9. Anunak
• Spawns into a new svchost.exe process
• Gathers information about the system
• Anti-reversing, terminates specific AVs
• Privilege escalation
• Enables RDP
• POS malware functions
• Local password stealer
• Harvests Outlook PST files
• Targets the iFobs banking application
• Backdoor commands (downloads and executes additional malware)
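Two of the behaviours listed above leave host artefacts that are easy to hunt for: a payload that "spawns into" svchost.exe produces a svchost.exe whose image path or parent process is not what Windows itself would produce, and enabling RDP flips the fDenyTSConnections value under the Terminal Server key to 0. The script below is an added example written for this page, not code from the presentation or from the Anunak analysis; the events are constructed Sysmon-style records (Event ID 1 process creation, Event ID 13 registry value set), and the allowlist of expected svchost.exe parents is an assumption that should be tuned per environment.

```python
"""Hunt for Anunak-style host artefacts in Sysmon-like events (added example)."""
import ntpath
import re

# Constructed sample telemetry, not real logs. Field names mirror Sysmon
# Event ID 1 (process create) and Event ID 13 (registry value set).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},                      # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\clerk\AppData\Local\Temp\invoice.exe",
     "CommandLine": "svchost.exe"},                                 # dropper spawning svchost
    {"EventID": 1, "Image": r"C:\Users\clerk\AppData\Roaming\svchost.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "svchost.exe"},                                 # name masquerade
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},                              # RDP switched on
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Domain",
     "Details": "corp.example"},                                    # unrelated write
]

# Directories from which a genuine svchost.exe is loaded.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumption: services.exe is the only parent we expect for svchost.exe.
# Some environments will need additions here; treat it as a tunable allowlist.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}


def _split(path):
    """Return (directory, filename) of a Windows path, both lower-cased."""
    directory, name = ntpath.split(path)
    return directory.lower(), name.lower()


def svchost_anomaly(event):
    """Flag svchost.exe launched from a non-system path or an unexpected parent."""
    if event.get("EventID") != 1:
        return None
    image_dir, image_name = _split(event["Image"])
    if image_name != "svchost.exe":
        return None
    _, parent_name = _split(event["ParentImage"])
    if image_dir not in SYSTEM_DIRS:
        return "svchost.exe outside a system directory: %s" % event["Image"]
    if parent_name not in EXPECTED_SVCHOST_PARENTS:
        return "svchost.exe with unexpected parent: %s" % parent_name
    return None


def rdp_enabled(event):
    """Flag a registry write that sets fDenyTSConnections to 0 (RDP enabled)."""
    if event.get("EventID") != 13:
        return None
    key = event["TargetObject"].lower()
    if not key.endswith(r"\terminal server\fdenytsconnections"):
        return None
    match = re.search(r"0x([0-9a-f]+)", event["Details"], re.IGNORECASE)
    if match and int(match.group(1), 16) == 0:
        return "RDP enabled (fDenyTSConnections=0) by %s" % event["Image"]
    return None


RULES = (svchost_anomaly, rdp_enabled)


def hunt(events):
    """Run every rule over every event; return (event index, rule name, message) hits."""
    alerts = []
    for index, event in enumerate(events):
        for rule in RULES:
            message = rule(event)
            if message:
                alerts.append((index, rule.__name__, message))
    return alerts


if __name__ == "__main__":
    for index, rule_name, message in hunt(SAMPLE_EVENTS):
        print("event %d [%s]: %s" % (index, rule_name, message))
```

Run against the constructed sample, the benign svchost.exe and the unrelated registry write produce nothing, while the svchost.exe spawned by a Temp-directory executable, the svchost.exe living under AppData, and the fDenyTSConnections write to 0 each raise one alert. In a real deployment the parent allowlist is the part most likely to need adjustment, so keep it as data rather than burying it in the rule.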
13. Conclusions
• Victims:
  • Weak detection controls
  • Missing or poor readiness for security incidents
  • Low to zero AV detection rates
  • Reluctant to cooperate with authorities
• Features of the operation indicating organized crime activity:
  • Targeted social engineering
  • Several malware families used
  • Attack methods such as pass-the-hash
  • Purchase of certificates
  • Multiple hosts used, mainly in Europe
  • Use of public cloud services (Google Docs and Pastebin)
  • Investigation of the malware and its activities gives the impression that distinct parties are involved
  • Underground cooperation or trading