Carbanak

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [1] [2]

ID: S0030
Associated Software: Anunak

Type: MALWARE
Platforms: Windows

Version: 1.0

Associated Software Descriptions

| Name | Description |
| --- | --- |
| Anunak | [3] [2] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1059 | Command-Line Interface | Carbanak has a command to create a reverse shell. [2] |
| Enterprise | T1043 | Commonly Used Port | Carbanak uses port numbers 443 and 80 for the C2 server. [2] |
| Enterprise | T1136 | Create Account | Carbanak can create a Windows account. [2] |
| Enterprise | T1003 | Credential Dumping | Carbanak obtains Windows logon password details. [2] |
| Enterprise | T1094 | Custom Command and Control Protocol | Carbanak uses a custom binary protocol for C2 communications. [2] |
| Enterprise | T1024 | Custom Cryptographic Protocol | Carbanak uses XOR with random keys for its communications. [2] |
| Enterprise | T1030 | Data Transfer Size Limits | Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes. [2] |
| Enterprise | T1114 | Email Collection | Carbanak searches recursively for Outlook personal storage table (PST) files within user directories and sends them back to the C2 server. [2] |
| Enterprise | T1107 | File Deletion | Carbanak has a command to delete files. [2] |
| Enterprise | T1056 | Input Capture | Carbanak logs keystrokes for configured processes and sends them back to the C2 server. [1] [2] |
| Enterprise | T1027 | Obfuscated Files or Information | Carbanak encrypts strings to make analysis more difficult. [2] |
| Enterprise | T1057 | Process Discovery | Carbanak lists running processes. [2] |
| Enterprise | T1055 | Process Injection | Carbanak downloads an executable and injects it directly into a new process. [2] |
| Enterprise | T1012 | Query Registry | Carbanak checks the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for proxy configuration information. [2] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | Carbanak stores configuration files in the startup directory to automatically execute commands in order to persist across reboots. [2] |
| Enterprise | T1219 | Remote Access Tools | Carbanak has a plugin for VNC and Ammyy Admin Tool. [2] |
| Enterprise | T1076 | Remote Desktop Protocol | Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions. [2] |
| Enterprise | T1113 | Screen Capture | Carbanak performs desktop video recording, captures screenshots of the desktop, and sends them to the C2 server. [2] |
| Enterprise | T1071 | Standard Application Layer Protocol | The Carbanak malware communicates with its command server using HTTP with an encrypted payload. [1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode) and Base64 encoding. [1] [2] |

Groups

Groups that use this software:

Carbanak
FIN7

References