Carbanak Hackers Hit Hospitality Firms With New Tactics

The prolific Carbanak crime group has recently zoned in on the hospitality sector and adopted a new attack methodology, Trustwave security researchers warn.

The security firm analyzed three separate attacks, two targeting hospitality clients and one aimed at a restaurant chain, and found that all three featured the modus operandi of the infamous hacking group. Carbanak, also known as Anunak, managed to steal as much as $1 billion from more than 100 banks across 30 countries, and reemerged this year, targeting banks in the Middle East and U.S.

The attackers used social engineering in the new incidents: they would call customer service saying they couldn’t make a reservation and requested to send information via email. The email message contained a malicious Microsoft Word document with an encoded .VBS script to steal system information and screenshots, and download additional malware. The attackers would reportedly stay on the phone until they had confirmation of a successful attack.

The malicious script uses macros to search for running Word instances and replaces their content with attacker-generated text. Next, a compromised system connects to hxxp:// to download additional malware (AdobeUpdateManagementTool.vbs).

This malicious program creates folders on the compromised systems and adds files to them, adds a persistence mechanism, creates a scheduled task to call the vbs, creates a service to call the vbs, and drops a Shockwave Flash icon and disguises itself as such. The malware was observed contacting a few websites, as well as several command and control (C&C) servers.

Trustwave researchers say that this threat can steal system and network information and can download reconnaissance tools to map out the network. Some of the downloaded utilities include Nmap, FreeRDP, NCat, NPing, and others. It would also grab el32.exe and el64.exe, which are privilege escalation exploits for 32 and 64 bit architectures.

This piece of malware, researchers say, was mainly responsible for the reconnaissance stage of the attack, in addition to downloading malicious apps to set up for the next stage of the attack. It could also execute Powershell scripts on command.

The malware sends beaconing messages via standard HTTP GET requests every 5 minutes, which allows it to hide within standard corporate network traffic. What’s more, the content of the GET request is encoded with Base64 and secondarily encrypted with RC4. The purpose of beaconing is for the attacker to know that the infected system is available for further exploitation.
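As an added, defender-side illustration (not code from the Trustwave report): a small Python check that flags a source/destination pair whose GET requests recur at a near-constant five-minute period and carry base64-looking query values. The log lines, the `/update?q=` path and the thresholds are constructed assumptions for the example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log sample (not real traffic): "timestamp src dst method path".
# One pair beacons roughly every 300 s with base64-looking values; the rest is browsing.
SAMPLE_LOG = """\
2016-11-14T10:00:03 10.0.1.15 203.0.113.7 GET /update?q=U2FsdGVkX19hYmNkZWZnaGlqa2xtbm9w
2016-11-14T10:01:40 10.0.1.15 198.51.100.2 GET /news/index.html
2016-11-14T10:05:02 10.0.1.15 203.0.113.7 GET /update?q=U2FsdGVkX18xMjM0NTY3ODkwYWJjZGVm
2016-11-14T10:07:11 10.0.1.15 198.51.100.2 GET /news/sports.html
2016-11-14T10:08:05 10.0.1.15 198.51.100.2 GET /news/weather.html
2016-11-14T10:10:04 10.0.1.15 203.0.113.7 GET /update?q=U2FsdGVkX1+xyzABCDEFGHIJKLMNOPQR
2016-11-14T10:15:01 10.0.1.15 203.0.113.7 GET /update?q=U2FsdGVkX1/abcdefghijklmnopqrstu
2016-11-14T10:20:03 10.0.1.15 203.0.113.7 GET /update?q=U2FsdGVkX19zb21lbW9yZWRhdGFoZXJl
2016-11-14T10:31:20 10.0.1.15 198.51.100.2 GET /news/finance.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")  # base64 alphabet, optional padding

def looks_base64(value):
    """Heuristic: base64 alphabet only and a length that is a multiple of 4."""
    return bool(B64_RE.match(value)) and len(value) % 4 == 0

def parse_log(text):
    """Return (timestamp, src, dst, method, path) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return records

def find_beacons(records, period=300, jitter=30, min_hits=4):
    """Flag src/dst pairs whose GET timing clusters tightly around `period` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, method, path in records:
        if method == "GET":
            by_pair[(src, dst)].append((ts, path))
    hits = []
    for (src, dst), reqs in by_pair.items():
        if len(reqs) < min_hits:
            continue
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean, spread = statistics.mean(gaps), statistics.pstdev(gaps)
        if abs(mean - period) <= jitter and spread <= jitter:
            # Count requests whose query value looks like an encoded blob (base64+RC4 in the report).
            b64 = sum(looks_base64(p.split("?q=", 1)[1]) for _, p in reqs if "?q=" in p)
            hits.append({"src": src, "dst": dst, "count": len(reqs),
                         "mean_gap": mean, "b64_payloads": b64})
    return hits
```

Real beacons add jitter and the benign world is full of periodic pollers, so treat a hit as a lead for triage (destination reputation, process on the host) rather than a verdict.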

In the second stage of the attack, the malware identified as bf.exe starts a new instance of svchost.exe and injects its malicious code into this running process to hide itself. Next, it drops a pseudo-randomly named configuration file into the %ProgramData%\Mozilla folder, with a base64-encoded name derived from the infected system’s MAC address and a .bin extension.

The malware also searches the infected system for Kaspersky antivirus processes and terminates them, after which it registers itself as a randomly-named service with the “C:\Documents and Settings\All Users\Application Data\Mozilla\svchost.exe” path.

After this step has been completed, the malware downloads well-known Carbanak malware, namely kldconfig.exe, kldconfig.plug, and runmem.wi.exe. The decrypted string references “anunak_config,” which researchers say is the encrypted configuration file downloaded from the C&C server.

The malware can enable remote desktop, steal local passwords, search user’s email, target IFOBS banking systems, install remote desktop programs such as VNC or AMMYY, and also target credit card data by scraping memory on Point-of-Sale systems. In addition to allowing for the remote command of the infected system, the malware also communicates with two encrypted addresses and exfiltrates data to them via HTTP POST messages, using base64+RC2 encryption.

While following a common series of events (the social engineering lure, establishing remote control of victim system and downloading additional tools, conducting reconnaissance on the network to expand foothold, and exfiltrating payment card information and/or personally identifiable information), the campaign shows an unusual level of persistence, professionalism, and pervasiveness.

“The malware used is very multifaceted and still not caught by most (if any) antivirus engines. The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement is rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient,” Trustwave researchers say.

Related: New Trojan Used in Attacks Against SWIFT Member Banks

Related: Hackers Steal Money from Banks via APT-Style Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
