Carbanak has previously targeted hospitality organisations including retailers, merchant services, and suppliers. This time, however, it is attempting to infiltrate chain restaurants through a backdoor into their Windows systems, enabling the group to take screenshots, steal passwords, execute commands, and more.
The attachment claims the document is encrypted and protected by 'Outlook Protect Service' or 'Google Documents Protect Service' depending on the email address sending the message. In both cases, names of authentic antivirus companies appear on the JScript document dropper in order to lure the victim into a false sense of security.
If the user is tricked into enabling editing of the document, the document retrieves the malicious payload through a series of scheduled tasks, in an attempt to avoid detection.
Researchers describe the JScript as having "robust capabilities" including anti-sandbox functionality and anti-analysis obfuscation. It's also capable of retrieving infected system information, listing running processes, executing custom commands and PowerShell scripts, uninstalling and updating itself, and taking screenshots.
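As a defender-side illustration of the chain described above (macro-laden document, scheduled task, JScript backdoor, PowerShell), here is an added example that is not code from Proofpoint or the report: a small Python classifier run over constructed process-creation events. The event fields, process names and sample command lines are assumptions for illustration, not indicators from the campaign.

```python
# Added example, not from the original article: flag process-creation events
# that match the reported chain -- an Office process creating a scheduled task,
# a scheduled task that launches a script host, and a script host spawning PowerShell.
from dataclasses import dataclass

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


@dataclass
class Event:
    parent: str   # parent process image name (assumed telemetry field)
    image: str    # created process image name
    cmdline: str  # full command line of the created process


# Constructed sample telemetry (hypothetical paths and task names, not real IoCs).
SAMPLE_EVENTS = [
    Event("explorer.exe", "winword.exe", "WINWORD.EXE invoice.doc"),
    Event("winword.exe", "schtasks.exe",
          'schtasks /create /sc minute /tn Updater /tr "wscript C:\\Users\\Public\\x.js"'),
    Event("wscript.exe", "powershell.exe", "powershell -nop -w hidden -enc AAAA"),
    Event("explorer.exe", "schtasks.exe", "schtasks /query"),
    Event("services.exe", "svchost.exe", "svchost -k netsvcs"),
]


def classify(ev: Event):
    """Return a rule name if the event matches one stage of the chain, else None."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    if parent in OFFICE and image == "schtasks.exe" and "/create" in cmd:
        return "office_schtasks_create"          # document persisting via a task
    if image == "schtasks.exe" and "/create" in cmd and ("wscript" in cmd or "cscript" in cmd):
        return "schtasks_runs_script_host"       # task action is a JScript host
    if parent in OFFICE and image in SCRIPT_HOSTS:
        return "office_script_host"              # document launching the dropper directly
    if parent in SCRIPT_HOSTS and image == "powershell.exe":
        return "script_host_powershell"          # backdoor executing PowerShell
    return None


def detect(events):
    """Return (index, rule) pairs for every event that triggers a rule."""
    hits = []
    for i, ev in enumerate(events):
        rule = classify(ev)
        if rule:
            hits.append((i, rule))
    return hits
```

The first matching rule wins, so an Office-spawned task creation is reported under the more specific `office_schtasks_create` label even when its action is also a script host.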
In theory, Bateleur can also exfiltrate passwords, although this particular instruction requires an additional module from the command-and-control server in order to work. Currently, the malware lacks some of the features required to do this, and does not have backup servers, but researchers expect these to be added in the near future -- especially given the persistent nature of the attackers.
Proofpoint have identified Carbanak as the perpetrators of this campaign with "a high degree of certainty" due to some telltale signs.
Secondly, a Meterpreter in-memory DLL injection downloader script called TinyMet has been spotted being downloaded by Bateleur, and subsequently been used repeatedly by the group.
Researchers also note that the PowerShell password grabber utilised by Bateleur contains a dynamic-link library identical to the one found embedded in GGLDR samples.
"The Bateleur JScript backdoor and new macro-laden documents appear to be the latest in the group's expanding toolset, providing new means of infection, additional ways of hiding their activity, and growing capabilities for stealing information and executing commands directly on victim machines," Proofpoint researchers Matthew Mesa and Darien Huss said in a blog post.