Carbanak
Associated Software Descriptions
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
The Carbanak malware communicates to its command server using HTTP with an encrypted payload.[1] |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Carbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.[2] |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1136 | .001 | Create Account: Local Account | |
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Carbanak encodes the message body of HTTP traffic with Base64.[1][2] |
| Enterprise | T1030 | Data Transfer Size Limits |
Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes .[2] |
|
| Enterprise | T1114 | .001 | Email Collection: Local Email Collection |
Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.[2] |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.[1][2] |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion | |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Carbanak logs key strokes for configured processes and sends them back to the C2 server.[1][2] |
| Enterprise | T1027 | Obfuscated Files or Information |
Carbanak encrypts strings to make analysis more difficult.[2] |
|
| Enterprise | T1003 | OS Credential Dumping | ||
| Enterprise | T1057 | Process Discovery | ||
| Enterprise | T1055 | .002 | Process Injection: Portable Executable Injection |
Carbanak downloads an executable and injects it directly into a new process.[2] |
| Enterprise | T1012 | Query Registry |
Carbanak checks the Registry key |
|
| Enterprise | T1219 | Remote Access Tools | ||
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions.[2] |
| Enterprise | T1113 | Screen Capture |
Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server.[2] |
|
Groups That Use This Software
References
- Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
- Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
- Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.
- Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
- Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
- Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
- Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
- Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.