
ECCENTRICBANDWAGON, VIVACIOUSGIFT, and FASTCASH Trojans

Three new HIDDEN COBRA tools, ECCENTRICBANDWAGON, VIVACIOUSGIFT and FASTCASH for Windows, have been observed in attacks in Western Europe and North America. The tools appear to serve a variety of purposes, including capturing financial information and acting as proxy servers.




Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Details of three new tools created by the HIDDEN COBRA advanced persistent threat group have been released. ECCENTRICBANDWAGON, VIVACIOUSGIFT and FASTCASH for Windows are believed to be used in highly targeted attacks against financial, engineering, government and non-governmental organisations.


Delivery

At the time of publication it is unclear exactly how any of the three trojans is delivered, although unconfirmed reports indicate they may be distributed via spear-phishing emails or dropped as secondary payloads by other HIDDEN COBRA tools.


ECCENTRICBANDWAGON

All ECCENTRICBANDWAGON variants consist of a primary DLL that, when executed, writes to three separate files: screenshots, system logs and keystroke logs. Some variants encrypt these files using RC4, whilst others include basic clean-up functionality that attempts to remove the log files once ECCENTRICBANDWAGON has finished, before terminating all explorer.exe processes.


VIVACIOUSGIFT

VIVACIOUSGIFT is a network proxy tool consisting of a single 32-bit EXE that contains a set of hard-coded, encoded strings. When executed, it decodes these strings to obtain source and proxy IP address/port combinations, then connects to a command and control server to receive a set of initialisation strings. If successful, it connects to the destination IP address and starts its proxy functionality.


FASTCASH for Windows

FASTCASH appears to be used primarily against financial organisations and banking payment systems. It consists of two executables: the first identifies and intercepts specific requests containing Primary Account Numbers (PANs) or ISO 8583 messages, and the second is injected into a running process and uses the intercepted requests to carry out man-in-the-middle attacks.
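The "identify" step of the first component comes down to recognising an ISO 8583 message on the wire and reading the PAN out of data element 2 so it can be compared against a list. The following added example, not code from the advisory or from FASTCASH, shows what that involves: a small parser for ASCII-encoded ISO 8583 with a hex primary bitmap, a builder used to construct sample traffic, and a matcher that reports request messages (MTI 0100 authorisation and 0200 financial) whose PAN is on a watch-list. The field subset, the messages and the watch-list are all constructed; the same parse is what a defender would wrap around a tap on the switch link to log which PANs are being carried, and the matcher masks PANs so the log itself does not become a cardholder-data store.

```python
"""Minimal ISO 8583 (ASCII, hex primary bitmap) parser with PAN matching.

Added example, not code from the NHS Digital advisory or from FASTCASH.
FIELD_SPEC is a small subset of the standard; SAMPLE_MESSAGES and
TARGET_PANS are constructed for the demonstration.
"""

# field number -> (encoding, fixed length or LLVAR maximum, description)
FIELD_SPEC = {
    2: ("llvar", 19, "PAN"),
    3: ("fixed", 6, "processing code"),
    4: ("fixed", 12, "amount"),
    11: ("fixed", 6, "STAN"),
    39: ("fixed", 2, "response code"),
    41: ("fixed", 8, "terminal id"),
    49: ("fixed", 3, "currency code"),
}
HEX = set("0123456789ABCDEFabcdef")


def build_iso8583(mti: str, fields: dict) -> bytes:
    """Serialise MTI + primary bitmap + data elements (fields 2..64 only)."""
    bits, body = 0, ""
    for num in sorted(fields):
        kind, length, _ = FIELD_SPEC[num]
        value = fields[num]
        if kind == "llvar":
            if len(value) > length:
                raise ValueError(f"field {num} too long")
            body += f"{len(value):02d}{value}"
        else:
            if len(value) != length:
                raise ValueError(f"field {num} must be {length} chars")
            body += value
        bits |= 1 << (64 - num)           # bit 1 is the most significant bit
    return (mti + f"{bits:016X}" + body).encode("ascii")


def parse_iso8583(raw: bytes) -> dict:
    """Parse one message; raises ValueError for anything that is not one."""
    text = raw.decode("ascii")            # UnicodeDecodeError is a ValueError
    if len(text) < 20 or not text[:4].isdigit():
        raise ValueError("bad MTI")
    bitmap = text[4:20]
    if not set(bitmap) <= HEX:
        raise ValueError("bad primary bitmap")
    bits = int(bitmap, 16)
    if bits >> 63 & 1:
        raise ValueError("secondary bitmap not supported in this example")
    pos, fields = 20, {}
    for num in range(2, 65):
        if not bits >> (64 - num) & 1:
            continue
        if num not in FIELD_SPEC:
            raise ValueError(f"field {num} present but not in spec")
        kind, length, _ = FIELD_SPEC[num]
        if kind == "llvar":               # two-digit length prefix, then the value
            ll = text[pos:pos + 2]
            if not ll.isdigit() or int(ll) > length:
                raise ValueError(f"bad length prefix for field {num}")
            length, pos = int(ll), pos + 2
        value = text[pos:pos + length]
        if len(value) != length:
            raise ValueError(f"truncated field {num}")
        fields[num], pos = value, pos + length
    if pos != len(text):
        raise ValueError("trailing data after last field")
    return {"mti": text[:4], "fields": fields}


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four digits; never write a full PAN to a log."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_targeted_requests(messages, watchlist) -> list:
    """Return (index, masked PAN, amount) for 0100/0200 requests carrying a watched PAN."""
    hits = []
    for idx, raw in enumerate(messages):
        try:
            msg = parse_iso8583(raw)
        except ValueError:
            continue                      # not ISO 8583: leave it alone
        if msg["mti"] not in ("0100", "0200"):
            continue                      # responses and other MTIs are ignored
        pan = msg["fields"].get(2)
        if pan in watchlist:
            hits.append((idx, mask_pan(pan), msg["fields"].get(4)))
    return hits


# Constructed traffic: a financial request, its response, an unrelated request, junk.
SAMPLE_MESSAGES = [
    build_iso8583("0200", {2: "4111111111111111", 3: "000000", 4: "000000012345",
                           11: "000123", 41: "TERM0001", 49: "826"}),
    build_iso8583("0210", {2: "4111111111111111", 39: "00"}),
    build_iso8583("0200", {2: "5500000000000004", 3: "010000", 4: "000000005000",
                           11: "000124", 41: "TERM0001", 49: "826"}),
    b"not an ISO 8583 message",
]
TARGET_PANS = {"4111111111111111"}        # assumption: the list an intercept is keyed on

if __name__ == "__main__":
    for hit in find_targeted_requests(SAMPLE_MESSAGES, TARGET_PANS):
        print(hit)
```

Real switch deployments vary (binary rather than hex bitmaps, EBCDIC, length-prefixed TCP framing, secondary bitmaps), so the parser is deliberately strict and rejects anything outside the subset it knows rather than guessing.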


Remediation advice

To prevent and detect an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.


Indicators of compromise

Host indicators

ECCENTRICBANDWAGON SHA256 hashes

  • 32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8
  • 9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e
  • c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec
  • efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e

VIVACIOUSGIFT SHA256 hashes

  • 70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38
  • 8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1
  • 9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852
  • a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118
  • aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83
  • f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de

FASTCASH SHA256 hashes

  • 129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0
  • 39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655
  • 5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b
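The hashes above are useful for a retrospective sweep of hosts that may have been exposed, bearing in mind that they match only the specific samples known at publication and that a recompiled or repacked variant will not hit. The following added example, not tooling from the advisory, walks a directory tree, streams each regular file through SHA256 and reports any file whose digest is one of the indicators listed above, for all three families in a single pass. The demo tree it builds and the planted test file are constructed; the indicator list is the one on this page.

```python
"""Sweep a directory tree for the SHA256 indicators listed above.

Added example, not tooling from the NHS Digital advisory. INDICATORS holds
the hashes from this page; the demo tree and its files are constructed.
"""
import hashlib
import os
import shutil
import sys
import tempfile
from pathlib import Path

INDICATORS = {
    # ECCENTRICBANDWAGON
    "32a4de070ca005d35a88503717157b0dc3f2e8da76ffd618fca6563aec9c81f8": "ECCENTRICBANDWAGON",
    "9ea5aa00e0a738b74066c61b1d35331170a9e0a84df1cc6cef58fd46a8ec5a2e": "ECCENTRICBANDWAGON",
    "c6930e298bba86c01d0fe2c8262c46b4fce97c6c5037a193904cfc634246fbec": "ECCENTRICBANDWAGON",
    "efd470cfa90b918e5d558e5c8c3821343af06eedfd484dfeb20c4605f9bdc30e": "ECCENTRICBANDWAGON",
    # VIVACIOUSGIFT
    "70b494b0a8fdf054926829dcb3235fc7bd0346b6a19faf2a57891c71043b3b38": "VIVACIOUSGIFT",
    "8cad61422d032119219f465331308c5a61e21c9a3a431b88e1f8b25129b7e2a1": "VIVACIOUSGIFT",
    "9a776b895e93926e2a758c09e341accb9333edc1243d216a5e53f47c6043c852": "VIVACIOUSGIFT",
    "a917c1cc198cf36c0f2f6c24652e5c2e94e28d963b128d54f00144d216b2d118": "VIVACIOUSGIFT",
    "aca598e2c619424077ef8043cb4284729045d296ce95414c83ed70985c892c83": "VIVACIOUSGIFT",
    "f3ca8f15ca582dd486bd78fd57c2f4d7b958163542561606bebd250c827022de": "VIVACIOUSGIFT",
    # FASTCASH for Windows
    "129b8825eaf61dcc2321aad7b84632233fa4bbc7e24bdf123b507157353930f0": "FASTCASH",
    "39cbad3b2aac6298537a85f0463453d54ab2660c913f4f35ba98fffeb0b15655": "FASTCASH",
    "5cb7a352535b447609849e20aec18c84d8b58e377d9c6365eafb45cdb7ef949b": "FASTCASH",
}


def sha256_of_file(path, chunk_size=1 << 20) -> str:
    """Stream the file through SHA256 so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, indicators=INDICATORS) -> list:
    """Return (path, sha256, family) for every regular file whose hash is an indicator."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink() or not path.is_file():
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue              # locked or unreadable: skip it, do not abort the sweep
            family = indicators.get(digest.lower())
            if family:
                hits.append((str(path), digest, family))
    return hits


def demo() -> dict:
    """Build a constructed tree and scan it with the real list and with a planted test hash."""
    tmp = tempfile.mkdtemp(prefix="ioc-sweep-")
    try:
        empty = Path(tmp) / "empty.bin"
        empty.write_bytes(b"")
        planted = Path(tmp) / "sub" / "planted_sample.bin"   # constructed, not real malware
        planted.parent.mkdir()
        planted.write_bytes(b"constructed stand-in, not real malware\n")
        planted_hash = sha256_of_file(planted)
        return {
            "empty_digest": sha256_of_file(empty),
            "real_hits": scan_tree(tmp),                                      # expect none
            "planted_hits": scan_tree(tmp, {**INDICATORS, planted_hash: "TEST-ONLY"}),
        }
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, family in scan_tree(root):
        print(f"{family}\t{digest}\t{path}")
```

Run it as `python sweep.py C:\` (or against a mounted disk image) with enough privilege to read every file; files it cannot open are skipped silently here, so on a real sweep count the skipped paths as well, since a locked file is itself worth a look. An empty result is not evidence of absence: hash matching catches known samples only, and the behavioural signs described above (RC4-encrypted log files, unexpected proxy connections, code injected into payment-switch processes) still need to be checked.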

Last edited: 3 September 2020 10:52 am