Summary

Total Articles Found: 1

Top sources:

Top Keywords:

Top Authors

Top Articles:

  • CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis

CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis

Published: 2019-04-23 17:45:00

Popularity: 76

Author: Michael Bailey

Keywords:

  • James T. Bennett
  • Malware
  • Threat Research
  • CARBANAK
  • FLARE
  • Michael Bailey
  • Latest Blog Posts
  • Homepage Carousel
  • 🤖: "Hacked again"

    FireEye has observed the certificate most recently being served on the following IPs (Table 4):

    IP

    Hostname

    Last Seen

    104.193.252.151:443

    vds2.system-host[.]net

    2019-04-26T14:49:12

    185.180.196.35:443

    customer.clientshostname[.]com

    2019-04-24T07:44:30

    213.227.155.8:443

     

    2019-04-24T04:33:52

    94.156.133.69:443

     

    2018-11-15T10:27:07

    185.174.172.241:443

    vds9992.hyperhost[.]name

    2019-04-27T13:24:36

    109.230.199.227:443

     

    2019-04-27T13:24:36

    Table 4: Recent Test Company certificate use

    While these IPs have not been observed in any CARBANAK activity, this may be an indication of a common developer or a shared toolkit used for testing various malware. Several of these IPs have been observed hosting Cobalt Strike BEACON payloads and METERPRETER listeners. Virtual Private Server (VPS) IPs may change hands frequently and additional malicious activity hosted on these IPs, even in close time proximity, may not be associated with the same users.

    I also parsed an unprotected private key from the source code dump. Figure 4 and Table 5 show the private key parameters at a glance and in detail, respectively.


    Figure 4: Parsed 512-bit private key

    Field

    Value

    bType

    7

    bVersion

    2

    aiKeyAlg

    0xA400 (CALG_RSA_KEYX) – RSA public key exchange algorithm

    Magic

    RSA2

    Bitlen

    512

    PubExp

    65537

    Modulus

    0B CA 8A 13 FD 91 E4 72 80 F9 5F EE 38 BC 2E ED

    20 5D 54 03 02 AE D6 90 4B 6A 6F AE 7E 06 3E 8C

    EA A8 15 46 9F 3E 14 20 86 43 6F 87 BF AE 47 C8

    57 F5 1F D0 B7 27 42 0E D1 51 37 65 16 E4 93 CB

    P

    8B 01 8F 7D 1D A2 34 AE CA B6 22 EE 41 4A B9 2C

    E0 05 FA D0 35 B2 BF 9C E6 7C 6E 65 AC AE 17 EA

    Q

    81 69 AB 3D D7 01 55 7A F8 EE 3C A2 78 A5 1E B1

    9A 3B 83 EC 2F F1 F7 13 D8 1A B3 DE DF 24 A1 DE

    Dp

    B5 C7 AE 0F 46 E9 02 FB 4E A2 A5 36 7F 2E ED A4

    9E 2B 0E 57 F3 DB 11 66 13 5E 01 94 13 34 10 CB

    Dq

    81 AC 0D 20 14 E9 5C BF 4B 08 54 D3 74 C4 57 EA

    C3 9D 66 C9 2E 0A 19 EA C1 A3 78 30 44 52 B2 9F

    Iq

    C2 D2 55 32 5E 7D 66 4C 8B 7F 02 82 0B 35 45 18

    24 76 09 2B 56 71 C6 63 C4 C5 87 AD ED 51 DA 2ª

    D

    01 6A F3 FA 6A F7 34 83 75 C6 94 EB 77 F1 C7 BB

    7C 68 28 70 4D FB 6A 67 03 AE E2 D8 8B E9 E8 E0

    2A 0F FB 39 13 BD 1B 46 6A D9 98 EA A6 3E 63 A8

    2F A3 BD B3 E5 D6 85 98 4D 1C 06 2A AD 76 07 49

    Table 5: Private key parameters

    I found a value named PUBLIC_KEY defined in a configuration header, with comments indicating it was for debugging purposes. The parsed values are shown in Table 6.

    Field

    Value

    bType

    6

    bVersion

    2

    aiKeyAlg

    0xA400 (CALG_RSA_KEYX) – RSA public key exchange algorithm

    Magic

    RSA1

    Bitlen

    512

    PubExp

    65537

    Modulus

    0B CA 8A 13 FD 91 E4 72 80 F9 5F EE 38 BC 2E ED

    20 5D 54 03 02 AE D6 90 4B 6A 6F AE 7E 06 3E 8C

    EA A8 15 46 9F 3E 14 20 86 43 6F 87 BF AE 47 C8

    57 F5 1F D0 B7 27 42 0E D1 51 37 65 16 E4 93 CB

    Table 6: Key parameters for PUBLIC_KEY defined in configuration header

    Network Based Indicators

    The source code and binaries contained multiple Network-Based Indicators (NBIs) having significant overlap with CARBANAK backdoor activity and FIN7 operations previously observed and documented by FireEye. Table 7 shows these indicators along with the associated FireEye public documentation. This includes the status of each NBI as it was encountered (active in source code, commented out, or compiled into a binary). Domain names are de-fanged to prevent accidental resolution or interaction by browsers, chat clients, etc.

    NBI

    Status

    Threat Group Association

    comixed[.]org

    Commented out

    Earlier CARBANAK activity

    194.146.180[.]40

    Commented out

    Earlier CARBANAK activity

    aaaabbbbccccc[.]org

    Active

     

    stats10-google[.]com

    Commented out

    FIN7

    192.168.0[.]100:700

    Active

     

    80.84.49[.]50:443

    Commented out

     

    52.11.125[.]44:443

    Commented out

     

    85.25.84[.]223

    Commented out

     

    qwqreererwere[.]com

    Active

     

    akamai-technologies[.]org

    Commented out

    Earlier CARBANAK activity

    192.168.0[.]100:700

    Active

     

    37.1.212[.]100:700

    Commented out

     

    188.138.98[.]105:710

    Commented out

    Earlier CARBANAK activity

    hhklhlkhkjhjkjk[.]org

    Compiled

     

    192.168.0[.]100:700

    Compiled

     

    aaa.stage.4463714.news.meteonovosti[.]info

    Compiled

    DNS infrastructure overlap with later FIN7 associated POWERSOURCE activity

    193.203.48[.]23:800

    Active

    Earlier CARBANAK activity

    Table 7: NBIs and prevously observed activity

    Four of these TCP endpoints (80.84.49[.]50:443, 52.11.125[.]44:443, 85.25.84[.]223, and 37.1.212[.]100:700) were new to me, although some have been documented elsewhere.

    Conclusion

    Our analysis of this source code dump confirmed it was CARBANAK and turned up a few new and interesting data points. We were able to notify vendors about disclosures that specifically targeted their security suites. The previously documented NBIs, Windows API function resolution, backdoor command hash values, usage of Windows cabinet file APIs, and other artifacts associated with CARBANAK all match, and as they say, if the shoe fits, wear it. Interestingly though, the project itself isn’t called CARBANAK or even Anunak as the information security community has come to call it based on the string artifacts found within the malware. The authors mainly refer to the malware as “bot” in the Visual Studio project, filenames, source code comments, output binaries, user interfaces, and manuals.

    The breadth and depth of this analysis was a departure from the usual requests we receive on the FLARE team. The journey included learning some Russian, searching through a hundred thousand of lines of code for new information, and analyzing a few dozen binaries. In the end, I’m thankful I had the opportunity to take this request.

    In the next post, Tom Bennett takes the reins to provide a retrospective on his and Barry Vengerik’s previous analysis in light of the source code. Part Four of CARBANAK Week is available as well.

    ...more

    end