Contributor: Mark Anthony Balanza
As a successful business sector, the automobile industry is an attractive target for cybercrime. The automobile industry is composed of a multitude of businesses ranging from manufacturers and sellers to garages offering maintenance and repair. Earlier this month, we observed a spam campaign that targeted several small to medium sized companies within the automobile industry in Europe with Infostealer.Retgate (also known as Carbon Grabber).
The Carbon Grabber crimeware kit first appeared on underground forums earlier this year. Crimeware kits are not new and since the Zeus (Trojan.Zbot) malware’s notoriety, have grown in popularity among novices to gain entry into the cybercrime world.
Figure 1.Forum advert for Carbon Grabber
Symantec first observed the Carbon Grabber campaign on August 3 and over the first two days we identified most of the victims as being rental, insurance, commercial transport, and secondary market businesses for commercial and agricultural vehicles. A small number of other business sectors have also been reported as being victims of this crimeware campaign.
Figure 2. Sectors and countries affected by Carbon Grabber campaign
Targeted businesses are sent a malicious email claiming to be from a German company called Technik Automobile GMBH, which does not appear to exist. The email offers to purchase used and pre-owned cars from the company and refers to a list of urgently required vehicles that is attached to the email. The attachment, TechnikAutomobileGMBH.pdf.zip, is malicious and once executed installs the Carbon Grabber (Infostealer.Retgate) malware.
Figure 3. Email with malicious attachment used in this Carbon Grabber campaign
The malicious file will decrypt another executable from its body and inject code into Microsoft Outlook, Internet Explorer, Google Chrome, and Mozilla Firefox processes on the compromised computer. The malware hooks the browser APIs, allowing it to steal information before it is encrypted and sent out to the network. Stolen information may include the user name and password for Outlook and information entered by the user when using a website to log into services such as online banking or internal Web applications for example. The stolen information is then sent to the command-and-control server.
Figure 4. How the Carbon Grabber malware functions
Interestingly, the malicious emails have mostly been sent to the customer service departments of the targeted companies. Customer service departments are often granted a great deal of access within a company as they are required to perform a multitude of administrative and financial tasks on a daily basis.
The Carbon Grabber crimeware kit is known to be used in the wild and by more than one group. It is yet to be confirmed if the criminals behind the Technik Automobile spam campaign are purely financially motivated. One thing we know for sure is that if the attack is successful, the cybercriminals will have a foothold in the victim’s business. They would have the capability to send emails from the compromised Outlook account and to monitor for credentials entered into browsers. Symantec is continuing to monitor this crimeware as further activity may follow.
Symantec has the following detections in place to protect against this threat:
System Infected: Infostealer.Retgate Activity
Symantec recommends users to keep their security solutions up-to-date and to exercise caution when opening attachments found in unsolicited emails. Symantec customers that use the Symantec.Cloud service are protected from spam messages used to deliver malware. For the best possible protection, Symantec customers should also ensure they use the latest Symantec technologies incorporated into our consumer and enterprise solutions.