A major Canadian corporation is among hospitality-industry organizations in several countries whose financial operations have been compromised by a Microsoft Word macro-based attack that appears to be orchestrated by criminal groups working together, according to a security vendor.
A spokesperson for Trustwave's SpiderLabs said the name of the company couldn't be released, but said the attackers bought fake identities in order to purchase legitimate digital certificates as part of the scheme. The actors also used cloud services, including Google Docs spreadsheets, Google Forms and Pastebin.com, for command and control, to keep track of infected systems.
Word of the attack first spread Jan. 1 in the Tr1adx Intelligence Bulletin. On Tuesday Forcepoint Security Labs issued a report with more detail, which it tied to the Carbanak/Anunak criminal gang. The group was first identified in 2015, but this new Carbanak campaign, apparently dating back to the fall of 2016, uses weaponized Office documents hosted on mirrored domains to distribute malware. On Wednesday Trustwave added to the information with a report on the campaign (registration required), which it calls "Grand Mars" after the name the criminals used in one of the digital certificates purchased from Comodo Group.
“The motivation of this operation appears to be financial gain, total control of the infrastructure and collection of bots within the victim organizations,” says Trustwave. “The forensics investigation and analysis indicates that these activities had been performed by different individuals or different groups of people, leading us to conclude that several malicious groups had co-operated in this operation with each group holding its own role and task. It soon became obvious that we were dealing with organized crime responsible for establishing this complex system of network hosts and large numbers of malicious files in order to perform the attacks against multiple victims.”
"The attack vector is an email message with a Microsoft Word document as an attachment. Once the attachment was opened, multiple malicious files were created or downloaded, allowing the attackers to gain some level of access into the victim's infrastructure," says Trustwave. "In some cases, attackers actually called the victims over the phone, a social engineering vector, in order to trick them into opening the attachments."
Once a host was infected, several pass-the-hash techniques were used to escalate privileges, says Trustwave, while persistence was achieved through scheduled tasks and several of the operating system's auto-start locations. Ultimately these actions allowed the attackers to gain domain or even enterprise admin level access to the network and install memory-resident malware.
The use of common cloud services for command and control is cunning, since most enterprise networks allow access to these services; as Trustwave notes, it is almost impossible to blacklist them. "The Carbanak actors continue to look for stealth techniques to evade detection," says Forcepoint. "Using Google as an independent C&C channel is likely to be more successful than using newly created domains or domains with no reputation."
A typical message sent to a hotel would say the sender wants to book rooms for employees, with an attachment purporting to be a list of guest names. Because the default setting in Microsoft Word prevents macros from being executed, a gang member calls the hotel and asks that the attachment be opened, thus ensuring infection. If an unsuspecting employee tries to open the document themselves, a warning will pop up, but the malicious document itself includes instructions on bypassing the safety control.
“It is highly recommended that organizations within the retail, e-commerce and hospitality industries implement strategic countermeasures immediately,” says Trustwave. “Undertake a thorough compromise assessment proactively rather than wait for the first signs of attack.”
A comprehensive threat hunt, using the information and indicators of compromise in these reports, is also recommended.
All staff have to be reminded, again, of security policies, including being wary of email with attachments. IT should disable execution of VBS/VBE scripts and macros in documents that originate from the Internet, says Trustwave, minimize the number and use of administrator accounts, and change local user and administrator passwords regularly.
Since the malware is primarily memory-resident, with no disk or file-system level changes made to the host system, IT should watch for services with randomized names being installed and started on systems, along with the other indicators of compromise in the reports.
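One way to act on that last recommendation, as an added example (this is not code from Trustwave, Forcepoint or the article): a small Python hunt that reads Windows System log "A service was installed in the system" records (Event ID 7045) and flags service names that look machine-generated. The pipe-delimited rendering of the events, the sample records, and the scoring thresholds are all constructed for this example; in a real environment the lines would come from an export of the System log or a SIEM, and the thresholds would be tuned against a baseline of the organization's own service names.

```python
"""Hunt for services with machine-generated names in Windows 'service installed'
events (System log, Event ID 7045). Added example; not code from Trustwave,
Forcepoint or the article. The pipe-delimited event rendering and the sample
records below are constructed for this example, and the thresholds are
heuristics, not published indicators."""
import math
import re
from collections import Counter

# Constructed sample: one record per line, a flattened rendering of Event ID 7045
# ("A service was installed in the system"), plus one 7036 state-change event
# that the hunt must ignore. Service names and image paths are made up.
SAMPLE_EVENTS = [
    "7045|2017-01-12T03:14:07Z|HOST-01|Service Name: Spooler|Image: C:\\Windows\\System32\\spoolsv.exe",
    "7045|2017-01-12T03:15:22Z|HOST-01|Service Name: xKq9vZt2pL|Image: C:\\Windows\\Temp\\xKq9vZt2pL.exe",
    "7045|2017-01-12T03:16:45Z|HOST-02|Service Name: WinDefend|Image: C:\\Program Files\\Windows Defender\\MsMpEng.exe",
    "7045|2017-01-12T03:17:01Z|HOST-02|Service Name: a7f3e9c1b2d4|Image: %COMSPEC% /c start /b powershell -nop -w hidden -enc <payload>",
    "7036|2017-01-12T03:17:02Z|HOST-02|Service Name: a7f3e9c1b2d4|Image: -",
    "7045|2017-01-12T03:18:30Z|HOST-03|Service Name: GoogleUpdate|Image: C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe",
    "7045|2017-01-12T03:19:12Z|HOST-03|Service Name: ZqXvTbRwKpNm|Image: C:\\Users\\Public\\svc.exe",
]

# Field layout of the constructed rendering: id|timestamp|host|Service Name: X|Image: Y
EVENT_RE = re.compile(
    r"^(?P<event_id>\d+)\|(?P<ts>[^|]+)\|(?P<host>[^|]+)\|"
    r"Service Name: (?P<name>[^|]+)\|Image: (?P<image>.*)$"
)
VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character; random alphanumerics score high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(name):
    """Heuristic: high character entropy combined with a digit-heavy,
    vowel-poor or unpronounceable shape. Legitimate names such as
    'Spooler' or 'GoogleUpdate' fall below the bar; some vendor names
    with long consonant runs will not, hence the allowlist in hunt()."""
    s = name.lower()
    if len(s) < 6:
        return False
    digit_ratio = sum(ch.isdigit() for ch in s) / len(s)
    vowel_ratio = sum(ch in VOWELS for ch in s) / len(s)
    longest_consonant_run = max(
        (len(m) for m in re.findall(r"[b-df-hj-np-tv-z]+", s)), default=0
    )
    return shannon_entropy(s) >= 3.0 and (
        digit_ratio >= 0.2 or vowel_ratio < 0.2 or longest_consonant_run >= 4
    )


def parse_event(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None


def hunt(lines, allowlist=frozenset()):
    """Return (host, service name, image) for every 7045 installation whose
    service name looks random and is not on the caller's known-good allowlist."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event_id"] != "7045":
            continue  # only service *installations* are of interest here
        if ev["name"] in allowlist or not looks_random(ev["name"]):
            continue
        hits.append((ev["host"], ev["name"], ev["image"]))
    return hits


if __name__ == "__main__":
    for host, name, image in hunt(SAMPLE_EVENTS):
        print(f"{host}: suspicious service {name!r} -> {image}")
```

The name check is deliberately a coarse first pass: it surfaces the randomized names the report describes so an analyst can pivot to the image path (a binary under Temp or Users\Public, or a `%COMSPEC%` one-liner launching PowerShell, both of which appear in the constructed sample), to the scheduled tasks and auto-start entries the article mentions, and to the indicators published in the Forcepoint and Trustwave reports.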