Dubbed Bateleur, this malware uses with macro-laden phishing emails that allow attackers to take screenshots, steal passwords, and more.
A notorious hacking group is back with a new method of distributing Trojan malware, with the aim of creating backdoors into the networks of restaurant chains across the US.
Dubbed Bateleur — after a breed of eagle — by the researchers at Proofpoint who uncovered it, it’s thought to be the work of Carbanak, a group that focuses its attacks on corporate targets.
The group has stolen over $1bn from banks worldwide and is thought to be behind a string of other attacks.
Carbanak has previously targeted hospitality organisations including retailers, merchant services, and suppliers. This time, however, it is attempting to infiltrate chain restaurants through a backdoor into their Windows systems, enabling the group to take screenshots, steal passwords, execute commands, and more.
In order to increase the chances of infection without being detected, the Javascript backdoor is accompanied by new macros, anti-analysis tools, and sandbox evasion techniques that help cloak its activity.
As with many cyberattacks, a phishing email is used to lure in the target. The message is sent from an Outlook address or a Gmail and claims to contain information about a previously discussed cheque in an attached Word document.
The attachment claims the document is encrypted and protected by ‘Outlook Protect Service’ or ‘Google Documents Protect Service’ depending on the email address sending the message. In both cases, names of authentic antivirus companies appear on the JScript document dropper in order to lure the victim into a false sense of security.
If the user is tricked into enabling editing of the document, the document accesses the malicious payload with a series of scheduled tasks, in an attempt to avoid detection.
Researchers describe the Jscript as having “robust capabilities” including anti-sandbox functionality and anti-analysis obfuscation. It’s also capable of retrieving infected system information, listing running processes, execution of custom commands and PowerShell Scripts, uninstalling and updating itself, and taking screenshots.
In theory, Bateleur can also exfiltrate passwords, although this particular instruction requires an additional module from the command-and-control server in order to work. Currently, the malware lacks some of the features required to do this, and does not have backup servers, but researchers expect these to be added in the near future — especially given the persistent nature of the attackers.
Proofpoint have identified Carbanak as the perpetrators of this campaign with “a high degree of certainty” due to some telltale signs.
Firstly, similar messages have been sent to the same targets, attempting to deliver messages containing GGLDR, a malicious script associated with Carbanak’s VBScript malware.
Secondly, a Meterpreter in-memory DLL injection downloader script called TinyMet has been spotted being downloaded by Bateleur, and subsequently been used repeatedly by the group.
Researchers also note that the Powershell password grabber utilised by Bateleur contains a Dynamic-link library identical to the one found embedded in GGLDR samples.
“The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group’s expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines,” Proofpoint researchers Matthew Mesa and Darien Huss said in a blog post.
From:http://www.zdnet.com/article/new-trojan-malware-attack-targets-restaurant-chains/
About OsMonitor:
The mission of OsMonitor is to create a Windows computer system tailored for work purposes, effectively regulating employee computer behavior. It enables employers to understand what employees are doing each day, monitoring every action, including screen activity and internet usage. Additionally, it restricts employees from engaging in specific activities such as online shopping, gaming, and the use of USB drives.
OsMonitor, designed purely as software, is remarkably user-friendly and requires no additional hardware modifications. A single management machine can oversee all employee computers. As a leading brand in employee computer monitoring software with over a decade of successful operation, OsMonitor has rapidly captured the global market with its minimal file size and excellent cost-effectiveness compared to similar software. At this moment, thousands of business computers worldwide are running OsMonitor daily.
