Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

European automobile businesses fall prey to Carbon Grabber

Cybercriminals target automotive companies in the UK, the Netherlands, Germany, and Italy with Infostealer.Retgate.
Created: 22 Aug 2014 10:17:15 GMT • Updated: 26 Aug 2014 10:16:03 GMT
Lionel Payet's picture
+2 2 Votes
Login to vote

automobile-sector-concept.png

Contributor: Mark Anthony Balanza

As a successful business sector, the automobile industry is an attractive target for cybercrime. The automobile industry is composed of a multitude of businesses ranging from manufacturers and sellers to garages offering maintenance and repair. Earlier this month, we observed a spam campaign that targeted several small to medium sized companies within the automobile industry in Europe with Infostealer.Retgate (also known as Carbon Grabber).

The Carbon Grabber crimeware kit first appeared on underground forums earlier this year. Crimeware kits are not new and since the Zeus (Trojan.Zbot) malware’s notoriety, have grown in popularity among novices to gain entry into the cybercrime world.

Fig1_16.png

Figure 1.Forum advert for Carbon Grabber

Symantec first observed the Carbon Grabber campaign on August 3 and over the first two days we identified most of the victims as being rental, insurance, commercial transport, and secondary market businesses for commercial and agricultural vehicles. A small number of other business sectors have also been reported as being victims of this crimeware campaign.

Fig2_11.png

Figure 2. Sectors and countries affected by Carbon Grabber campaign

Targeted businesses are sent a malicious email claiming to be from a German company called Technik Automobile GMBH, which does not appear to exist. The email offers to purchase used and pre-owned cars from the company and refers to a list of urgently required vehicles that is attached to the email. The attachment, TechnikAutomobileGMBH.pdf.zip, is malicious and once executed installs the Carbon Grabber (Infostealer.Retgate) malware.

Fig3_8.png

Figure 3. Email with malicious attachment used in this Carbon Grabber campaign

The malicious file will decrypt another executable from its body and inject code into Microsoft Outlook, Internet Explorer, Google Chrome, and Mozilla Firefox processes on the compromised computer. The malware hooks the browser APIs, allowing it to steal information before it is encrypted and sent out to the network. Stolen information may include the user name and password for Outlook and information entered by the user when using a website to log into services such as online banking or internal Web applications for example. The stolen information is then sent to the command-and-control server.

Fig4_8.png

Figure 4. How the Carbon Grabber malware functions

Interestingly, the malicious emails have mostly been sent to the customer service departments of the targeted companies. Customer service departments are often granted a great deal of access within a company as they are required to perform a multitude of administrative and financial tasks on a daily basis.

The Carbon Grabber crimeware kit is known to be used in the wild and by more than one group. It is yet to be confirmed if the criminals behind the Technik Automobile spam campaign are purely financially motivated. One thing we know for sure is that if the attack is successful, the cybercriminals will have a foothold in the victim’s business. They would have the capability to send emails from the compromised Outlook account and to monitor for credentials entered into browsers. Symantec is continuing to monitor this crimeware as further activity may follow. 

Protection
Symantec has the following detections in place to protect against this threat:

AV

IPS

System Infected: Infostealer.Retgate Activity

Symantec recommends users to keep their security solutions up-to-date and to exercise caution when opening attachments found in unsolicited emails. Symantec customers that use the Symantec.Cloud service are protected from spam messages used to deliver malware. For the best possible protection, Symantec customers should also ensure they use the latest Symantec technologies incorporated into our consumer and enterprise solutions.