• caglararli@hotmail.com
  • 05386281520

CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis

Çağlar Arlı      -    7 Views

CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis

FireEye has observed the certificate most recently being served on the following IPs (Table 4):

IP

Hostname

Last Seen

104.193.252.151:443

vds2.system-host[.]net

2019-04-26T14:49:12

185.180.196.35:443

customer.clientshostname[.]com

2019-04-24T07:44:30

213.227.155.8:443

 

2019-04-24T04:33:52

94.156.133.69:443

 

2018-11-15T10:27:07

185.174.172.241:443

vds9992.hyperhost[.]name

2019-04-27T13:24:36

109.230.199.227:443

 

2019-04-27T13:24:36

Table 4: Recent Test Company certificate use

While these IPs have not been observed in any CARBANAK activity, this may be an indication of a common developer or a shared toolkit used for testing various malware. Several of these IPs have been observed hosting Cobalt Strike BEACON payloads and METERPRETER listeners. Virtual Private Server (VPS) IPs may change hands frequently and additional malicious activity hosted on these IPs, even in close time proximity, may not be associated with the same users.

I also parsed an unprotected private key from the source code dump. Figure 4 and Table 5 show the private key parameters at a glance and in detail, respectively.


Figure 4: Parsed 512-bit private key

Field

Value

bType

7

bVersion

2

aiKeyAlg

0xA400 (CALG_RSA_KEYX) – RSA public key exchange algorithm

Magic

RSA2

Bitlen

512

PubExp

65537

Modulus

0B CA 8A 13 FD 91 E4 72 80 F9 5F EE 38 BC 2E ED

20 5D 54 03 02 AE D6 90 4B 6A 6F AE 7E 06 3E 8C

EA A8 15 46 9F 3E 14 20 86 43 6F 87 BF AE 47 C8

57 F5 1F D0 B7 27 42 0E D1 51 37 65 16 E4 93 CB

P

8B 01 8F 7D 1D A2 34 AE CA B6 22 EE 41 4A B9 2C

E0 05 FA D0 35 B2 BF 9C E6 7C 6E 65 AC AE 17 EA

Q

81 69 AB 3D D7 01 55 7A F8 EE 3C A2 78 A5 1E B1

9A 3B 83 EC 2F F1 F7 13 D8 1A B3 DE DF 24 A1 DE

Dp

B5 C7 AE 0F 46 E9 02 FB 4E A2 A5 36 7F 2E ED A4

9E 2B 0E 57 F3 DB 11 66 13 5E 01 94 13 34 10 CB

Dq

81 AC 0D 20 14 E9 5C BF 4B 08 54 D3 74 C4 57 EA

C3 9D 66 C9 2E 0A 19 EA C1 A3 78 30 44 52 B2 9F

Iq

C2 D2 55 32 5E 7D 66 4C 8B 7F 02 82 0B 35 45 18

24 76 09 2B 56 71 C6 63 C4 C5 87 AD ED 51 DA 2ª

D

01 6A F3 FA 6A F7 34 83 75 C6 94 EB 77 F1 C7 BB

7C 68 28 70 4D FB 6A 67 03 AE E2 D8 8B E9 E8 E0

2A 0F FB 39 13 BD 1B 46 6A D9 98 EA A6 3E 63 A8

2F A3 BD B3 E5 D6 85 98 4D 1C 06 2A AD 76 07 49

Table 5: Private key parameters

I found a value named PUBLIC_KEY defined in a configuration header, with comments indicating it was for debugging purposes. The parsed values are shown in Table 6.

Field

Value

bType

6

bVersion

2

aiKeyAlg

0xA400 (CALG_RSA_KEYX) – RSA public key exchange algorithm

Magic

RSA1

Bitlen

512

PubExp

65537

Modulus

0B CA 8A 13 FD 91 E4 72 80 F9 5F EE 38 BC 2E ED

20 5D 54 03 02 AE D6 90 4B 6A 6F AE 7E 06 3E 8C

EA A8 15 46 9F 3E 14 20 86 43 6F 87 BF AE 47 C8

57 F5 1F D0 B7 27 42 0E D1 51 37 65 16 E4 93 CB

Table 6: Key parameters for PUBLIC_KEY defined in configuration header

Network Based Indicators

The source code and binaries contained multiple Network-Based Indicators (NBIs) having significant overlap with CARBANAK backdoor activity and FIN7 operations previously observed and documented by FireEye. Table 7 shows these indicators along with the associated FireEye public documentation. This includes the status of each NBI as it was encountered (active in source code, commented out, or compiled into a binary). Domain names are de-fanged to prevent accidental resolution or interaction by browsers, chat clients, etc.

NBI

Status

Threat Group Association

comixed[.]org

Commented out

Earlier CARBANAK activity

194.146.180[.]40

Commented out

Earlier CARBANAK activity

aaaabbbbccccc[.]org

Active

 

stats10-google[.]com

Commented out

FIN7

192.168.0[.]100:700

Active

 

80.84.49[.]50:443

Commented out

 

52.11.125[.]44:443

Commented out

 

85.25.84[.]223

Commented out

 

qwqreererwere[.]com

Active

 

akamai-technologies[.]org

Commented out

Earlier CARBANAK activity

192.168.0[.]100:700

Active

 

37.1.212[.]100:700

Commented out

 

188.138.98[.]105:710

Commented out

Earlier CARBANAK activity

hhklhlkhkjhjkjk[.]org

Compiled

 

192.168.0[.]100:700

Compiled

 

aaa.stage.4463714.news.meteonovosti[.]info

Compiled

DNS infrastructure overlap with later FIN7 associated POWERSOURCE activity

193.203.48[.]23:800

Active

Earlier CARBANAK activity

Table 7: NBIs and prevously observed activity

Four of these TCP endpoints (80.84.49[.]50:443, 52.11.125[.]44:443, 85.25.84[.]223, and 37.1.212[.]100:700) were new to me, although some have been documented elsewhere.

Conclusion

Our analysis of this source code dump confirmed it was CARBANAK and turned up a few new and interesting data points. We were able to notify vendors about disclosures that specifically targeted their security suites. The previously documented NBIs, Windows API function resolution, backdoor command hash values, usage of Windows cabinet file APIs, and other artifacts associated with CARBANAK all match, and as they say, if the shoe fits, wear it. Interestingly though, the project itself isn’t called CARBANAK or even Anunak as the information security community has come to call it based on the string artifacts found within the malware. The authors mainly refer to the malware as “bot” in the Visual Studio project, filenames, source code comments, output binaries, user interfaces, and manuals.

The breadth and depth of this analysis was a departure from the usual requests we receive on the FLARE team. The journey included learning some Russian, searching through a hundred thousand of lines of code for new information, and analyzing a few dozen binaries. In the end, I’m thankful I had the opportunity to take this request.

In the next post, Tom Bennett takes the reins to provide a retrospective on his and Barry Vengerik’s previous analysis in light of the source code. Part Four of CARBANAK Week is available as well.