Authored by malvuln | Site malvuln.com

Backdoor.Win32 Carbanak (Anunak) malware creates 8 named pipes used for C2 and interprocess communications and grants RW access to the Everyone user group.

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024
Original source: https://malvuln.com/advisory/b8e1e5b832e5947f41fd6ae6ef6d09a1.txt
Contact: [email protected]
Media: twitter.com/malvuln

Threat: Backdoor.Win32 Carbanak (Anunak)
Vulnerability: Named Pipe Null DACL
Family: Carbanak
Type: PE32
MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1
Vuln ID: MVID-2024-0667
Dropped files: AlhEXlUJ.exe, AlhEXlUJbVpfX1EMVw.bin
Disclosure: 01/09/2024

Description: Carbanak malware creates 8 named pipes used for C2 and interprocess communications and grants RW access to the Everyone user group.
Low-privileged users can modify the pipes' DACLs, removing the rights granted to Everyone and thereby denying access to all users. The first 6 pipes are created by its parent process
and the last 2 by the child process. The pipe names are randomly generated each time it is run, all except for one: JFNfVUYDXmlZQVI.

Therefore, Carbanak can be detected by that one pipe, as the "JFNfVUYDXmlZQVI" pipe is always created regardless of the other randomly named pipes.
When Carbanak's named pipes are listed they appear grouped together, as they are created at the same time, with 2 of them listed before the JFNfVUYDXmlZQVI pipe.

Carbanak creates a directory named "Mozilla" under ProgramData with hidden files, one of which is AlhEXlUJ.exe, used by the service it creates,
which runs as SYSTEM. The service names the malware creates appear to reuse an already existing service name with "Sys" appended to it.

Exploitation steps: list all named pipes and look for "JFNfVUYDXmlZQVI"; if it is present, modify the DACL on the 2 pipes listed before it and the 5 pipes listed after it.

Successfully tested in VM environment.

Carbanak IPC Named Pipes:

\\.\Pipe\cltjLnYRKKjUESTvgGdmERTb
RW Everyone
\\.\Pipe\tGYNSgZvVXwumEhdcF
RW Everyone
\\.\Pipe\JFNfVUYDXmlZQVI <===== ALWAYS CREATED
RW Everyone
\\.\Pipe\PoUXbOHFRuUZAufnlpMZoqdtIfOX
RW Everyone
\\.\Pipe\oBcVHguxbnjGbSgkJptifqvNFgD
RW Everyone
\\.\Pipe\iDToHxpSCbEIEHPBeQ
RW Everyone
\\.\Pipe\YutsGUYwwUusszByeuXUQK
RW Everyone
\\.\Pipe\UfnQmAUTVtEkYvMoUWAZekAuWZHe
RW Everyone

Exploit/PoC:
#include "windows.h"
#include "accctrl.h"
#include "aclapi.h"
#include "stdio.h"
#include <stdlib.h>
#include <string.h>

/*
Carbanak: 48d208b87b29d50bb160f336c94b681e232b0f90e8c02175e593d60737369c13
DACL IPC named pipes created and grants RW access for Everyone.
Carbanak can be identified because, of the eight pipes it creates with random names, the pipe
named JFNfVUYDXmlZQVI is always created. The pipes are typically grouped, as they are created
at the same time: typically 2 precede pipe JFNfVUYDXmlZQVI and the others are created after it.
List the named pipes, find JFNfVUYDXmlZQVI, and modify the DACL on the 2 before it and the 5 after it.
Successfully tested in VM environment.
By Malvuln
**/

/** DISCLAIMER:
Author is NOT responsible for any damages whatsoever by using this software or improper malware
handling. By using this code you assume and accept all risk implied or otherwise.
**/

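/* The one pipe name Carbanak creates on every run; the other seven are random per run. */
#define CARBANAK_PIPE "JFNfVUYDXmlZQVI"
/* Upper bound on the number of pipe names kept from the listing. */
#define MAX_TOKENS 1024
/* "dir /b" prints one pipe name per line; fopen() in text mode on Windows maps CRLF to a
 * single '\n', so the listing is split on newlines (the literal "n" was an escaping bug). */
#define DELIMITER "\n"

int str2Array(char*** argv, char *str);
int Exploit(char *carbanak_pipe);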

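/*
 * Split the DELIMITER-separated pipe listing in `str` into an array of tokens.
 *
 * On success *argv receives a malloc'ed array of at most MAX_TOKENS pointers into a
 * private copy of `str` (the copy is deliberately kept alive for the program's
 * lifetime, as the original did) and the token count is returned. An input with no
 * tokens yields 0 with a valid, empty *argv. On allocation failure -1 is returned
 * and *argv is NULL. `str` itself is never modified.
 */
int str2Array(char*** argv, char *str){
    *argv = NULL;

    /* +1: strlen() does not count the terminator that strcpy() writes. */
    char *buffer = malloc(strlen(str) + 1);
    if (buffer == NULL) {
        return -1;
    }
    strcpy(buffer, str);

    char **tokens = calloc(MAX_TOKENS, sizeof *tokens);
    if (tokens == NULL) {
        free(buffer);
        return -1;
    }

    int argc = 0;
    /* The bound is checked before each store, so tokens[MAX_TOKENS] is never written. */
    for (char *tok = strtok(buffer, DELIMITER);
         tok != NULL && argc < MAX_TOKENS;
         tok = strtok(NULL, DELIMITER)) {
        tokens[argc++] = tok;
    }

    if (argc == 0) {
        /* Nothing points into the copy, so it can be released. */
        free(buffer);
    }

    *argv = tokens;
    return argc;
}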

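/*
 * Entry point: list the local named-pipe namespace, look for the one pipe name
 * Carbanak always creates and, if it is present, put a deny-all ACE for Everyone
 * on that pipe and on its neighbours in the listing (2 before it, 5 after it).
 *
 * Returns 0 after a completed scan (pipe found or not), 1 when the listing could
 * not be produced, read or tokenized.
 */
int main(void){

    /* "dir /b \\.\pipe\" prints one pipe name per line. The listing still goes through
     * cmd.exe and a temp file as in the original; enumerating "\\.\pipe\*" with
     * FindFirstFileA would avoid both, but the matching below only needs the lines. */
    if (system("dir /b \\\\.\\pipe\\ > tmp.sys") != 0) {
        printf("[!] Unable to list named pipes.\n");
        return 1;
    }

    FILE *fp = fopen("tmp.sys", "r");
    if (fp == NULL) {
        printf("[!] Unable to open tmp.sys\n");
        return 1;
    }

    /* Size the buffer from the file length; text-mode CRLF translation can only
     * make the read shorter, never longer. */
    long file_len = -1;
    if (fseek(fp, 0, SEEK_END) == 0) {
        file_len = ftell(fp);
    }
    if (file_len < 0) {
        printf("[!] Unable to size tmp.sys\n");
        fclose(fp);
        return 1;
    }
    rewind(fp);

    char *listing = malloc((size_t)file_len + 1);
    if (listing == NULL) {
        printf("[!] Out of memory\n");
        fclose(fp);
        return 1;
    }
    size_t got = fread(listing, 1, (size_t)file_len, fp);
    listing[got] = '\0';   /* always terminated, even on a short read */
    fclose(fp);
    remove("tmp.sys");     /* do not leave the listing behind in the working directory */

    char **A = NULL;
    int result = str2Array(&A, listing);
    /* str2Array tokenizes its own copy of the text, so the listing can go now. */
    free(listing);
    if (result < 0) {
        printf("[!] Out of memory\n");
        return 1;
    }

    const DWORD delay = 300;   /* ms pause between pipes, as in the original */
    int rc = 1;                /* stays nonzero unless every DACL change succeeded */
    BOOL infected = FALSE;

    /* Creation-order neighbours of the constant pipe: itself, 2 listed before it, 5 after. */
    static const int neighbours[] = { 0, -2, -1, 1, 2, 3, 4, 5 };
    const size_t neighbour_count = sizeof neighbours / sizeof neighbours[0];

    for (int i = 0; i < result; i++) {
        if (strcmp(A[i], CARBANAK_PIPE) != 0) {
            continue;
        }
        printf("[+] Carbanak (Anunak) malware IPC exploit\n");
        printf("[!] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n");
        printf("[!] Named Pipe %s detected!\n", CARBANAK_PIPE);
        printf("[+] Attack started...\n\n");

        infected = TRUE;
        rc = 0;
        for (size_t k = 0; k < neighbour_count; k++) {
            int j = i + neighbours[k];
            /* The listing may be shorter than expected; never index outside A[]. */
            if (j < 0 || j >= result) {
                continue;
            }
            if (Exploit(A[j]) != 0) {
                rc = 1;
            }
            Sleep(delay);
        }
        break;   /* stop after the first match; its neighbours were handled above */
    }
    free(A);

    if (!infected) {
        printf("[+] Carbanak (Anunak) malware IPC Exploit \n");
        printf("[+] MD5: b8e1e5b832e5947f41fd6ae6ef6d09a1\n");
        printf("[!] Named Pipe %s not found on the system.\n", CARBANAK_PIPE);
        printf("[!] Aborting...");
    }
    if (rc == 0) {
        printf("\n[!] Done!");
    }
    printf("\n[+] By Malvuln circa 2024\n\n");
    system("pause");

    return 0;
}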


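/*
 * Put a deny-all ACE for the Everyone group on the named pipe `malpipe`
 * (a bare pipe name without the "\\.\pipe\" prefix).
 *
 * Opens the pipe with WRITE_DAC, reads its current DACL, merges a DENY_ACCESS /
 * GENERIC_ALL entry for Everyone in front of it and writes the result back.
 * Returns 0 on success and 1 on any failure (name too long, open, read or write
 * of the security information). Every handle and buffer acquired on the way is
 * released on all paths.
 */
int Exploit(char *malpipe){

    /* Full NT path of the pipe; bounded so an over-long token from the directory
     * listing cannot overflow the buffer (269 as in the original). */
    char malpipe_path[269];
    int written = snprintf(malpipe_path, sizeof malpipe_path, "\\\\.\\pipe\\%s", malpipe);
    if (written < 0 || (size_t)written >= sizeof malpipe_path) {
        printf("[!] Pipe name too long: %s\n", malpipe);
        return 1;
    }

    int rc = 1;
    DWORD err = ERROR_SUCCESS;
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pOldDACL = NULL;
    PACL pNewDACL = NULL;

    /* WRITE_DAC is the right needed to replace the DACL; the advisory reports the
     * pipes are created with a DACL that lets any user obtain it. */
    HANDLE hPipe = CreateFileA(malpipe_path, GENERIC_WRITE | WRITE_DAC, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (hPipe == INVALID_HANDLE_VALUE) {
        err = GetLastError();
        if (err == ERROR_ACCESS_DENIED) {
            printf("[!] Access Denied for pipe: %s\n", malpipe);
        } else {
            printf("[!] Error opening pipe %s: %lu\n", malpipe, (unsigned long)err);
        }
        return 1;
    }

    /* The DACL pointer refers into the descriptor returned in pSD, so the descriptor
     * is what gets freed at the end -- not pOldDACL itself. The security functions
     * return the error code directly; GetLastError() is not reliable after them. */
    err = GetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                          NULL, NULL, &pOldDACL, NULL, &pSD);
    if (err != ERROR_SUCCESS) {
        printf("[!] Error: %lu\n", (unsigned long)err);
        goto cleanup;
    }

    TRUSTEE trustee;
    ZeroMemory(&trustee, sizeof trustee);
    trustee.TrusteeForm = TRUSTEE_IS_NAME;
    trustee.TrusteeType = TRUSTEE_IS_GROUP;
    trustee.ptstrName = TEXT("Everyone");
    trustee.MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
    trustee.pMultipleTrustee = NULL;

    /* Deny-all entry for Everyone; SetEntriesInAcl merges it ahead of the existing ACEs. */
    EXPLICIT_ACCESS ea;
    ZeroMemory(&ea, sizeof ea);
    ea.grfAccessMode = DENY_ACCESS;
    ea.grfAccessPermissions = GENERIC_ALL;
    ea.grfInheritance = NO_INHERITANCE;
    ea.Trustee = trustee;

    err = SetEntriesInAcl(1, &ea, pOldDACL, &pNewDACL);
    if (err != ERROR_SUCCESS) {
        printf("[!] Error: %lu\n", (unsigned long)err);
        goto cleanup;
    }

    err = SetSecurityInfo(hPipe, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION,
                          NULL, NULL, pNewDACL, NULL);
    if (err != ERROR_SUCCESS) {
        printf("[!] Error: %lu\n", (unsigned long)err);
        goto cleanup;
    }

    printf("[+] Modifying IPC Pipe DACL ==> %s\n", malpipe_path);
    rc = 0;

cleanup:
    /* LocalFree(NULL) is a no-op, so the untaken paths are safe here. */
    LocalFree(pNewDACL);
    LocalFree(pSD);
    CloseHandle(hPipe);
    return rc;
}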

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).