Carbanak

Recently there have been media reports regarding cybercriminals (dubbed “Carbanak” by Kaspersky Labs) attacking banks and other financial services companies to transfer funds.

What We Know

• This is not a “recent” attack (though the attack vectors are still “live”).
• This malware attack appears to stem from a “phishing” attack through vulnerabilities in Microsoft Office.
• Several Indicators of Compromise (IoC’s) have been listed within the Kaspersky report.
• On a daily basis, eSentire deals with these (and many other) malware attacks as part of the standard operating procedure.
• Several of the IP addresses listed within the IoC’s were blacklisted within eSentire’s Asset Manager Protect (AMP) Blacklist before the Kaspersky advisory was released.
  
  

eSentire Defenses

eSentire features that help protect you:

• Based on the IoC’s disclosed, we are currently running a “Targeted Retrospective” review of saved forensic data across our entire client base to confirm an “All Clear” status regarding this particular exploit. The ESOC will only contact customers if a risk is identified within our forensic review.
• EXEcutioner can stop the download of malicious payloads over HTTP if you have instructed ESOC to enable it. If you would like the EXEcutioner enabled, please contact the ESOC.
• AMP can stop the communication to known command and control servers. This service is enabled by default for our customers.
• Behavioral analysis tools can detect anomalous network behavior.
• The ESOC can quarantine suspected systems at your direction or based on established policy.
  
  

Further (Future) Protection

How to further protect yourself from these (and other) emerging threats:

• Ensure that all Microsoft Office products are up-to-date.
• EMET can help further prevent memory protection bypasses (microsoft.com/emet).
• Configure Windows to display full file extensions (This will stop attackers from masking executable files as common files).
• User awareness (Infections are occurring from users clicking on a malicious payload that is being shipped via spam email attachments).
• Remind users not to visit untrusted websites or follow links provided by unknown or un-trusted sources.
• Remind users to be cautious when clicking on links in emails coming from trusted sources.
• If you are running Windows 7 Ultimate/Enterprise or Windows 8 Pro/Enterprise you have the ability to use AppLocker. AppLocker is able to defend against malware infections because it can require all programs to be signed by a legitimate software publisher.
• Create a new GPO.

• Right-click on it to edit, and then navigate through Computer Configuration, Windows Settings, Security Settings, Application Control Policies, and AppLocker.
• Click Configure Rule Enforcement.
• Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
• In the left pane, click Executable Rules.
• Right-click in the right pane and select Create New Rule.
• On the Before You Begin screen, click Next.
• On the Permissions screen, click Next.
• On the Conditions screen, select the Publisher condition and click Next.
• Click the Browse button and browse to an executable file on your system. It doesn't matter which.
• Drag the slider up to Any Publisher and then click Next.
• Click Next on the Exceptions screen.
• Name the policy something like "Only run executables that are signed" and click Create.
• If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules -- go ahead and click Yes here.

Resources

Original Release: securelist.com/files/2015/02/Carbanak_APT_eng.pdf
Open Indicators of Compromise List: securelist.com/files/2015/02/c36e528f-d48e-4ad0-b822-da1c610e9710.ioc