Carbanak Attackers Devise Clever New Persistence Trick

itman · May 5, 2017

Another Windows vulnerability exploited.

Hackers behind the Carbanak criminal gang have devised a clever way to gain persistence on targeted systems to more effectively pull off financially motivated crimes. The technique involves creating a bogus instance of a Microsoft Windows app compatibility feature.

On Wednesday, Mandiant, FireEye’s incident response team, posted a technical description of the technique, which it first observed earlier this year. More specifically, researchers say the Carbanak group (also known as FIN7) leverages what are called shim databases. According to Mandiant, shim databases are part of Microsoft’s Windows Application Compatibility Infrastructure.

“Mandiant identified that the group leveraged an application shim database to achieve persistence on systems in multiple environments. The shim injected a malicious in-memory patch into the Services Control Manager (‘services.exe’) process, and then spawned a Carbanak backdoor process,” wrote co-authors of the report Matthew McWhirt, Jon Erickson and DJ Palombo, each researchers with Mandiant.
Click to expand...

https://threatpost.com/carbanak-attackers-devise-clever-new-persistence-trick/125457/

itman · May 5, 2017

Mitigation recommendations per the referenced FireEye article:

Mandiant recommends the following to detect malicious application shimming in an environment:

Monitor for new shim database files created in the default shim database directories of “C:\Windows\AppPatch\Custom” and “C:\Windows\AppPatch\Custom\Custom64”

Monitor for registry key creation and/or modification events for the keys of “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom” and “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB”

Monitor process execution events and command line arguments for malicious use of the “sdbinst.exe” utility

Click to expand...

Rasheed187 · May 6, 2017

Interesting, but I assume this is blocked when you block execution of powershell.exe? If not, then sdbinst.exe should also be added to the vulnerable apps list. And I don't think that AutoRuns is monitoring the AppCompatFlags reg-key, so they might want to add this.

itman · May 6, 2017

Rasheed187 said: ↑

Interesting, but I assume this is blocked when you block execution of powershell.exe? If not, then sdbinst.exe should also be added to the vulnerable apps list. And I don't think that AutoRuns is monitoring the AppCompatFlags reg-key, so they might want to add this.
Click to expand...

Sbinst.exe like most Win utility processes needs admin privileges. So if past malware "tricks" such as running it hidden were attempted, UAC set at max. level will trigger an alert.

Log in or Sign up

Carbanak Attackers Devise Clever New Persistence Trick

itman Registered Member

itman Registered Member

Rasheed187 Registered Member

itman Registered Member

Log in or Sign up

Carbanak Attackers Devise Clever New Persistence Trick

itman Registered Member

itman Registered Member

Rasheed187 Registered Member

itman Registered Member

Useful Searches