We have further information on the recent media reports about the cybercriminal group dubbed "Carbanak" by Kaspersky Lab, which has been attacking banks and other financial services companies in order to transfer funds out of them.

What We Know
  • Several Indicators of Compromise (IoCs) are listed within the Kaspersky report (see the links at the end of this notice).
  • As appropriate, the IP addresses listed within the IoCs have been blacklisted within eSentire's Asset Manager Protect (AMP) module.
  • eSentire has performed a "Targeted Retrospection" review of saved forensic data across our entire client base, searching for these IoCs.
  • Through this “Targeted Retrospection”, we have found no evidence whatsoever that any eSentire client has been subject to a successful exploit by the “Carbanak” cybercrime group. 
  • On a daily basis, eSentire deals with these (and many other) malware attacks as part of standard operating procedure and will continue to do so going forward.
  • Nevertheless, we highly recommend that our clients use every defense method at their disposal to reduce the attack surface and susceptibility to exploitation.
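The retrospection described above boils down to extracting the indicators from the published OpenIOC file and running them over retained network and host data. The following PowerShell script is an added example of that workflow and is not eSentire's own tooling. The IOC document, the log lines and the hash inventory are constructed for illustration only: the IP addresses are RFC 5737 documentation addresses and the MD5 values are placeholders, not indicators from the Carbanak report. To use it against the real list, replace the here-string with `[xml](Get-Content .\carbanak.ioc)` and the sample arrays with your own exported logs.

```powershell
# Added example (not eSentire's tooling): pull network and file indicators out of an
# OpenIOC 1.0 document and run them against saved proxy/firewall logs and a host hash sweep.
# Everything below the comment block is constructed sample data (RFC 5737 IPs, placeholder MD5s).
# Works in Windows PowerShell 3.0+ without extra modules.

[xml]$iocDoc = @'
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="00000000-0000-0000-0000-000000000001" last-modified="2015-02-16T00:00:00">
  <short_description>Constructed sample IOC (not Carbanak)</short_description>
  <definition>
    <Indicator operator="OR" id="00000000-0000-0000-0000-000000000002">
      <IndicatorItem id="00000000-0000-0000-0000-000000000003" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
        <Content type="IP">203.0.113.10</Content>
      </IndicatorItem>
      <IndicatorItem id="00000000-0000-0000-0000-000000000004" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir"/>
        <Content type="IP">198.51.100.77</Content>
      </IndicatorItem>
      <IndicatorItem id="00000000-0000-0000-0000-000000000005" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
'@

# Constructed retained data: "timestamp src dst action" (firewall), "timestamp user url" (proxy),
# and "host md5 path" (output of a host hash sweep).
$firewallLog = @(
  '2015-02-16T09:12:01 10.0.4.21 93.184.216.34 ALLOW',
  '2015-02-16T09:12:07 10.0.4.21 203.0.113.10 ALLOW',
  '2015-02-16T09:13:44 10.0.4.38 198.51.100.1 ALLOW'
)
$proxyLog = @(
  '2015-02-16T09:12:05 jsmith http://203.0.113.10/update.php',
  '2015-02-16T09:15:30 jdoe http://www.example.com/'
)
$hashInventory = @(
  'WKS-021 d41d8cd98f00b204e9800998ecf8427e C:\Users\jsmith\AppData\Local\Temp\a.exe',
  'WKS-038 0123456789ABCDEF0123456789ABCDEF C:\Users\jdoe\AppData\Roaming\svchost.exe'
)

# Walk every IndicatorItem regardless of how deeply the Indicator blocks are nested.
# OpenIOC uses a default XML namespace, so the XPath needs a prefix bound to it.
$ns = @{ ioc = 'http://schemas.mandiant.com/2010/ioc' }
$items = Select-Xml -Xml $iocDoc -XPath '//ioc:IndicatorItem' -Namespace $ns | ForEach-Object {
  [pscustomobject]@{
    Search    = $_.Node.Context.search      # e.g. PortItem/remoteIP, FileItem/Md5sum
    Type      = $_.Node.Content.type        # e.g. IP, md5
    Value     = $_.Node.Content.'#text'
    Condition = $_.Node.condition
  }
}

$ipIocs  = $items | Where-Object { $_.Type -eq 'IP' }  | ForEach-Object { $_.Value }
$md5Iocs = $items | Where-Object { $_.Type -eq 'md5' } | ForEach-Object { $_.Value.ToLower() }

# Match whole addresses only: escape the dots and refuse digit/dot neighbours, so that
# 203.0.113.10 does not also fire on 203.0.113.100 or 1203.0.113.10.
$ipPattern = '(?<![\d.])(' + (($ipIocs | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')(?![\d.])'

$hits = @()
foreach ($line in ($firewallLog + $proxyLog)) {
  if ($line -match $ipPattern) {
    $hits += [pscustomobject]@{ Source = 'network'; Indicator = $Matches[1]; Line = $line }
  }
}
foreach ($line in $hashInventory) {
  $md5 = ($line -split '\s+')[1].ToLower()   # hash sweeps differ in case; IoC hashes are normalised above
  if ($md5Iocs -contains $md5) {
    $hits += [pscustomobject]@{ Source = 'host'; Indicator = $md5; Line = $line }
  }
}

if ($hits.Count -eq 0) { 'No IoC matches in the retained data.' } else { $hits | Format-Table -AutoSize }
```

With the constructed data the script reports three hits: the firewall and proxy entries for 203.0.113.10 and the host entry whose MD5 matches the placeholder hash; the 198.51.100.1 firewall entry is correctly not reported against the 198.51.100.77 indicator. The `condition` attribute is carried along but, like the "is" items here, everything is treated as an exact match; a production scanner would also have to honour "contains" and the AND/OR `operator` on the enclosing Indicator elements.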
eSentire Defenses
eSentire features that help protect you:
  • EXEcutioner can stop the download of malicious payloads over HTTP, but only if you have instructed the ESOC to enable it. If you would like EXEcutioner enabled, please contact the ESOC.
  • AMP can stop communication to known command and control servers. This service is enabled by default for our customers.
  • Behavioral analysis tools can detect anomalous network behavior.
  • The ESOC can quarantine suspected systems at your direction or based on established policy.

Further (Future) Protection
How to further protect yourself from these (and other) emerging threats:
  • Ensure that all Microsoft Office products are up-to-date.
  • EMET (microsoft.com/emet) adds exploit mitigations such as DEP, ASLR and ROP checks to applications that do not opt in themselves, which makes memory corruption exploits of the kind delivered in malicious documents harder to land.
  • Configure Windows to display full file extensions. Explorer hides extensions for known file types by default, so a file named invoice.pdf.exe is shown as "invoice.pdf"; showing extensions makes that disguise visible to the user, although it does not by itself stop the file from running.
  • User awareness: infections are occurring when users open a malicious payload shipped as a spam email attachment.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Remind users to be cautious when clicking on links in emails, even those coming from trusted sources.

If you are running Windows 7 Ultimate/Enterprise or Windows 8 Enterprise you have the ability to use AppLocker (Windows 8 Pro can author AppLocker policies but does not enforce them; enforcement requires the Enterprise edition). AppLocker is able to defend against malware infections because it can require all programs to carry a valid digital signature. Note that the rule created below checks only that the signature is valid, not that the publisher is trustworthy, and that AppLocker enforces nothing unless the Application Identity service (AppIDSvc) is running.

  • Create a new GPO.
  • Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings, Security Settings, Application Control Policies and AppLocker.
  • Click Configure Rule Enforcement.
  • Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
  • In the left pane, click Executable Rules
  • Right-click in the right pane and select Create New Rule.
  • On the Before You Begin screen, click Next.
  • On the Permissions screen, click Next.
  • On the Conditions screen, select the Publisher condition and click Next.
  • Click the Browse button and browse to any digitally signed executable on your system, for example C:\Windows\System32\notepad.exe. The wizard reads the publisher fields from the file's signature, so an unsigned file cannot be used as the reference; beyond being signed it does not matter which file you pick.
  • Drag the slider up to Any Publisher and then click Next.
  • Click Next on the Exceptions screen.
  • Name the policy something like "Only run executables that are signed" and click Create.
  • If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules -- go ahead and click Yes here. 
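The same policy can be built and, more importantly, tested without clicking through the wizard. The script below is an added example and is not part of the eSentire advisory or of Microsoft's documentation. It writes the policy XML that the GUI steps produce (a publisher rule with every field wildcarded is what "Any Publisher" means, plus the three default rules), evaluates it against a signed and an unsigned binary with Test-AppLockerPolicy, and only then applies it. The rule GUID for the publisher rule, the temporary file name and the path of the unsigned sample are assumptions; the default-rule names and paths are the ones Windows generates.

```powershell
# Added example (not from the eSentire advisory): build the "only run executables that are signed"
# AppLocker policy, dry-run it, then apply it. Run in an elevated PowerShell 3.0+ session on an
# edition that enforces AppLocker (Windows 7 Ultimate/Enterprise, Windows 8 Enterprise).
Import-Module AppLocker

# AppLocker does nothing unless the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Publisher condition with every field wildcarded == the "Any Publisher" slider position:
# any binary with a valid Authenticode signature is allowed, whoever signed it.
# The three FilePathRules are the default rules the GUI offers to create.
# EnforcementMode starts as AuditOnly; switch it to "Enabled" once the AppLocker event log
# (Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL) shows no false positives.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="Only run executables that are signed"
        Description="Allow any executable with a valid Authenticode signature" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="921cc481-6e17-4653-8f75-050b80acca20" Name="(Default Rule) All files located in the Program Files folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a61c8b2c-a319-4cd0-9690-d2177cad7b51" Name="(Default Rule) All files located in the Windows folder"
        Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="fd686d83-a829-4351-8ff4-27c7de5755d2" Name="(Default Rule) All files"
        Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@
$policyPath = Join-Path $env:TEMP 'signed-only-applocker.xml'   # assumed temp location
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# What AppLocker sees for a candidate reference file. An unsigned file shows an empty Publisher,
# which is why the GUI wizard needs a signed executable at the Browse step.
Get-AppLockerFileInformation -Path "$env:WINDIR\System32\notepad.exe" | Format-List Path, Publisher

# Dry run as a standard user before applying anything. Expected: notepad.exe is Allowed by the
# publisher rule; an unsigned file outside Program Files/Windows is DeniedByDefault.
$samples = @(
  "$env:WINDIR\System32\notepad.exe",
  "$env:USERPROFILE\Downloads\unsigned-tool.exe"   # assumed path to an unsigned test binary
)
Test-AppLockerPolicy -XmlPolicy $policyPath -Path ($samples | Where-Object { Test-Path $_ }) -User Everyone |
  Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local machine. Without -Merge this replaces the existing local AppLocker policy;
# add -Ldap "LDAP://..." to write the policy into the GPO created in the steps above instead.
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Two caveats worth keeping in mind when reading the dry-run output. First, only the Exe collection is configured here, exactly as in the GUI steps; DLLs, scripts and Windows Installer packages remain unrestricted until their collections get rules of their own. Second, the default Administrators rule (`S-1-5-32-544`, path `*`) means anything an administrator runs is allowed regardless of signature, so the publisher rule only protects users who are not local admins.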


Original Release: securelist.com/files/2015/02/Carbanak_APT_eng.pdf
Open Indicators of Compromise List: securelist.com/files/2015/02/c36e528f-d48e-4ad0-b822-da1c610e9710.ioc
