**Log in** # The Shadows of Ghosts: Inside the Response of a Unique Carbanak Intrusion **Blog Post created by** **Jack Riley** **on Dec 4, 2017** **•** **0** **Comment •** **0** **RSA Incident Response White Paper: Inside the Response of a Unique CARBANAK** **Intrusion** **RSA Incident Response and Discovery Practice (RSA IR) analysts spend a significant�** **amount of time engaged in the research, hunting, and effective response of advanced�** **and persistent actors. A customer engagement early-to-mid-2017 is an excellent** **example of a unique case in which RSA IR successfully responded to an intrusion** **perpetrated by the threat actor group** **[CARBANAK](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fkrebsonsecurity.com%2Ftag%2Fcarbanak%2F)** **, also known as FIN7. The** **CARBANAK actions illustrated in this post and associated paper were observed with** **other RSA clients as recently as November 2017, with the methods and intelligence** **supplied by these publications having been used successfully to detect and track** **attacker activities.** **Several intrusions associated with the CARBANAK actors have been reported within the last** **[year, describing compromises of organizations within banking](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.bankinfosecurity.com%2Fsophisticated-carbanak-banking-malware-returns-upgrades-a-8523)** **[, financial�](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fkrebsonsecurity.com%2F2017%2F03%2Fpayments-giant-verifone-investigating-breach%2F)** **[, hospitality](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fkrebsonsecurity.com%2F2017%2F10%2Fhyatt-hotels-suffers-2nd-card-breach-in-2-years%2F)** **,** **[and restaurant](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.scmagazine.com%2Fcarbanak-backdoor-malware-targeting-us-restaurant-chains%2Farticle%2F680041%2F)** **verticals. However, they all describe a relatively equivalent progression,** **with only slight deviation in specific attacker actions. The intelligence surrounding�** **[recent CARBANAK incidents indicate that phishing attacks](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.fireeye.com%2Fblog%2Fthreat-research%2F2017%2F03%2Ffin7_spear_phishing.html)** **have been the groupʼs** **primary method of initial compromise. After gaining access to a user system, the attackers** **move laterally throughout the environment, conduct internal reconnaissance, establish** **staging points and internal network paths, harvest credentials, and move towards their** ----- **attackers to quickly gain administrative access within the clientʼs Linux environment. This** **intrusion presented substantial challenges due to:** **The initial intrusion vector** **Unique attacker toolset** **The attacker dwell time** **The large, heterogeneous environment** **The speed with which the attackers gained administrative access** **The forensic mindfulness of the CARBANAK attackers** **The attackersʼ toolset was a mix of custom tools, freely available code, and open source** **software utilities. RSA IR researched all 32 of the malicious files in the� CARBANAK toolset** **using various publicly available and open-source resources. Six of the tools used in this** **intrusion were found to have been uploaded to a publicly available anti-virus aggregation** **site. Of these six, five have little-to-no detection or indication of malice from antivirus�** **vendors. This observation explains why the clientʼs signature-based host protection** **mechanisms were unable to identify or prevent the use of these tools.** **Figure 1: Findings from Public and Open Source Research of Toolset Reference** **While the attackers used more than 30 unique samples of malware and tools, they also** **demonstrated a normalization across Windows and Linux with respect to their toolset. The** **toolsets they deployed can be broken down into five basic functionalities:�** ----- **Log Cleanup** **Credential Harvesting** **Internal Reconnaissance** **The ingress, lateral movement, and internal reconnaissance mechanisms used by the** **attackers during this investigation were not that sophisticated in and of themselves.** **However, when viewed in aggregate, and from an operational view, RSA observed the actors** **normalized their choice in toolset across the Linux and Windows environments. The** **attackers in this engagement primarily used modified versions of legitimate administrative�** **tools, commonly used penetration testing utilities, and common network file acquisition�** **tools. Though specialty malware was observed during this intrusion, the attackers used** **basic XOR encoding just above Layer 4 to facilitate communication, communicated via SSH** **tunnel directly over TCP/443, or just transmitted and received data in clear text across the** **network. Of the observed actions during this intrusion, none of the attacker tools,** **techniques, or procedures were particularly advanced. However, they were still able to** **bypass a significant security stack, obtain initial access and lateral access effectively, deploy** **malware and toolsets with impunity, and traverse over 150 systems in the span of six** **weeks. While, at first glance, this attack was not sophisticated in its toolset, it was�** **sophisticated in its operationalization and agility of attackersʼ actions. The correlations** **between the Linux environment tools and the Windows environment tools are shown below:** ----- **p** **Linux** **Windows** **Function** **Winexe** **Tinyp (PSEXEC** **Lateral Movement** **Variant)** **Auditunnel (Linux** **Auditunnel** **Ingress Tunneling** **Version)** **(Windows Version)** **PScan (Linux** **PScan (Windows** **Internal Recon** **Version)** **Version)** **WGet (Linux** **WGet (Windows** **Toolset Download** **Version)** **Version)** **SCP** **PSCP** **File Transfer** **[RSA IR released a white paper](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.rsa.com%2Fen-us%2Fresources%2Finside-the-response-of-a-unique-carbanak-intrusion-white-paper)** **containing an in-depth review of this engagement,** **including observed attacker operational patterns, TTPs, and the techniques used during this** **engagement to successfully track and respond to the threat. The observations illustrated in** **this paper identify that not only do CARBANAK actors have the capability to successfully** **compromise various operating system environments, they have standardized and** **operationalized this capability. This attribute indicates strategic operational thought and** **effort being invested in this groupʼs compromises, suggesting that the� CARBANAK actors** **are working towards becoming a more organized, structured, resourceful, and mature** **threat group.** **During an intrusion, time is the single most critical resource to an organizationʼs security** **team and is the most significant indicator of determining if the security team will be�** **successful in containing, eradicating, and remediating the extant threat. There are two** **specific sets of time related to an intrusion that may determine the difference between�** **success and failure: the time that the attackers are in the environment prior to detection** **(dwell time), and the time it takes security teams to identify, investigate, understand, and** **contain the attackerʼs actions (response time). In this specific incident, the attackerʼs dwell�** **time at intrusion declaration was 35 days, which is a significant amount of time given the�** **level of access immediately available upon compromise. However, by utilizing** **the** **[methodology and visibility described in this paper, RSA IR was able to complete](https://community.rsa.com/community/products/netwitness/blog/2016/12/01/new-hunting-guide-investigation-model)** |Linux|Windows|Function| |---|---|---| |Winexe|Tinyp (PSEXEC Variant)|Lateral Movement| |Auditunnel (Linux Version)|Auditunnel (Windows Version)|Ingress Tunneling| |PScan (Linux Version)|PScan (Windows Version)|Internal Recon| |WGet (Linux Version)|WGet (Windows Version)|Toolset Download| |SCP|PSCP|File Transfer| ----- **contain the attackers before the actors could achieve their intended goal.** **The CARBANAK actors not only showed the capability to successfully compromise both** **Linux and Windows systems, they chose a toolset that was either directly cross-platform or** **extremely similar in both function and command line usage. This indicates a level of** **tactical organization and operationalization not previously observed by this actor group.** **Additionally, they were significantly cognizant and aware of actions taken by the security�** **team, switching to new methods of ingress after initial compromise, detected remediation** **actions, and environmental migration. They were methodical in their choice of staging** **systems, basing the system utilized on:** **a critical function of lateral access** **or responder detection and investigation** **They chose key systems based on their needs rather than systems the organization would** **consider ʻkeyʼ assets. They ensured the toolsets they would interact with most often** **contained very similar functions and commands across environments in order to limit** **mistakes made at the keyboard. They included a method, whether manually or** **automatically, to remove any record of their activities. They operated with purpose,** **patience, planning, and most significantly, persistence.�** **This intrusion was successfully discovered, investigated, contained, eradicated, and** **remediated only due to the following reasons:** **1. The organization invested in the necessary visibility at a host and network level to** **allow analysts to rapidly and effectively hunt for and investigate these types of�** **threats.** **2. The organization had invested and empowered their personnel to creatively and** **proactively hunt for, understand, investigate, and learn from threats within their** **environment.** **3. The organization had maintained a relationship with a proven and trusted advisory** **practice and had worked to recreate and implement a solid and proven** **Threat** **Hunting and Incident Response methodology within their own organization.** **4. The organization had a solid top-down understanding of what role Threat Hunting** **and Incident Response held during daily operations and security incidents, and** **provided the necessary support and enablement to subordinate units and analysts.** **While a first look at the tools used in this engagement may appear simplistic, upon review�** **of the entire intrusion, it becomes quickly apparent that each of them was purpose-chosen** **with an overall operationalized capability in mind. CARBANAK has shown themselves to be** **a coordinated and extremely persistent group of actors that are consistently moving** **towards more agile methods of intrusion and standardization of processes across** ----- **agility to defeat or bypass organizational security controls. Even with the least advanced of** **their capabilities, they can be a difficult adversary to track within an environment due to�** **their speed, efficiency, adaptability, and care in leaving little trace of any activity. However,�** **this difficulty compounds exponentially for organizations without the necessary visibility,�** **practices, methodologies, or trusted partner relationships necessary to effectively detect�** **and respond to these types of threats. This white paper shows that with the necessary** **visibility, planning, methodology, and analyst enablement, organizations can be successful** **against these types of threats.** **[Learn more about the Carbanak/Fin7 syndicate](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.rsa.com%2Fcontent%2Fdam%2Fen%2Fwhite-paper%2Fthe-carbanak-fin7-syndicate.pdf)** **[based on unique Carbanak intrusions](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.rsa.com%2Fen-us%2Fresources%2Finside-the-response-of-a-unique-carbanak-intrusion-white-paper)** **,** **[and the mindset](https://community.rsa.com/external-link.jspa?url=https%3A%2F%2Fwww.rsa.com%2Fen-us%2Fblog%2F2017-07%2Finfosec-easy-button-myth)** **and** **[methods used to combat them in these recent RSA Research](https://community.rsa.com/community/products/netwitness/blog/2016/12/01/new-hunting-guide-investigation-model)** **publications.** **security operations and breach managem…** **netwitness logs & packets** **netwitness for endpoint** **incident_investigations** **[RSA NetWitness Logs](https://community.rsa.com/community/products/netwitness/content?filterID=contentstatus[published]~category[rsa-netwitness-logs])** **netwitness packet** **analyst report** **threat intel** **intrusion** **fin7�** **Related Content** **ESA - Intrusion Detection with Windows Event Logs** **Detecting APT Using Anomalous Windows Remote Management Methods and Dynamic RPC** **Endpoint Mapping** **Recent resurgence in Shamoon** **ANOTHER HOLIDAY LOST … WannaCry and Wanna Decryptor** **Another great threat Profile... Shell_Crew�** **Recommended Content** **incident response essentials** **[RSA NetWitness Packets](https://community.rsa.com/community/products/netwitness/content?filterID=contentstatus[published]~category[rsa-netwitness-packets])** **incident discovery** **methodology** **rsa_ir** ----- **Beat the Clock & Save $$ on Your Upgrade to RSA Archer 6.x: Maximize Your Benefits with One�** **of Two RSA Professional Services Discounts, Offer Extended Through Feb. 4, 2018�** **[System Security and User Management Guide for Version 10.6.5](https://community.rsa.com/docs/DOC-84273)** **[RSA Security Analytics System Configuration Guide�](https://community.rsa.com/docs/DOC-85190)** **[000033416 - Opening RSA Archer Records takes a long time to load](https://community.rsa.com/docs/DOC-53354)** **Products & Solutions** **RSA® Access Manager** **RSA® Adaptive** **Authentication** **RSA® Adaptive Auth. for** **eCommerce** **RSA® Adaptive Directory** **RSA Archer® Suite** **RSA BSAFE®** **RSA® Data Loss** **Prevention (DLP)** **RSA® Data Protection** **Manager (DPM)** **RSA® Digital Certificate�** **Solutions** **[© 2017 Jive Software](http://www.jivesoftware.com/poweredby/)** **[Home Top of page Help](http://docs.jivesoftware.com/cloud_ext/end_user/jive.help.core)** **RSA University** **RSA Archer® Suite** **Training** **RSA NetWitness® Suite** **Training** **RSA SecurID® Suite** **Training** **RSA enVision®** **RSA® Federated** **Identity Manager** **(FIM)** **RSA® FraudAction** **Services** **RSA® Identity** **Governance &** **Lifecycle** **RSA NetWitness®** **Endpoint** **RSA NetWitness®** **Logs & Packets** **RSA SecurID® Suite** **RSA® Web Threat** **Detection** **Support** **[My RSA](https://rsaportal.force.com/customer/home/home.jsp)** **RSA Labs** **RSA Ready** **Activity** **Feed** **About RSA** **Link** **Terms &** **Conditions** **[Submit](https://www.surveymonkey.com/r/ST8MYJP)** **Feedback** -----