SOFTWARE
Overview 3PARA RAT 4H RAT adbupd Adups ADVSTORESHELL Agent Tesla Agent.btz Allwinner Android Overlay Malware Android/Chuli.A ANDROIDOS_ANSERVER.A AndroRAT Arp ASPXSpy Astaroth at AuditCred AutoIt backdoor Azorult Backdoor.Oldrea BACKSPACE BADCALL BADNEWS BadPatch Bandook Bankshot BBSRAT BISCUIT Bisonal BITSAdmin BLACKCOFFEE BlackEnergy BONDUPDATER BOOTRASH BrainTest Brave Prince Briba BS2005 BUBBLEWRAP Cachedump CALENDAR Calisto CallMe Cannon Carbanak Carbon Cardinal RAT Catchamas CCBkdr certutil Chaos Charger ChChes Cherry Picker China Chopper CHOPSTICK CloudDuke cmd Cobalt Strike Cobian RAT CoinTicker Comnie ComRAT CORALDECK CORESHELL CosmicDuke CozyCar Crimson CrossRAT DarkComet Daserf DDKONG DealersChoice Dendroid Denis Derusbi Dipsind DOGCALL Dok Downdelph DownPaper DressCode DroidJack dsquery DualToy Duqu DustySky Dyre Ebury Elise ELMER Emissary Emotet Empire Epic EvilGrab Exaramel Expand FakeM FALLCHILL Felismus FELIXROOT Fgdump Final1stspy FinFisher Flame FLASHFLOOD FLIPSIDE Forfiles FruitFly FTP Gazer GeminiDuke gh0st RAT GLOOXMAIL Gold Dragon Gooligan GravityRAT GreyEnergy gsecdump H1N1 Hacking Team UEFI Rootkit HALFBAKED HAMMERTOSS HAPPYWORK HARDRAIN Havij hcdLoader HDoor Helminth Hi-Zor HIDEDRV Hikit HOMEFRY HOPLIGHT HTRAN HTTPBrowser httpclient HummingBad HummingWhale Hydraq ifconfig iKitten Impacket InnaputRAT InvisiMole Invoke-PSImage ipconfig ISMInjector Ixeshe Janicab JHUHUGIT JPIN jRAT Judy KARAE Kasidet Kazuar Keydnap KEYMARBLE KeyRaider Koadic Komplex KOMPROGO KONNI Kwampirs LaZagne Linfo Linux Rabbit LockerGoga LOWBALL Lslsass Lurid MacSpy Marcher Matroyshka MazarBOT meek Micropsia Mimikatz MimiPenguin Miner-C MiniDuke MirageFox Mis-Type Misdat Mivast MobileOrder MoonWind More_eggs Mosquito MURKYTOP Naid NanHaiShu NanoCore NavRAT nbtstat NDiskMonitor Nerex Net Net Crawler NETEAGLE netsh netstat NetTraveler NETWIRE Nidiran Nltest NOKKI NotCompatible NotPetya OBAD OceanSalt Octopus OLDBAIT OldBoot Olympic Destroyer OnionDuke OopsIE Orz OSInfo OSX_OCEANLOTUS.D OwaAuth P2P ZeuS Pasam Pass-The-Hash Toolkit Pegasus for Android Pegasus for iOS PHOREAL PinchDuke Ping Pisloader PJApps PLAINTEE PlugX pngdowner PoisonIvy POORAIM PoshC2 POSHSPY Power Loader PowerDuke POWERSOURCE PowerSploit POWERSTATS POWERTON POWRUNER Prikormka Proton Proxysvc PsExec Psylo Pteranodon PUNCHBUGGY PUNCHTRACK Pupy pwdump QUADAGENT QuasarRAT RARSTONE RATANKBA RawDisk RawPOS RCSAndroid Reaver RedDrop RedLeaves Reg Regin Remcos Remexi RemoteCMD Remsec Responder RGDoor RIPTIDE ROCKBOOT RogueRobin ROKRAT route Rover RTM Ruler RuMMS RunningRAT S-Type Sakula SamSam schtasks SDelete SeaDuke Seasalt SEASHARPEE Shamoon ShiftyBug SHIPSHAPE SHOTPUT SHUTTERSPEED Skeleton Key Skygofree SLOWDRIFT Smoke Loader SNUGRIDE Socksbot SOUNDBITE SPACESHIP SpeakUp spwebmember SpyDealer SpyNote RAT sqlmap SslMM Starloader Stealth Mango StreamEx Sykipot SynAck Sys10 Systeminfo T9000 Taidoor Tangelo Tasklist TDTESS TEXTMATE TINYTYPHON TinyZBot Tor TrickBot Trojan-SMS.AndroidOS.Agent.ao Trojan-SMS.AndroidOS.FakeInst.a Trojan-SMS.AndroidOS.OpFake.a Trojan.Karagany Trojan.Mebromi Truvasys TURNEDUP Twitoor TYPEFRAME UACMe UBoatRAT Umbreon Unknown Logger UPPERCUT Uroburos USBStealer Vasport VERMIN Volgmer WannaCry WEBC2 Wiarp Windows Credential Editor WINDSHIELD WINERACK Winexe Wingbird WinMM Winnti Wiper WireLurker X-Agent for Android XAgentOSX Xbash Xbot xCmd XcodeGhost XLoader XTunnel YiSpecter yty Zebrocy ZergHelper Zeroaccess ZeroT Zeus Panda ZLib zwShell
  1. Home
  2. Software
  3. Carbanak

Carbanak

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [1] [2]

ID: S0030
Associated Software: Anunak

Type: MALWARE
Platforms: Windows

Version: 1.0

Associated Software Descriptions

NameDescription
Anunak[3] [2]

Techniques Used

DomainIDNameUse
EnterpriseT1059Command-Line InterfaceCarbanak has a command to create a reverse shell.[2]
EnterpriseT1043Commonly Used PortCarbanak uses Port Numbers 443 and 80 for the C2 server.[2]
EnterpriseT1136Create AccountCarbanak can create a Windows account.[2]
EnterpriseT1003Credential DumpingCarbanak obtains Windows logon password details.[2]
EnterpriseT1094Custom Command and Control ProtocolCarbanak uses a custom binary protocol for C2 communications.[2]
EnterpriseT1024Custom Cryptographic ProtocolCarbanak uses XOR with random keys for its communications.[2]
EnterpriseT1030Data Transfer Size LimitsCarbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes .[2]
EnterpriseT1114Email CollectionCarbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.[2]
EnterpriseT1107File DeletionCarbanak has a command to delete files.[2]
EnterpriseT1056Input CaptureCarbanak logs key strokes for configured processes and sends them back to the C2 server.[1][2]
EnterpriseT1027Obfuscated Files or InformationCarbanak encrypts strings to make analysis more difficult.[2]
EnterpriseT1057Process DiscoveryCarbanak lists running processes.[2]
EnterpriseT1055Process InjectionCarbanak downloads an executable and injects it directly into a new process.[2]
EnterpriseT1012Query RegistryCarbanak checks the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for proxy configurations information.[2]
EnterpriseT1060Registry Run Keys / Startup FolderCarbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.[2]
EnterpriseT1219Remote Access ToolsCarbanak has a plugin for VNC and Ammyy Admin Tool.[2]
EnterpriseT1076Remote Desktop ProtocolCarbanak enables concurrent Remote Desktop Protocol (RDP).[2]
EnterpriseT1113Screen CaptureCarbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server.[2]
EnterpriseT1071Standard Application Layer ProtocolThe Carbanak malware communicates to its command server using HTTP with an encrypted payload.[1]
EnterpriseT1032Standard Cryptographic ProtocolCarbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode) and Base64 encoding.[1][2]

Groups

Groups that use this software:

Carbanak
FIN7

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  2. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  1. Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.