Dubbed Bateleur, the malware is spread via phishing emails purporting to contain information on a previously discussed check and is sent form an Outlook.com account. The malicious emails contains an attachment document claiming “This document is encrypted by Outlook Protect Service” or that “This document is encrypted by Google Documents Protect Service,” according to a July 31 blog post.
The attachment is actually a macro-laden Word document which extracts a malicious Jscript dropper. The malware saves malicious content in a .txt file and creates a scheduled task whose purpose is to execute the file.
“The malicious JScript has robust capabilities that include anti-sandbox functionality, anti-analysis (obfuscation), retrieval of infected system information, listing of running processes, execution of custom commands and PowerShell scripts, loading of EXEs and DLLs, taking screenshots, uninstalling and updating itself, and possibly the ability to exfiltrate passwords,” the report said.
Researchers said Carbanak continues to change its tactics and tools in their attempts to infect more targets and evade detection. Bateleur JScript backdoor provides the cybergang with new means of infection, hiding their activity, and growing capabilities for stealing information and executing commands directly onto their victim's machines.
While Bateleur may not seem like the most technically advanced malware, its small size and robustness make it a handy tool that can "fly under the radar", and might initially go unnoticed by signature-based anti-malware solutions, Cylance Senior Threat Researcher Marta Janus told SC Media.
“This approach seems to mirror a recent trend in malicious software development, where the first stage backdoor responsible for the C&C communication is as small and lightweight as possible, while most of the data stealing functionalities are implemented as separate second-stage modules,” Janus said. “This allows the attackers to maintain only a tiny piece of code running on the machine, serving as loader of additional in-memory payloads, which might be pushed and removed by the attackers at will.”
She added that even though the backdoor provides limited functionality, it can be used to upload and execute additional modules and run shell commands on the victim's machine.
Janus said Carbanak is one of the most sophisticated cybercrime groups of recent times and that it combines complex techniques used in targeted attacks with the effectiveness of wide-spread malware.