Financial Sector as a Main Target: Analyzing Anunak and Chthonic Malicious Campaigns

March 20, 2012 was a good day for cybersecurity. It was the day the Russian police managed to arrest the criminals behind “Carberp”, a Trojan used to compromise numerous bank accounts. Less than two years later, the minds behind that operation can add another item to their list of accomplishments: a major operation targeting financial institutions was successfully executed. The core malware used in this attack was dubbed “Anunak”, a Trojan that, according to current research, has been used only for targeted attacks. Unsurprisingly, parts of the “Carberp” code were found within the Trojan.

The attackers were able to penetrate internal networks using two major vectors: the first by leveraging existing botnets (both botnets created by the group and those owned by collaborators) and the second by sending malicious spear-phishing emails. The spear-phishing emails carried an infected attachment exploiting CVE-2012-2539 and CVE-2012-0158, both of which are well-known vulnerabilities. For privilege escalation, the attackers used CVE-2014-4113, a vulnerability that had recently been exploited in the wild.

The first attack of this campaign was launched at the beginning of 2013 against a Russian bank. After using the methods mentioned above to infect an employee's computer, the attackers spread to various servers (using privilege escalation) and eventually gained access to the Holy Grail: the banking system servers and workstations. Once the attackers had a foothold in the internal banking system, malicious software was installed and remotely controlled.

The exposure of this operation comes shortly after a different campaign targeting the same sector. On December 18, Kaspersky Labs published details of a new malware threat called Trojan-Banker.Win32.Chthonic. This malware is described as an evolution of the infamous Zeus Trojan and, as Zeus did, it targets the financial sector, specifically online banking systems and their customers. The spread of this malware is quite wide: Chthonic was found in over 20 payment systems and over 150 different banks in 15 countries, mainly in the UK, US, Spain, Japan, Russia and Italy.

This widespread attack was carried out using a rather pervasive infection technique: a backdoor for malicious code was embedded within a .DOC file that was sent as an email attachment or as a web link. The malicious file exploits a well-known vulnerability in Microsoft Office products, CVE-2014-1761. The exploitation then initiates a series of actions in which malicious code is injected into the process msiexec.exe and several modules are installed on the victim’s machine.

As is often the case in targeted attacks, the enabler of the attack in both of these cases was exploitation. The term exploitation is used quite frequently; it refers to the exact moment at which a vulnerability is leveraged to enable malicious code execution. That moment is also the basis on which Palo Alto Networks Traps was developed. Traps is our Advanced Endpoint Protection solution, which proactively prevents vulnerability exploitation without prior knowledge of the threat. It is agnostic to whether the threat is familiar or new (zero-day).

Why does Traps matter to this discussion? In these specific attack cases, all of the vulnerabilities mentioned above that were used for exploitation (CVE-2012-2539, CVE-2012-0158, CVE-2014-4113 and CVE-2014-1761) would have been successfully prevented with Traps deployed.

