Backdoor.Win32 Carbanak (Anunak) / Named Pipe Null DACL


Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/b8e1e5b832e5947f41fd6ae6ef6d09a1.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32 Carbanak (Anunak)
Vulnerability: Named Pipe Null DACL
Family: Carbanak
Type: PE32
MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1
Vuln ID: MVID-2024-0667
Dropped files: AlhEXlUJ.exe, AlhEXlUJbVpfX1EMVw.bin

Disclosure: 01/09/2024

Description: Carbanak malware creates 8 named pipes used for C2 and interprocess communication and grants RW access to the Everyone group. Low privileged users can therefore modify the pipes' DACLs, removing the rights granted to Everyone and denying access to all users. The first 6 pipes are created by the parent process and the last 2 by the child process. The pipe names are randomly generated each time the malware runs, with one exception: JFNfVUYDXmlZQVI. Carbanak can therefore be detected by that single pipe, as the "JFNfVUYDXmlZQVI" pipe is always created regardless of the other randomly named pipes. When Carbanak's named pipes are listed they appear grouped together, since they are created at the same time, with 2 of them listed before the JFNfVUYDXmlZQVI pipe.

Carbanak creates a directory named "Mozilla" under ProgramData containing hidden files, one of which is AlhEXlUJ.exe, used by the service it creates, which runs as SYSTEM. The service names the malware creates appear to reuse an existing service name with "Sys" appended.

Exploitation steps: output all named pipes and look for "JFNfVUYDXmlZQVI"; if it is present, exploit the DACL on the 2 pipes listed before it and the 5 pipes listed after it. Successfully tested in a VM environment.
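An added detection helper, not part of the Malvuln advisory, that applies the grouping described above: it looks for the constant pipe name in an ordered pipe listing and returns the 2 pipes before it and 5 after it as the suspected Carbanak pipe group. Enumeration via \\.\pipe\ only works on Windows; off Windows it falls back to a constructed sample listing whose random-looking pipe names are hypothetical.

```python
import os
import sys

# Pipe name the advisory reports as constant across Carbanak runs
CARBANAK_PIPE = "JFNfVUYDXmlZQVI"

# Per the advisory, the 8 pipes appear as one contiguous group in a
# listing: 2 randomly named pipes before the constant one and 5 after it.
PIPES_BEFORE = 2
PIPES_AFTER = 5


def find_carbanak_cluster(pipe_names):
    """Return the suspected Carbanak pipe group from an ordered listing.

    Returns an empty list when the constant pipe is absent. The window is
    clamped to the list bounds, so a listing that begins or ends near the
    indicator pipe does not raise.
    """
    names = list(pipe_names)
    try:
        idx = names.index(CARBANAK_PIPE)
    except ValueError:
        return []
    start = max(0, idx - PIPES_BEFORE)
    end = min(len(names), idx + PIPES_AFTER + 1)
    return names[start:end]


def list_named_pipes():
    """Enumerate live named pipes; only meaningful on Windows."""
    if not sys.platform.startswith("win"):
        return []
    return os.listdir(r"\\.\pipe\\")


# Constructed sample listing (hypothetical random pipe names around the
# indicator), used when not running on a Windows host.
SAMPLE_LISTING = [
    "lsass", "epmapper", "AbCdEf01", "XyZw9876", CARBANAK_PIPE,
    "Qq1234Zz", "Ww5678Yy", "Ee9012Xx", "Rr3456Vv", "Tt7890Uu", "spoolss",
]

if __name__ == "__main__":
    cluster = find_carbanak_cluster(list_named_pipes() or SAMPLE_LISTING)
    if cluster:
        print("Indicator pipe present; suspected Carbanak pipe group:")
        for name in cluster:
            print("  " + name)
    else:
        print("Indicator pipe not found.")
```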