Carbanak is a threat group that mainly targets banks. The name also refers to the Carbanak malware. The group is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1089 | Disabling Security Tools | Carbanak may use netsh to add local firewall rule exceptions. |
| Enterprise | T1036 | Masquerading | Carbanak malware names itself "svchost.exe," which is the name of the Windows shared service host program. |
| Enterprise | T1050 | New Service | Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges. |
| Enterprise | T1219 | Remote Access Tools | Carbanak used legitimate programs such as AmmyAdmin and TeamViewer for remote interactive C2 to target systems. |
| Enterprise | T1085 | Rundll32 | Carbanak installs VNC server software that executes through rundll32. |
| Enterprise | T1078 | Valid Accounts | Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars. |
| Enterprise | T1102 | Web Service | Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2. |