Proofpoint researchers recently came across a new JScript backdoor called Bateleur, which is being distributed by the FIN7 (a.k.a. Carbanak) hacker group in phishing emails targeting U.S.-based restaurant chains.
In an example provided by the researchers, the threat is distributed in an email sent from an Outlook.com or Gmail account, with the message, “here is the check as discussed.” Attached to the email is a Word document containing a macro.
When executed, the macro creates a scheduled task to run Bateleur, then sleeps for three seconds, then executes Bateleur, then sleeps for 10 seconds, then deletes the scheduled task.
“The combined effect of these commands is to run Bateleur on the infected system in a roundabout manner in an attempt to evade detection,” the researchers note.
The malicious JScript itself includes anti-sandbox and anti-analysis functionality. It’s capable of retrieving system information, listing running processes, executing custom commands and PowerShell scripts, loading EXEs and DLLs, taking screenshots, uninstalling and updating itself, and possibly stealing passwords.
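The create-run-delete sequence described above leaves a distinctive trace in Windows audit logs: a scheduled task that exists for only a few seconds. As an added example (not from Proofpoint's report or from the malware itself), the following Python script flags such short-lived tasks by pairing Windows Security events 4698 (scheduled task created) and 4699 (scheduled task deleted) on the same task name. The event IDs are real; the record layout and the log entries are constructed for this example, and the 60-second threshold is an assumed tuning value.

```python
"""
Flag scheduled tasks that are created and then deleted within seconds,
the pattern described above for the Bateleur dropper macro.

Event IDs 4698 (scheduled task created) and 4699 (scheduled task deleted)
are real Windows Security audit events; the tuple layout below is a
constructed, simplified stand-in for the parsed event fields.
"""
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event id, user, task name).
# The task names and users are invented for the example.
SAMPLE_EVENTS = [
    ("2017-07-31T10:15:02", 4698, "CORP\\jdoe", "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"),
    ("2017-07-31T10:15:05", 4698, "CORP\\jdoe", "\\UpdateTask"),
    ("2017-07-31T10:15:18", 4699, "CORP\\jdoe", "\\UpdateTask"),
    ("2017-07-31T12:00:00", 4698, "CORP\\admin", "\\Backup\\Nightly"),
    ("2017-08-02T12:00:00", 4699, "CORP\\admin", "\\Backup\\Nightly"),
]


def parse_event(record):
    """Turn one constructed record into a dict with a real datetime."""
    ts, event_id, user, task = record
    return {"time": datetime.fromisoformat(ts), "id": event_id,
            "user": user, "task": task}


def find_short_lived_tasks(events, max_lifetime=timedelta(seconds=60)):
    """Return (task, user, lifetime_seconds) for every task whose 4699
    deletion follows its 4698 creation within max_lifetime.

    Tasks that are never deleted (normal maintenance jobs) and tasks that
    live for days are ignored; only the create-then-delete burst is flagged.
    """
    pending = {}  # task name -> most recent creation event
    hits = []
    for ev in sorted((parse_event(r) for r in events), key=lambda e: e["time"]):
        if ev["id"] == 4698:
            pending[ev["task"]] = ev
        elif ev["id"] == 4699:
            created = pending.pop(ev["task"], None)
            if created is None:
                continue  # deletion without a matching creation in this window
            lifetime = ev["time"] - created["time"]
            if lifetime <= max_lifetime:
                hits.append((ev["task"], ev["user"], lifetime.total_seconds()))
    return hits


if __name__ == "__main__":
    for task, user, secs in find_short_lived_tasks(SAMPLE_EVENTS):
        print(f"ALERT: short-lived scheduled task {task} by {user}, lifetime {secs:.0f}s")
```

Both 4698 and 4699 require the "Audit Other Object Access Events" subcategory to be enabled, so the check is only as good as the audit policy feeding it; on hosts where that policy is off, the Microsoft-Windows-TaskScheduler/Operational log carries equivalent registration and deletion events.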
“We continue to see regular changes to the tactics and tools used by FIN7 in their attempt to infect more targets and evade detection,” the researchers state. “The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group’s expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines.”
Still, Simon Taylor, vice president of products at Glasswall, said it’s worth noting that while the malware itself is relatively sophisticated, it’s delivered via a straightforward phishing email. “Phishing is a tried and true method for attackers — largely because it is predictably and repeatedly successful,” he said.
“Historically, the security industry has attempted to change employee behavior,” Taylor added. “But while education helps, cyber criminals are continuously adjusting their techniques and the authenticity of their messages in order to stay several steps ahead of their victims.”
“Humans are and always will be the weakest link in an organization, and going forward, defense and detection strategies must change to address these inevitable challenges,” Taylor said.
In Mimecast’s latest quarterly Email Security Risk Assessment, among 45 million emails inspected, fully 31 percent were deemed unsafe, including more than 10.8 million spam emails, 8,682 dangerous file types, 1,778 known and 503 unknown malware attachments, and 9,677 impersonation emails.
A separate Mimecast survey of 800 IT decision makers and C-level executives found that only 30 percent of respondents have adopted a complete cyber resilience strategy, and less than 20 percent feel completely confident in their ability to spot and defend against cyber attacks.
“Cyber resilience is not just an IT issue, it’s a business issue,” Mimecast CTO Neil Murray said in a statement. “An organization must take a layered approach to build an effective cyber resilience plan to protect business data against email-borne threats.”
Imperva recently published a report entitled “Beyond Takeover — Stories from a Hacked Account” [PDF], based on analysis of almost 90 personal accounts intentionally revealed to phishers. Among other findings, the research found that more than 50 percent of accounts were accessed 24 hours or more after the credentials were stolen, demonstrating that a quick password change following a credential compromise can prevent the account from being taken over.
“This lesson proves the value of incorporating threat intelligence and breach detection solutions that quickly detect and help mitigate this risk,” Imperva head of data research Itsik Mantin said in a statement.