When it comes to threat investigations, we often treat the malicious binary as the smoking gun or crown jewel of the investigation. However, examining the other components can produce a bigger picture, one far more detailed than what focusing on the binary alone provides.
By looking beyond one malicious file, we were able to determine that a slew of seemingly unrelated phishing emails were, in fact, part of a campaign targeting banks and financial institutions across the globe. The attackers used other banks’ email accounts to send the phishing emails to their targeted banks in order to gain access to and remotely control their computers. We are calling this campaign “Cuckoo Miner.” The attackers’ method of taking over legitimate inboxes to prey on victims echoes the cuckoo’s distinct habit of tricking other birds into raising its chick by taking over their nests.
The Beginnings of Cuckoo Miner
Imagine this scenario: at one branch office of a large financial institution, a remittance clerk named Bob has just received an email. At first glance, the email appears normal – it contains a one-line message, followed by another bank’s corporate signature, as well as a Microsoft Word document titled ammendment.doc.
Figure 1. “Spammed” email
Bob opens the document to discover this message: “Hey….” Finding this a little odd, Bob closes the Microsoft Word document and deletes the email, moving on to the next one in his inbox. Little does he know that, by opening the Microsoft Word document, he has opened up his workstation—and the branch office—to the world.
Bob’s situation was not isolated. It was actually part of a broad yet targeted attack. On August 4, the Trend Micro™ Smart Protection Network™ observed the same email lure being sent to employees of banking and financial institutions whose email servers are located (on-premises or on cloud services) in at least 17 countries, including India, Switzerland, and the US. The targeted institutions themselves are based in the EMEA and APAC regions. The email had a specific list of recipients and was sent only on that specific day to avoid being detected.
Figure 2. Location of affected servers
Multiple RAT Use
The Microsoft Word document contained an exploit for CVE-2015-1770 that dropped another file, which in turn spawned a process called svchost.exe. This svchost.exe is actually a remote access Trojan (RAT) called Utility Warrior.
Figure 3. svchost.exe
Rather than relying on one RAT (Utility Warrior), the threat actors employed several across attacks that occurred over several months. Tracing activity back to as early as January 2015, we can see that the threat actors’ use of the different RATs mostly overlapped.
Figure 4. Timeline of RATs used
Once a RAT has performed its call-back to the server, the threat actors have free rein over the terminal. The RATs have the capability to look into the host’s resources and installed programs and to sift through the data within the endpoint. The RATs deployed also have the capability to download information directly from the endpoint.
The wide variety of RATs employed by the threat actors indicates active involvement within malware circles, and the actors may be very well connected. We also observed that the threat actors are eager to try out new RAT builds and quickly integrate these newer RATs into their attacks.
Certificate Reuse and CARBANAK Ties
The majority of the RATs were digitally signed with valid certificates issued to “ELVIK OOO,” and several of these certificates were reused across samples. By definition, the serial number in a certificate is a number issued by the certificate issuer or certificate authority and must be unique for each certificate.
Figure 5. Sample certificate
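Because a serial number identifies exactly one certificate, distinct files carrying the same issuer and serial were signed with the same certificate, which is the pivot that linked the RATs to each other and to the CARBANAK sample. The following is an added example, not Trend Micro’s code, that performs that pivot over a constructed set of signer metadata; the hashes and serials are placeholders, not the campaign’s real values.

```python
# Added example (not Trend Micro's code): pivot on code-signing certificate reuse.
# All records below are constructed; hashes and serials are placeholders.
from collections import defaultdict

# Constructed signer metadata: (file hash placeholder, subject, serial, family)
SAMPLES = [
    ("SAMPLE_HASH_1", "ELVIK OOO", "PLACEHOLDER_SERIAL_A", "Utility Warrior"),
    ("SAMPLE_HASH_2", "ELVIK OOO", "PLACEHOLDER_SERIAL_A", "Other RAT"),
    ("SAMPLE_HASH_3", "ELVIK OOO", "PLACEHOLDER_SERIAL_A", "CARBANAK"),
    ("SAMPLE_HASH_4", "ELVIK OOO", "PLACEHOLDER_SERIAL_B", "Other RAT"),
    ("SAMPLE_HASH_5", "Unrelated Vendor", "PLACEHOLDER_SERIAL_C", "clean"),
]


def cluster_by_certificate(samples):
    """Group files by (subject, serial). A serial is unique per certificate,
    so several distinct files under one key were signed by the same cert."""
    clusters = defaultdict(list)
    for file_hash, subject, serial, family in samples:
        clusters[(subject, serial)].append((file_hash, family))
    return clusters


def reused_certificates(samples, min_files=2):
    """Certificates seen on at least min_files distinct files -> sorted families."""
    reused = {}
    for key, files in cluster_by_certificate(samples).items():
        if len({h for h, _ in files}) >= min_files:
            reused[key] = sorted({fam for _, fam in files})
    return reused


def families_linked_by_cert(samples, family):
    """Families that share a reused certificate with `family` (the CARBANAK pivot)."""
    linked = set()
    for fams in reused_certificates(samples).values():
        if family in fams:
            linked.update(fams)
    linked.discard(family)
    return sorted(linked)


if __name__ == "__main__":
    for (subject, serial), fams in reused_certificates(SAMPLES).items():
        print(f"{subject} / {serial}: {', '.join(fams)}")
    print("linked to CARBANAK:", families_linked_by_cert(SAMPLES, "CARBANAK"))
```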
It is also worth noting that we have seen an Anunak (aka CARBANAK) sample that was signed using this certificate. What is even more significant is the reference to “arablab”:
Figure 6. Arablab marker
As seen in the packet capture, the marker ArabLab0 followed by e4fd2f290fde5395 (a 16-byte string) comprises the bot ID, which in this case is ArabLab0e4fd2f290fde5395.
The bot identification alludes to a discovery from our earlier research in June 2014. We had identified “arablab” as a threat actor that had been using Citadel and Zeus when targeting banks. Furthermore, it should also be noted that “arablab” has used malicious Microsoft Office documents exploiting CVE-2010-3333 to target certain individuals, and has participated in the so-called Nigerian or 419 scams. The attacks may differ, but the end-game remains the same: access to money.
In order to further map out the relationships between the different malware, URL, and email components, we have provided two relationship diagrams below.
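The fixed marker followed by a 16-byte identifier is a usable network detection signature for this traffic. Below is an added example, not Trend Micro’s code, that extracts the bot ID from captured payloads; the payloads are constructed, and the regex assumes the 16-byte suffix is hexadecimal, as in the single sample shown above (widen the character class if other forms appear).

```python
# Added example (not Trend Micro's code): extract the ArabLab0 bot ID from
# captured C2 payloads. The hex assumption on the suffix comes from the one
# observed sample (e4fd2f290fde5395), not from any protocol documentation.
import re

MARKER = b"ArabLab0"
BOT_ID_RE = re.compile(rb"ArabLab0([0-9a-fA-F]{16})")

# Constructed payloads: the first mimics the observed capture, the rest are
# noise and edge cases (marker inside binary framing, marker with a bad suffix).
PAYLOADS = [
    b"POST /gate.php HTTP/1.1\r\nHost: c2.example\r\n\r\n"
    b"id=ArabLab0e4fd2f290fde5395&os=win7",
    b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"\x00\x01ArabLab0ffffffffffffffff\x02",
    b"ArabLab0notahexstring!!!!",
]


def extract_bot_ids(payload: bytes):
    """Return every well-formed bot ID (marker + 16-byte suffix) in payload."""
    return [MARKER.decode() + m.group(1).decode() for m in BOT_ID_RE.finditer(payload)]


def scan(payloads):
    """Map payload index -> bot IDs; payloads with no well-formed ID are skipped,
    so a bare marker with a malformed suffix does not raise an alert on its own."""
    hits = {}
    for i, payload in enumerate(payloads):
        ids = extract_bot_ids(payload)
        if ids:
            hits[i] = ids
    return hits


if __name__ == "__main__":
    for i, ids in scan(PAYLOADS).items():
        print(f"payload {i}: {ids}")
```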
From dropping different RATs in a short span of time to employing digitally signed files to circumvent any solution that checks signatures, we can see that the threat actors are staying updated by increasing their arsenal and expanding their victim base with each run. They are also well connected to services revolving around cybercrime and to other threat actors.
Just as the threat actors have evolved, an organization can take advantage of advances in its security software. For example, on-the-fly pre-execution (content simulation) of email attachments and evaluation of URLs to filter emails before they reach the end user would greatly enhance the security posture of an environment.
One solution is the Connected Threat Defense, specifically the integration of a mail scanning solution (such as InterScan Messaging Security or ScanMail) with Deep Discovery Analyzer, a custom sandbox analysis solution. Deep Discovery Analyzer allows the creation of custom sandboxing environments that precisely match the target desktop software configuration, ensuring that the evaluated behavior reflects what would happen should the attachment reach an actual endpoint, and granting administrators the ability to configure the actions to perform on analyzed emails according to the company’s security policy. Deep Discovery Analyzer dynamically creates and flags indicators, or suspicious objects, based on their potential to expose systems to danger or loss, and shares them with Trend Micro Control Manager. Products integrated with Trend Micro Control Manager can take advantage of these dynamically created suspicious object lists and take an active (block or quarantine) or passive (log-only) action.
More information about this operation, as well as detailed information about security measures, can be found in the threat brief, The Cuckoo Miner Campaign: Nigerian Cybercriminals Targeting Banks.