactions.”

“The persistence, professionalism, and pervasiveness of this campaign is at a level rarely seen by Trustwave.” says author Brian Hussey, the company’s director of global incident readiness and response. “The malware used is very multifaceted and still not caught by most (if any) antivirus engines. The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement is rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient.”