A look under the hood of FIN7’s notorious Carbanak backdoor – the result of nearly 500 total hours of analysis across 100,000 lines of code and dozens of binaries – shows that the malware is highly sophisticated – more sophisticated than expected. It’s a Cadillac in a sea of golf carts, if you will.
That’s according to analysis from FireEye researchers, who said that notably, the malware (which has been used in hundreds if not thousands of successful, financially motivated cyberattacks in the past four years) has an entirely different approach to command-and-control (C2) communication than what’s typically seen in the wild.
Not Exactly New
To be clear: The fact that the source code was found is not new. FireEye previously talked about its source-code findings back in October 2018 (a detailed PDF was also made available) – but its analysis this week elaborates on the researchers’ discoveries.
“We first reverse-engineered several Carbanak binaries around three years ago,” James T. Bennett, staff reverse engineer at FireEye, told Threatpost. “At that time, we did not have the source code and were writing a detailed report for a client. We discovered the source code and supporting toolset on VirusTotal about a year later, around two years ago. We analyzed everything in those archives in order to enhance and expand our existing reporting and intelligence.”
It’s unclear whether the source code went unnoticed by the larger security community for the duration of those two years — Threatpost has reached out to other firms to determine if anyone else took notice.
But as Terence Jackson, chief information security officer at Thycotic, pointed out, it’s possible that it simply slipped through the cracks.
“It does seem odd that the Carbanak source code would not be noticed for two years,” he told Threatpost. However, millions of files are uploaded to VirusTotal every week for analysis. In my experience, there would need to be a certain level of skill to identify Cabanak, which the FireEye researcher possessed.”
Carbanak Surprise
Chief among the initial reverse-engineering revelations, released Monday as the first of a four-part series on the code – is the fact that Carbanak employs a sophisticated, complex command-handling function for getting orders from its C2.
A garden-variety backdoor will receive and evaluate a command ID from the C2 server and respond with the right function needed to carry out the command – at its heart, a basic call-and-response approach.
“For example, a backdoor might ask its C2 server for a command and receive a response bearing the command ID 0x67,” wrote FireEye researcher Michael Bailey, in a blog post released on Monday. “The dispatch function in the backdoor will check the command ID against several different values, including 0x67, which as an example might call a function to shovel a reverse shell to the C2 server… Each block of code checks against a command ID and either passes control to the appropriate command handling code, or moves on to check for the next command ID.”
Carbanak however “is an entirely different beast,” he said.
To wit: “It uses a Windows mechanism called named “pipes” as a means of communication and coordination across all the threads, processes and plugins under the backdoor’s control,” Bailey explained.
Quite a Set of Pipes
In other words, when Carbanak receives a command, it forwards the command over a designated “pipe.” The pipe contains several different functions that process the command, possibly writing it to one or more additional named pipes, until it arrives at its destination where the specified command is finally handled.
“Command handlers may even specify their own named pipe to request more data from the C2 server,” Bailey explained. “When the C2 server returns the data, Carbanak writes the result to this auxiliary named pipe and a callback function is triggered to handle the response data asynchronously.”
Needless to say, this is a much more nuanced and flexible way of handling C2 communications. And interestingly, it also allows for the possibility of sending commands to the malware using a local client, without the use of a network.
The pipes architecture made analysis difficult – more so than dealing with binaries. This is a radical departure from what was expected: A malware’s source code is usually considered a fast-track way to analyze malware.
For Carbanak, “[analysis] required maintaining tabs for many different views into the disassembly, and a sort of textual map of command IDs and named pipe names to describe the journey of an inbound command through the various pipes and functions before arriving at its destination,” explained Bennett.
Bailey expanded on this: “Depending on the C2 protocol used and the command being processed, control flow may take divergent paths through different functions only to converge again later and accomplish the same command. Analysis required bouncing around between almost 20 functions in five files, often backtracking to recover information about function pointers and parameters that were passed in from as many as 18 layers back.”
Bottom line, the malware was designed with such an elaborate tasking mechanism in a bid for obfuscation – demonstrating significant coding ability on the part of its authors. That also holds true for the way the Windows API resolution function happens: The malware uses a simple string hash known as PJW to locate Windows API functions without disclosing their names. The analysts found this being used literally hundreds of times, the team said.
“The Carbanak source code is illustrative of how these malware authors addressed some of the practical concerns of obfuscation,” the researchers said in the post. “Both the tasking code and the Windows API resolution system represent significant investments in throwing malware analysts off the scent of this backdoor.”
The Carbanak custom backdoor is associated with the FIN7 organized crime syndicate, an Eastern European group that has focused on point-of-sale targets at restaurants, casinos and hotels since at least 2015. The group typically uses malware-laced phishing attacks against victims in hopes they will be able to infiltrate systems to steal bank-card data and sell it.
The backdoor is also affiliated with the related, eponymous group the Carbanak Gang (a.k.a. Cobalt), which is known for targeting internal banking infrastructure and ATMs. Europol has said that overall, the criminal operation has struck banks in more than 40 countries, resulting in cumulative losses of over EUR 1 billion for the financial industry. Its leader was nabbed in March 2018.
Also last year, FIN7’s leadership was arrested in Europe and accused of hacking more than 120 U.S.-based companies with the intent of stealing bank cards. In total, U.S. Department of Justice authorities said FIN7 is responsible for the loss of tens of millions of dollars.
Despite the arrests, other members of the group have soldiered on, continuing to harass victims with fresh malware development. Both FIN7 and the Carbanak Gang are known for their agility and innovation, developing unique attack techniques and cycling through them before adequate defenses could be mounted. The source code’s revelation of the complex C2 communication brings this into high relief — and FireEye said that it hopes its source-code analysis can finally give the defense community a leg up. That’s a sentiment echoed by others.
“This find can provide significant insight into the tactics, techniques and procedures of FIN7 and that could provide valuable IOC’s to the threat intelligence community,” Thycotic’s Jackson said.
Don’t miss our free Threatpost webinar, “Data Security in the Cloud,” on April 24 at 2 p.m. ET.
A panel of experts will join Threatpost senior editor Tara Seals to discuss how to lock down data when the traditional network perimeter is no longer in place. They will discuss how the adoption of cloud services presents new security challenges, including ideas and best practices for locking down this new architecture; whether managed or in-house security is the way to go; and ancillary dimensions, like SD-WAN and IaaS.