Recently there have been media reports regarding cybercriminals (dubbed “Carbanak” by Kaspersky Labs) attacking banks and other financial services companies to transfer funds.
What We Know
- This is not a “recent” attack (though the attack vectors are still “live”).
- This malware attack appears to stem from a “phishing” attack through vulnerabilities in Microsoft Office.
- Several Indicators of Compromise (IoCs) are listed in the Kaspersky report.
- On a daily basis, eSentire deals with these (and many other) malware attacks as part of standard operating procedure.
- Several of the IP addresses listed among the IoCs were already blacklisted in eSentire’s Asset Manager Protect (AMP) Blacklist before the Kaspersky advisory was released.
eSentire features that help protect you:
- Based on the IoCs disclosed, we are currently running a “Targeted Retrospective” review of saved forensic data across our entire client base to confirm an “All Clear” status regarding this particular exploit. The ESOC will only contact customers if a risk is identified in our forensic review.
- EXEcutioner can stop the download of malicious payloads over HTTP if you have instructed ESOC to enable it. If you would like the EXEcutioner enabled, please contact the ESOC.
- AMP can stop the communication to known command and control servers. This service is enabled by default for our customers.
- Behavioral analysis tools can detect anomalous network behavior.
- The ESOC can quarantine suspected systems at your direction or based on established policy.
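The IoC-based retrospective review described above can be reproduced on your own saved logs. The following PowerShell is an added example, not eSentire's tooling and not taken from the Kaspersky report: it reads an OpenIOC-style indicator file of the kind linked at the end of this post, maps the network indicators onto proxy log fields, and reports every historical connection that matches. The indicator XML, the IP/hash/URI values in it, and the proxy log lines are constructed samples with placeholder values; the field names (`dst_ip`, `uri`, and so on) are assumptions about your log format.

```powershell
# Added example: retrospective match of saved proxy logs against an OpenIOC file.
# All indicator values and log lines below are constructed placeholders.

# Constructed OpenIOC document (same structure as a real .ioc file, placeholder values).
$iocText = @'
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-example">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="PortItem" search="PortItem/remoteIP"/>
        <Content type="IP">192.0.2.10</Content>
      </IndicatorItem>
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem condition="contains">
        <Context document="Network" search="Network/URI"/>
        <Content type="string">/update/check.php</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
'@
$ioc = [xml]$iocText

# Flatten every IndicatorItem (nested Indicator groups included) into search/condition/value.
$indicators = foreach ($item in $ioc.GetElementsByTagName('IndicatorItem')) {
    [pscustomobject]@{
        Search    = $item.Context.search
        Condition = $item.condition
        Value     = $item.Content.'#text'
    }
}

# Constructed proxy log: timestamp,src,dst_ip,host,uri,status (assumed column layout).
$proxyLines = @'
2015-02-16T09:12:01Z,10.1.4.22,198.51.100.5,www.example.com,/index.html,200
2015-02-16T09:14:37Z,10.1.4.22,192.0.2.10,update.example.net,/update/check.php,200
2015-02-16T09:15:02Z,10.1.7.9,203.0.113.8,cdn.example.org,/img/logo.png,304
'@ -split "`r?`n"
$entries = $proxyLines | ConvertFrom-Csv -Header timestamp,src,dst_ip,host,uri,status

# Only network indicators apply to proxy logs; file hashes need host forensics instead.
$fieldMap = @{ 'PortItem/remoteIP' = 'dst_ip'; 'Network/URI' = 'uri' }

function Test-IocMatch {
    param([string]$Field, [string]$Condition, [string]$Value)
    switch ($Condition) {
        'is'       { return $Field -eq $Value }
        'contains' { return $Field -like "*$Value*" }
        default    { return $false }   # other OpenIOC conditions not handled here
    }
}

$hits = foreach ($row in $entries) {
    foreach ($ind in $indicators) {
        $field = $fieldMap[$ind.Search]
        if ($field -and (Test-IocMatch $row.$field $ind.Condition $ind.Value)) {
            [pscustomobject]@{
                Time      = $row.timestamp
                Source    = $row.src
                Indicator = "$($ind.Search) $($ind.Condition) $($ind.Value)"
                Matched   = $row.$field
            }
        }
    }
}

# Each internal host with a hit is a candidate for quarantine and host-level review.
$hits | Format-Table -AutoSize
$hits | Select-Object -ExpandProperty Source -Unique
```

Against the constructed data the script reports two hits for 10.1.4.22 (the destination IP and the URI both match) and none for 10.1.7.9. The hash indicator is carried through the parser so the same flattened list can be reused against disk or memory artefacts, where `FileItem/Md5sum` applies.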
Further (Future) Protection
How to further protect yourself from these (and other) emerging threats:
- Ensure that all Microsoft Office products are up-to-date.
- EMET can help further prevent memory protection bypasses (microsoft.com/emet).
- Configure Windows to display full file extensions (this prevents an executable such as invoice.pdf.exe from appearing as a harmless invoice.pdf).
- User awareness (infections are occurring when users open a malicious payload shipped as a spam email attachment).
- Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
- Remind users to be cautious when clicking on links in emails coming from trusted sources.
- If you are running Windows 7 Ultimate/Enterprise or Windows 8 Pro/Enterprise you have the ability to use AppLocker. AppLocker is able to defend against malware infections because it can require all programs to be signed by a legitimate software publisher.
  - Create a new GPO.
  - Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings, Security Settings, Application Control Policies and AppLocker.
  - Click Configure Rule Enforcement.
  - Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
  - In the left pane, click Executable Rules.
  - Right-click in the right pane and select Create New Rule.
  - On the Before You Begin screen, click Next.
  - On the Permissions screen, click Next.
  - On the Conditions screen, select the Publisher condition and click Next.
  - Click the Browse button and browse to any executable file on your system. It doesn't matter which.
  - Drag the slider up to Any Publisher and then click Next.
  - Click Next on the Exceptions screen.
  - Name the policy something like "Only run executables that are signed" and click Create.
  - If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules -- go ahead and click Yes here.
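The AppLocker steps above produce a single "Any Publisher" allow rule in the Executable Rules collection. The PowerShell below is an added example, not part of the advisory and not eSentire's own code, that builds the same rule as an AppLocker policy file, dry-runs it against sample binaries before enforcing, and then applies it. It assumes an administrative session on an AppLocker-capable Windows edition; `C:\Temp\AppLocker-SignedOnly.xml` and `C:\Temp\unsigned-sample.exe` are placeholder paths.

```powershell
# Added example: the "Only run executables that are signed" rule via PowerShell.
# Assumes an elevated session; paths under C:\Temp are placeholders.

$policyPath = 'C:\Temp\AppLocker-SignedOnly.xml'

# An "Any Publisher" rule is a FilePublisherCondition with every field set to "*".
# S-1-1-0 is the well-known SID for Everyone. EnforcementMode="Enabled" is the
# GUI's "Enforce rules"; "AuditOnly" logs what would be blocked without blocking.
$ruleId = [guid]::NewGuid().ToString()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="$ruleId" Name="Only run executables that are signed"
        Description="Allow any executable carrying a valid Authenticode signature"
        UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
New-Item -ItemType Directory -Force -Path (Split-Path $policyPath) | Out-Null
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: Test-AppLockerPolicy evaluates files against the XML without applying it.
# A signed Windows binary should report Allowed; an unsigned binary (placeholder
# path) should report DeniedByDefault, because once the Exe collection contains
# any rule, everything the rules do not explicitly allow is blocked.
$samples = @(
    "$env:SystemRoot\System32\notepad.exe",   # signed by Microsoft
    'C:\Temp\unsigned-sample.exe'             # placeholder for an unsigned binary
) | Where-Object { Test-Path $_ }
Test-AppLockerPolicy -XmlPolicy $policyPath -Path $samples -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Enforcement only happens while the Application Identity service is running.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# Apply to the local policy. -Merge keeps rules already present (for example the
# default rules the GUI offers to create); omit it to replace the whole policy.
# For a domain GPO, pass -Ldap with the GPO's LDAP path instead.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Confirm what is now in effect on this machine.
Get-AppLockerPolicy -Effective -Xml
```

Running the dry run first matters: without the default rules merged in, a policy containing only the publisher rule blocks every unsigned administrative script and in-house tool, so test against a representative set of binaries (and consider `AuditOnly` for a first rollout) before switching to enforcement.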
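The file-extension item in the list above addresses the classic double-extension trick (an executable named like a document). As an added example, not from the advisory, the PowerShell below turns on full extensions for the current user and scans a folder for files whose name carries a document extension followed by an executable one, reporting how each would have appeared with extensions hidden and whether it is signed. The registry value is Explorer's real `HideFileExt` setting; the scan folder `C:\Temp\Attachments` and the extension lists are assumptions you can adjust. In a domain, the same value is normally pushed with a Group Policy registry preference rather than per machine.

```powershell
# Added example: show full extensions and find document-named executables.
# C:\Temp\Attachments is a placeholder scan path.

function Show-FileExtensions {
    # HideFileExt=1 is the Explorer default that renders Invoice.pdf.exe as Invoice.pdf.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Set-ItemProperty -Path $key -Name HideFileExt -Value 0 -Type DWord
    # Explorer reads the value when it starts; Windows relaunches the shell after
    # explorer.exe is stopped, so this applies the change without signing out.
    Stop-Process -Name explorer -Force
}

function Find-DisguisedExecutable {
    param([Parameter(Mandatory)][string]$Path)
    # Assumed lists: extensions Windows will execute, and extensions users trust.
    $executable = 'exe','scr','com','pif','bat','cmd','js','jse','vbs','vbe','wsf','hta','lnk'
    $document   = 'pdf','doc','docx','xls','xlsx','ppt','pptx','txt','jpg','png','zip'
    $execAlt = $executable -join '|'
    $docAlt  = $document -join '|'
    $pattern = "\.($docAlt)\.($execAlt)$"      # e.g. ".pdf.exe" at end of name (-match is case-insensitive)

    Get-ChildItem -Path $Path -File -Recurse -Force |
        Where-Object { $_.Name -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                FullName  = $_.FullName
                AppearsAs = $_.Name -replace "\.($execAlt)$", ''   # what a user sees with extensions hidden
                Signed    = (Get-AuthenticodeSignature -FilePath $_.FullName).Status -eq 'Valid'
            }
        }
}

Show-FileExtensions
Find-DisguisedExecutable -Path 'C:\Temp\Attachments' | Format-Table -AutoSize
```

The `Signed` column is there so the scan output lines up with the AppLocker rule: an unsigned file from the scan is exactly what a signed-only executable policy would block.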
Original Release: securelist.com/files/2015/02/Carbanak_APT_eng.pdf
Open Indicators of Compromise List: securelist.com/files/2015/02/c36e528f-d48e-4ad0-b822-da1c610e9710.ioc