For years, backdoor malware has been around trying to steal banking and credit card information. Nowadays, they try to hit anything they can and has been targeting restaurant chains all across the US.
This new malware has been dubbed Bateleur — after a breed of eagle — by the researchers at Proofpoint who uncovered it, it’s thought to be the work of Carbanak, a group that focuses its attacks on corporate targets.
Said group has been behind a string of focused attacks that has stolen over $1 Billion from banks worldwide.
Carbanak has previously targeted hotels, retailers, suppliers and merchants services. But now, it has been trying to infiltrate chain restaurants. They are trying to achieve this by trying to get a backdoor access which would enable them to take screenshots, steal passwords, run scripts and commands, log keystrokes and a whole lot more.
There are new techniques employed here which are included with the javascript backdoor such as new macros, anti-analytics tools and sandbox evasion techniques that provides ample cloaking mechanism.
Not only do they do it with javascript, they even have an email phising campaign. Basically, it uses an Outlook or Gmail address which notifies the intended victim about a previously discussed cheque with a macro-laced word document.
Interestingly enough, the attachment claims the document is encrypted and protected by ‘Outlook Protect Service’ or ‘Google Documents Protect Service’. This will depend on the email address sending the message. In both cases, names of authentic antivirus companies appear on the JScript document dropper in order to lure the victim into a false sense of security.
If the user enables the macro, the payload is delivered and runs a series of tasks to avoid being detected.
Researchers describe the Jscript as having “robust capabilities” including anti-sandbox functionality and anti-analysis obfuscation. It’s also capable of retrieving infected system information, listing running processes, execution of custom commands and PowerShell Scripts, uninstalling and updating itself, and taking screenshots.
In theory, Bateleur can also exfiltrate passwords, although this particular instruction requires an additional module from the command-and-control server in order to work. Currently, the malware lacks some of the features required to do this, and does not have backup servers, but researchers expect these to be added in the near future — especially given the persistent nature of the attackers.
All the techniques used points to the Carbanak group. However the Bateleur JScript backdoor and its new macro-laced word document seems to be a new tool they have developed. As of the moment, it provides them a good way to hide and avoid detection. The possibilities of future development of this malware is expanding and is a continuous threat to all aspects of computer users. May it be home users or corporations, always be on the lookout for suspicious emails, attachments and activities that is happening when you use the computer.
