Following the leak of an enhanced Buhtrap malware source code, Minerva’s research team released a summary of its highlights, sharing their insights about this threat and the aftermath of the leak.
On July 7th a user named FR3D (who also operates an active Twitter account) posted on a forum mal4all a link for the source of what he claimed to be Carbanak’s tools source code.
The original post in mal4all[.]com
If the name Carbanak rings a bell it is because this is one of the most prolific cybercrime groups, as a report by Group-IB claimed their illicit profits exceeded one billion dollars.
In this blog post we wish to share our initial analysis and impressions from the leak with the malware research community and blue teamers. Note that this is a work in progress and we might add further details over time.
Is It Carbanak?
First and foremost, when a security researcher approaches a data leak he wishes to verify what exactly he or she has in their possession. In this case the original forum post claimed it is the tool used by the Carbanak group, however, some of the facts simply didn’t add up.
The first hint that this is not Carbanak, was a code signing certificate appearing in the leak. The same certificate was used in an attack on Russian bank employees a couple of years ago, but surprisingly, the malware used in this campaign was Buhtrap (AKA Ratopak), not Carbanak.
The (now revoked) certificate of one of the binaries in the leak, same as the one used by Buhtrap
Later, further links between Buhtrap and the leaked source were found:
At least some parts of the source code leak fit to Buhtrap/Ratopak (f4ae5579930f20ccc41d1f8b1e417e87) code as described here: https://t.co/zkcv05OaEC #carbanak #buhtrap #ratopak pic.twitter.com/rqQrzIxFJF
— Daniel Plohmann (@push_pnx) July 11, 2018
Cross-referencing our data with other fellow researchers and their valuable intelligence confirmed the fact that this is not Carbanak, rather, it is a tool with similar purpose branched from Ratopak/Buhtrap.
— Anton Cherepanov (@cherepanov74) July 11, 2018
7-11-2018: Confirmed Links b/w ‘#Pegasus‘ & ‘#Buhtrap‘ Leaked Code & Groups:
1⃣ Exact Code Overlap:
buhtrap/11. DLL Side-Loading+panel/…/libs/ -> pegasus/inc/
2⃣ C2: mp3.ucrazy[.org/music/
3⃣ Target Bank: Russian “Metallinvestbank” <-> Buhtrap Reported Breach pic.twitter.com/iecdfEGDPf
— Vitali Kremez (@VK_Intel) July 11, 2018
The original leak is a password protected archive named group_ib_smart_boys, possibly because they repeatedly uncovered attacks on Russian banks for over a decade.
Within the archive there were various types of files, ranging from raw assembly and C/C++ source code to internal documentation of the tool and instructions.
Distribution of the leaked files by filetype
The leak files are well organized, broken into four different folders.
The first is bck_check – containing only a single file for parsing logs, absent in the leaked folder.
Next, was one named cvs_check, containing a wide range of intelligence supporting attacks on banks:
- Detailed information about bank employees, including email addresses, phone numbers and their positions.
- Active directory dumps, implying intimate knowledge of the banks’ internal systems from previous breaches.
- “Counter-intelligence”, a guide for evading anti-fraud security products:
ANTIFRAUD.txt, containing tips for evading detection
The third folder, named gen_payments_script, was also lacking some files and contained only a PHP script for generating credible fake payment metadata, e.g. – it calculates a fake 18% sales tax and adds it to the total sum.
Last but not least is the fourth folder named Pegasus, after the name of the group’s tool (internally nicknamed Pegas, Russian: Пегас). This folder is the core of the leak, containing the Trojan source code and critical binaries for its operation. Some of the highlights of what we found in this folder is:
- The Trojan’s installation routine, abuses the MapViewOfSection API using process hollowing to inject to an instance of svchost.exe. Intrestingly the attacker’s split the string holding the path of svchost to evade a specific anti-virus product that would have triggered its emulator only if the entire string is held in single variable.
Splitting the path to svchost.exe to avoid detection by anti-virus software
- Targetting Russian accounting software (similarly to a Buhtrap camapign from 2014), seeking ifexe is running and injecting a shellcode into it:
Note that in this case the attackers used a different code injection techinuqe, relying on WriteProcessMemory:
Mimikatz, as incorporated in Pegasus
- A module for spreading in the victim’s network using multiple techniques:
It is clear that the criminals behind Pegasus were organized and understood how they can propagate within their targets.
- Using old vulnerabilities from 2015 (CVE-2015-0057 and CVE-2015-1701) for privilege escalation. Note their “to dos” list, for avoiding machines already patched against their exploits:
A detailed list of the modules in the Pegasus project is available in @Malwageddon’s blog which translated the index of the folder from Russian:
What will happen now?
This is not the first-time malware source code leaks, we’ve already seen it with Carberp, Zeus, Hacking Team and even NSA’s exploits. Similarly, we can carefully assess that just like in previous cases, the code will be re- used by less skilled threat actors.
Moreover, the intelligence collected about bank employees and bypassing anti-fraud products is now public. While this data clearly can’t be incorporated in a malware, it can be re-used by others , deploying targeted evasive attacks.
On the bright side, the wide exposure of the source code and text files containing the group’s methodology will allow security products to improve – as it allows vendors a unique glimpse into the criminal modus operandi and state-of-mind.
Also, unlike previous cases, there are no new exploits released in this leak – an issue which was highly problematic in the past.
Are You Protected?
Threat actors such as Pegasus, Buhtrap and Carbanak target banks and financial institutions. Since the source code to Buhtrap is now available, other groups are likely to use it for creating their own malware variants, which they might use to pursue victims in other industries. If you feel you are in danger or believe you fell victim to any of the above threats feel free to contact us.
Minerva’s customers are protected against these threats by the various modules that comprise our Anti-Evasion Platform.
Sharing is Caring
We would like to share our thanks to all the users taking part in analyzing the leaked source code, including users of the Malware Research Group Slack Channel and especially to @VKremez, @Malwageddon and @push_pnx alongside others who wish to remain anonymous which actively share their intelligence and insights with us, assisting us to provide the above data to the public.