Similarities between the Darkhotel and Carbanak attack data sets have been detected while defining the malicious "language" of DNS traffic.
According to research by OpenDNS and Fox-IT, the “update-java[.]net” domain was used for command-and-control in both the Anunak and Carbanak attack campaigns. OpenDNS Security Labs builds predictive models by mining its DNS data infrastructure for data about attacks to uncover patterns within, in order to track adversarial groups and block domains related to their activities.
Jeremiah O’Connor, natural language processing expert at OpenDNS, said: “Looking at the data related to these attacks, we found that the domains in this particular Carbanak data set exhibited similar patterns to domains associated with Dark Hotel and other APT data sets.
“When comparing the Anunak attack domains to the Darkhotel data set and other APT domains, we observed that they were constructed in a similar lexical fashion.”
Both the Carbanak and Darkhotel campaigns were detected by Kaspersky Lab. In the Carbanak campaign, spotted in February, a criminal gang attacked up to 100 banks, e-payment systems and other financial institutions in around 30 countries, stealing up to $10 million in each raid. In the Darkhotel case, the attack focused on a hotel’s WiFi network, where the attacker tricked a mark, usually a C-level executive, into downloading a backdoor masquerading as legitimate software, infecting the device with the “Darkhotel” spying software.
In an email sent to IT Security Guru, Kaspersky Lab dismissed any link between the two groups, saying it “didn’t discover anything that led us to believe that the same groups were behind the two campaigns”. OpenDNS also confirmed this, saying that there was no suggestion that the same group was responsible for the two APT campaigns.
However, O’Connor told IT Security Guru that the update-java[.]net domain was used for command-and-control in both the Anunak and Carbanak attack campaigns. “The attackers were using the domain to disguise their command-and-control traffic, but not as a malware delivery mechanism,” he said.
“When conducting our investigations with OpenDNS Investigate, we found that there are multiple examples of suspicious looking domains advertising ‘java updates’.”
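A simple lexical screen over DNS query logs for update-themed lure domains of the kind O’Connor describes, added here as an illustration rather than OpenDNS’s model or code; the log lines, token vocabularies, allowlist and scoring weights are constructed assumptions.

```python
import re

# Constructed sample DNS query log: timestamp, client IP, queried name (not from the article).
SAMPLE_LOG = """\
2015-03-10T09:12:01Z 10.0.0.15 update-java.net
2015-03-10T09:12:05Z 10.0.0.15 www.java.com
2015-03-10T09:13:44Z 10.0.0.22 java-update-center.org
2015-03-10T09:14:02Z 10.0.0.22 mail.example.com
2015-03-10T09:15:30Z 10.0.0.31 javaupdates-download.info
2015-03-10T09:16:10Z 10.0.0.31 static.example-cdn.net
"""

# Vocabulary an update-themed lure domain tends to combine (assumed, illustrative).
BRAND_TOKENS = {"java", "jre", "jdk"}
UPDATE_TOKENS = {"update", "updates", "upgrade", "patch", "download", "installer"}
# Assumed allowlist of vendor-owned registered domains; a real deployment would curate this.
ALLOWLIST = {"java.com", "oracle.com"}

def registered_domain(fqdn):
    """Naive registered-domain extraction: last two labels (ignores public-suffix rules)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def tokenize(label):
    """Split a DNS label on hyphens/digits and also pull out glued vocabulary (e.g. 'javaupdates')."""
    parts = [p for p in re.split(r"[-\d]+", label) if p]
    tokens = set(parts)
    for p in parts:
        tokens.update(t for t in BRAND_TOKENS | UPDATE_TOKENS if t in p)
    return tokens

def score_domain(fqdn):
    """Return (score, reasons); 0 means no lexical lure indicators or a vendor-owned domain."""
    reg = registered_domain(fqdn)
    if reg in ALLOWLIST:
        return 0, ["vendor-owned"]
    tokens = tokenize(reg.split(".")[0])
    brand, upd = tokens & BRAND_TOKENS, tokens & UPDATE_TOKENS
    score, reasons = 0, []
    if brand:
        score += 1; reasons.append("brand:" + ",".join(sorted(brand)))
    if upd:
        score += 1; reasons.append("update-lure:" + ",".join(sorted(upd)))
    if brand and upd:
        score += 2; reasons.append("brand+update combination")  # the update-java[.]net pattern
    if "-" in reg.split(".")[0]:
        score += 1; reasons.append("hyphenated label")
    return score, reasons

def flag_queries(log_text, threshold=3):
    """Return (client, registered domain, score, reasons) for queries at or above the threshold."""
    hits = []
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        score, reasons = score_domain(qname)
        if score >= threshold:
            hits.append((client, registered_domain(qname), score, reasons))
    return hits
```

Lexical scoring alone produces false positives (e.g. a legitimate "javascript-tools" domain picks up the brand token), so in practice such a score is one feature fed into a model alongside registration age, resolver co-occurrence and client spread, not a blocking rule by itself.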