Carbanak Hackers Using Bateleur Backdoor

The financially-motivated Carbanak hacker group has added a new JScript backdoor to its cyber-weapons arsenal, along with updated macros, Proofpoint security researchers warn.

Also referred to as FIN7, the multinational gang of cybercriminals has been active for at least two years and has been associated with a variety of incidents this year. In 2015, Kasperskly Lab first outed the group, saying that had hit more than 100 banks across 30 countries and made off with up to one billion dollars over a period of roughly two years.

In early May, the group was said to have started using shims for process injection and persistence, only one week after adopting new phishing techniques, including the use of hidden shortcut files (LNK files) for target compromise.

Recently, the group started using new macros and a commodity backdoor called Bateleur in attacks against United States-based chain restaurants, Proofpoint reveals. Previously, the group had been targeting hospitality organizations, retailers, merchant services, suppliers and others.

The security researchers also note that both the new macros and the backdoor use sophisticated anti-analysis and sandbox evasion techniques. The group started using macro documents to drop the previously undocumented JScript backdoor in June, marking a switch from their customary GGLDR payload. Both the macro and the malware have seen multiple updates since June.

Depending on the type of account the spam email is sent from (i.e. Outlook, Gmail), the attachment document packs a matching lure by claiming that the document as encrypted by the mail service’s Protect Service. The macro-enabled document grabs the malicious payload from a caption, saves the content to debug.txt, then creates a scheduled task to execute debug.txt as a JScript. The macro sleeps for 10 seconds, then deletes the scheduled task

The malicious JScript – which is the Bateleur backdoor – has anti-sandbox and anti-analysis (obfuscation) functionality. 

The malware can also retrieve a PowerShell command containing a payload capable of retrieving user account credentials, meaning that it could also potentially target user’s passwords with the help of an additional module, Proofpoint says.

Proofpoint has observed the malware jump from version 1.0 to over the course of a single month and reveals that several commands were added with the update, including the ability to execute a fetched EXE or PowerShell commands via WMI.

“Although Bateleur has a much smaller footprint than GGLDR/HALFBAKED, lacks basic features such as encoding in the C&C protocol, and does not have backup C&C servers, we expect the Bateleur developer(s) may add those features in the near future,” the security researchers say.

Proofpoint claims it has determined with a high degree of certainty that Bateleur is being used by the FIN7/Carbanak group, and also provides some evidence to sustain the claim.

In June, similar messages separately dropped GGLDR and Bateleur to the same target, and the timing and similarity suggest the same actor was behind all of them, especially with some messages “sharing very similar or identical attachment names, subject lines, and/or sender addresses.”

Bateleur was also observed downloading the Tinymet Meterpreter downloader, a tool employed by Carbanak hackers since at least as far back as 2016. A new command tinymet recently added to the FIN7-linked GGLDR/HALFBAKED backdoor was also observed downloading a JScript version of the Tinymet Meterpreter downloader.

“We continue to see regular changes to the tactics and tools used by FIN7 in their attempt to infect more targets and evade detection. The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group’s expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines,” the security researchers conclude.

Related: Carbanak Hackers Use Shims for Process Injection, Persistence

RelatedFIN7 Hackers Change Phishing Techniques

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire: