New Trojan malware attack targets restaurant chains

Bateleur Eagle

The backdoor Trojan is named after the Bateleur Eagle.

Image: iStock

A notorious hacking group is back with a new method of distributing trojan malware with the aim of creating backdoors into the networks of restaurant chains across the US.

Dubbed Bateleur - after a species of eagle - by the Proofpoint researchers who uncovered it, the backdoor is thought to be the work of Carbanak, a group which focuses its attacks on financial targets.

The group has stolen over $1 billion from banks worldwide and is thought to be behind a string of other attacks.

Carbanak has previously targeted hospitality organisations, retailers, merchant services and suppliers, but this time it is attempting to infiltrate chain restaurants in order to plant a backdoor on Windows systems capable of taking screenshots, stealing passwords, executing commands and more.

To increase the chances of infection without being detected, the JScript backdoor is accompanied by new macros and by anti-analysis and sandbox-evasion techniques that cloak its activity.

As with many cyberattacks, a phishing email is used to lure in the target. The message is sent from an Outlook or Gmail address and claims to contain information about a previously discussed check in an attached Word document.


A phishing email used to distribute the malware to targets.

Image: Proofpoint

The attachment claims the document is encrypted and protected by 'Outlook Protect Service' or 'Google Documents Protect Service', depending on the address sending the message. In both cases, the names of genuine antivirus companies appear on the JScript document dropper to lull the victim into a false sense of security.

If the user is tricked into enabling editing of the document, the document uses a series of scheduled tasks to retrieve the malicious payload, in an attempt to avoid detection.
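The chain described above, an Office document creating scheduled tasks that run a script host on a dropped JScript file, leaves a recognisable trail in process-creation telemetry. The following is an added example, not code from the article or from Proofpoint's research; the event records are constructed and their field names (parent, image, cmdline) are an assumed, simplified layout rather than any product's exact schema:

```python
"""Flag Office-to-scheduled-task-to-script-host chains in process-creation events."""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCHEDULER = {"schtasks.exe"}
# Task Scheduler launches task actions from the Schedule service host (svchost.exe),
# or taskeng.exe on older Windows releases.
TASK_PARENTS = {"svchost.exe", "taskeng.exe"}
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|wsf)\b")

# Constructed sample events for the example, not real telemetry.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Update /tr "wscript.exe C:\Users\u\AppData\Local\Temp\d.js" /sc minute'},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\WINWORD.EXE" /n invoice.docx'},
    {"parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\d.js"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /query /tn Backup"},
]


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return a reason string if the event matches the chain, otherwise None."""
    parent, image = _base(event["parent"]), _base(event["image"])
    cmd = event["cmdline"].lower()
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS | SCHEDULER:
        return f"office app {parent} spawned {image}"
    if image in SCHEDULER and "/create" in cmd and any(h in cmd for h in SCRIPT_HOSTS) and SCRIPT_EXT.search(cmd):
        return "scheduled task created to run a script host on a script file"
    if image in SCRIPT_HOSTS and parent in TASK_PARENTS and re.search(r"\\temp\\[^ ]*\.js\b", cmd):
        return "script host launched by Task Scheduler on a temp-directory script"
    return None


def find_suspicious(events):
    """Indexes and reasons for every event that matches."""
    hits = []
    for idx, event in enumerate(events):
        reason = classify(event)
        if reason:
            hits.append((idx, reason))
    return hits
```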

Researchers describe the JScript as having "robust capabilities", including anti-sandbox functionality and anti-analysis obfuscation. It is also capable of retrieving information about the infected system, listing running processes, executing custom commands and PowerShell scripts, uninstalling and updating itself, and taking screenshots.

In theory, Bateleur can also exfiltrate passwords, although this particular instruction requires an additional module from the command and control server in order to work. Currently, the malware lacks some of the features required to do this and has no backup servers, but researchers expect these to be added in the near future - especially given the persistent nature of the attackers.

Proofpoint have identified Carbanak as the perpetrators of this campaign and the new backdoor with "a high degree of certainty" due to some telltale signs.

Firstly, similar messages have been sent to the same targets, but attempting to deliver GGLDR, a malicious script associated with Carbanak's VBScript malware.

Secondly, Bateleur has been observed downloading TinyMet, a Meterpreter in-memory DLL injection downloader script that the group has repeatedly been seen using.

Researchers also note that the PowerShell password grabber used by Bateleur contains a dynamic-link library (DLL) identical to one found embedded in GGLDR samples.

"The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group's expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines," Proofpoint researchers Matthew Mesa and Darien Huss said in a blog post.

from Latest Topic for ZDNet in... http://ift.tt/2u0F1VR