SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. Carbanak

Carbanak

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [1] [2]

ID: S0030
Associated Software: Anunak
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 01 April 2021
Version Permalink

Associated Software Descriptions

Name Description
Anunak

[3] [2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

The Carbanak malware communicates to its command server using HTTP with an encrypted payload.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Carbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.[2]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Carbanak has a command to create a reverse shell.[2]
Enterprise T1136 .001 Create Account: Local Account

Carbanak can create a Windows account.[2]
Enterprise T1132 .001 Data Encoding: Standard Encoding

Carbanak encodes the message body of HTTP traffic with Base64.[1][2]
Enterprise T1030 Data Transfer Size Limits

Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes .[2]
Enterprise T1114 .001 Email Collection: Local Email Collection

Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.[2]
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.[1][2]
Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Carbanak has a command to delete files.[2]
Enterprise T1056 .001 Input Capture: Keylogging

Carbanak logs key strokes for configured processes and sends them back to the C2 server.[1][2]
Enterprise T1027 Obfuscated Files or Information

Carbanak encrypts strings to make analysis more difficult.[2]
Enterprise T1003 OS Credential Dumping

Carbanak obtains Windows logon password details.[2]
Enterprise T1057 Process Discovery

Carbanak lists running processes.[2]
Enterprise T1055 .002 Process Injection: Portable Executable Injection

Carbanak downloads an executable and injects it directly into a new process.[2]
Enterprise T1012 Query Registry

Carbanak checks the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for proxy configurations information.[2]
Enterprise T1219 Remote Access Software

Carbanak has a plugin for VNC and Ammyy Admin Tool.[2]
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions.[2]
Enterprise T1113 Screen Capture

Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server.[2]

Groups That Use This Software

ID Name References
G0008 Carbanak

[1]
G0046 FIN7

[4][5][6]

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  2. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  3. Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.
  1. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  2. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  3. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.