Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [1] [2]

ID: S0030
Associated Software: Anunak
Platforms: Windows
Version: 1.1
Created: 31 May 2017
Last Modified: 01 April 2021

Associated Software Descriptions

Name Description

[3] [2]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

The Carbanak malware communicates to its command server using HTTP with an encrypted payload.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Carbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.[2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Carbanak has a command to create a reverse shell.[2]

Enterprise T1136 .001 Create Account: Local Account

Carbanak can create a Windows account.[2]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Carbanak encodes the message body of HTTP traffic with Base64.[1][2]

Enterprise T1030 Data Transfer Size Limits

Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes .[2]

Enterprise T1114 .001 Email Collection: Local Email Collection

Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.[2]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.[1][2]

Enterprise T1070 .004 Indicator Removal: File Deletion

Carbanak has a command to delete files.[2]

Enterprise T1056 .001 Input Capture: Keylogging

Carbanak logs key strokes for configured processes and sends them back to the C2 server.[1][2]

Enterprise T1027 Obfuscated Files or Information

Carbanak encrypts strings to make analysis more difficult.[2]

Enterprise T1003 OS Credential Dumping

Carbanak obtains Windows logon password details.[2]

Enterprise T1057 Process Discovery

Carbanak lists running processes.[2]

Enterprise T1055 .002 Process Injection: Portable Executable Injection

Carbanak downloads an executable and injects it directly into a new process.[2]

Enterprise T1012 Query Registry

Carbanak checks the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for proxy configurations information.[2]

Enterprise T1219 Remote Access Software

Carbanak has a plugin for VNC and Ammyy Admin Tool.[2]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions.[2]

Enterprise T1113 Screen Capture

Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server.[2]

Groups That Use This Software

ID Name References
G0008 Carbanak


G0046 FIN7