threatpost[.]com/carbanak-attackers-devise-clever-new-persistence-trick/125457/
"Carbanak Attackers Devise Clever New Persistence Trick"
To infect you with malware, the bad guys have two main tasks: getting the malware onto your system (for example via malicious emails) and, once it is there, staying there undetected. This method of sticking around after infection started as a theory proposed at security conferences and has now moved to real-life use; over time it may become much more widespread.
Hackers behind the Carbanak criminal gang have devised a clever way to gain persistence on targeted systems to more effectively pull off financially motivated crimes. The technique involves creating a bogus instance of a Microsoft Windows app compatibility feature.

On Wednesday, Mandiant, FireEye’s incident response team, posted a technical description of the technique, which it first observed earlier this year. More specifically, researchers say the Carbanak group (also known as FIN7) leverages what are called shim databases. According to Mandiant, shim databases are part of Microsoft’s Windows Application Compatibility Infrastructure.
The database description used for the shim database registration is conveniently and covertly named “Microsoft KB2832077” – as in a Knowledge Base patch.
Mitigation, Mandiant said, includes monitoring for new shim database files created in directories “C:\Windows\AppPatch\Custom” and “C:\Windows\AppPatch\Custom\Custom64”. Researchers also recommend monitoring process execution events and command line arguments for malicious use of the “sdbinst.exe” utility.
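One way to turn Mandiant's two monitoring recommendations into a detection rule, as an added example that is not part of the article or of Mandiant's report: the script below scans Sysmon-style JSON-lines telemetry and flags (a) any process creation of sdbinst.exe, with its command line and parent, and (b) any .sdb file written into the two AppPatch\Custom directories named above. The event shape, file names, GUID and command lines are constructed for the example.

```python
import json
import ntpath

# Directories that Mandiant's guidance (quoted above) says to watch for new
# shim database files; compared case-insensitively because NTFS paths are.
SHIM_DIRS = {
    r"c:\windows\apppatch\custom",
    r"c:\windows\apppatch\custom\custom64",
}

# Constructed sample telemetry in a Sysmon-like JSON-lines shape. None of these
# events, paths, GUIDs or command lines come from the article or from Mandiant.
SAMPLE_LOG = r"""
{"event": "process_create", "image": "C:\\Windows\\System32\\sdbinst.exe", "command_line": "sdbinst.exe -q C:\\Users\\Public\\update.sdb", "parent_image": "C:\\Windows\\System32\\cmd.exe"}
{"event": "file_create", "image": "C:\\Windows\\System32\\sdbinst.exe", "target": "C:\\Windows\\AppPatch\\Custom\\{11111111-2222-3333-4444-555555555555}.sdb"}
{"event": "process_create", "image": "C:\\Program Files\\Browser\\browser.exe", "command_line": "browser.exe", "parent_image": "C:\\Windows\\explorer.exe"}
{"event": "file_create", "image": "C:\\Windows\\System32\\svchost.exe", "target": "C:\\Windows\\Temp\\session.log"}
{"event": "file_create", "image": "C:\\Windows\\System32\\sdbinst.exe", "target": "C:\\Windows\\AppPatch\\Custom\\Custom64\\{11111111-2222-3333-4444-555555555555}.sdb"}
"""


def _is_new_shim_db(path: str) -> bool:
    """True when a written file is a .sdb inside one of the watched directories."""
    directory, name = ntpath.split(path)
    return directory.lower() in SHIM_DIRS and name.lower().endswith(".sdb")


def analyze(log_text: str) -> list:
    """Return one alert dict per matching event, in log order."""
    alerts = []
    for raw in log_text.strip().splitlines():
        ev = json.loads(raw)
        image_name = ntpath.basename(ev.get("image", "")).lower()

        # Rule 1: sdbinst.exe is the utility that registers a shim database;
        # record who launched it and with what arguments for triage.
        if ev["event"] == "process_create" and image_name == "sdbinst.exe":
            alerts.append({
                "rule": "sdbinst_execution",
                "command_line": ev["command_line"],
                "parent": ntpath.basename(ev["parent_image"]),
            })

        # Rule 2: a freshly written .sdb under AppPatch\Custom or Custom64 is
        # the on-disk artefact of a newly installed shim database.
        elif ev["event"] == "file_create" and _is_new_shim_db(ev["target"]):
            alerts.append({
                "rule": "new_shim_database",
                "path": ev["target"],
                "writer": image_name,
            })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Legitimate installers also run sdbinst.exe and write to these directories, so in practice the first rule is best scored by parent process and command line (an interactive shell as parent is more suspicious than an installer) and both rules should be baselined against the environment before being escalated to high severity.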