Carbanak

Carbanak is a threat group that mainly targets banks. The name also refers to the malware of the same name (Carbanak). The group is sometimes referred to as FIN7, but these appear to be two distinct groups that use the same Carbanak malware, and they are therefore tracked separately. [1] [2]

ID: G0008
Aliases: Carbanak, Anunak, Carbon Spider
Contributors: Anastasios Pingios

Version: 1.0

Alias Descriptions

Name          | Description
--------------|------------
Carbanak      | [1] [5]
Anunak        | [5]
Carbon Spider | [6]

Techniques Used

Domain     | ID    | Name                     | Use
-----------|-------|--------------------------|----
Enterprise | T1089 | Disabling Security Tools | Carbanak may use netsh to add local firewall rule exceptions. [3]
Enterprise | T1036 | Masquerading             | Carbanak malware names itself "svchost.exe," which is the name of the Windows shared service host program. [1]
Enterprise | T1050 | New Service              | Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges. [1]
Enterprise | T1219 | Remote Access Tools      | Carbanak used legitimate programs such as AmmyAdmin and TeamViewer for remote interactive C2 to target systems. [3]
Enterprise | T1085 | Rundll32                 | Carbanak installs VNC server software that executes through rundll32. [1]
Enterprise | T1078 | Valid Accounts           | Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars. [1]
Enterprise | T1102 | Web Service              | Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2. [4]

Software

ID    | Name     | Techniques
------|----------|-----------
S0030 | Carbanak | Command-Line Interface, Commonly Used Port, Create Account, Credential Dumping, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Transfer Size Limits, Email Collection, File Deletion, Input Capture, Obfuscated Files or Information, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Remote Access Tools, Remote Desktop Protocol, Screen Capture, Standard Application Layer Protocol, Standard Cryptographic Protocol
S0002 | Mimikatz | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0108 | netsh    | Connection Proxy, Disabling Security Tools, Netsh Helper DLL, Security Software Discovery
S0029 | PsExec   | Service Execution, Windows Admin Shares

References