Carbanak
Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [1] [2]
ID: S0030
Aliases: Carbanak, Anunak
Type: MALWARE
Platforms: Windows
Version: 1.0
Alias Descriptions
Name | Description |
---|---|
Carbanak | [2] |
Anunak | [3] [2] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1059 | Command-Line Interface | Carbanak has a command to create a reverse shell.[2] |
Enterprise | T1043 | Commonly Used Port | Carbanak uses Port Numbers 443 and 80 for the C2 server.[2] |
Enterprise | T1136 | Create Account | Carbanak can create a Windows account.[2] |
Enterprise | T1003 | Credential Dumping | Carbanak obtains Windows logon password details.[2] |
Enterprise | T1094 | Custom Command and Control Protocol | Carbanak uses a custom binary protocol for C2 communications.[2] |
Enterprise | T1024 | Custom Cryptographic Protocol | Carbanak uses XOR with random keys for its communications.[2] |
Enterprise | T1030 | Data Transfer Size Limits | Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes.[2] |
Enterprise | T1114 | Email Collection | Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.[2] |
Enterprise | T1107 | File Deletion | Carbanak has a command to delete files.[2] |
Enterprise | T1056 | Input Capture | Carbanak logs keystrokes for configured processes and sends them back to the C2 server.[1][2] |
Enterprise | T1027 | Obfuscated Files or Information | Carbanak encrypts strings to make analysis more difficult.[2] |
Enterprise | T1057 | Process Discovery | Carbanak lists running processes.[2] |
Enterprise | T1055 | Process Injection | Carbanak downloads an executable and injects it directly into a new process.[2] |
Enterprise | T1012 | Query Registry | Carbanak checks the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for proxy configuration information.[2] |
Enterprise | T1060 | Registry Run Keys / Startup Folder | Carbanak stores configuration files in the startup directory to automatically execute commands in order to persist across reboots.[2] |
Enterprise | T1219 | Remote Access Tools | Carbanak has a plugin for VNC and Ammyy Admin Tool.[2] |
Enterprise | T1076 | Remote Desktop Protocol | Carbanak enables concurrent Remote Desktop Protocol (RDP).[2] |
Enterprise | T1113 | Screen Capture | Carbanak performs desktop video recording and captures screenshots of the desktop, sending them to the C2 server.[2] |
Enterprise | T1071 | Standard Application Layer Protocol | The Carbanak malware communicates to its command server using HTTP with an encrypted payload.[1] |
Enterprise | T1032 | Standard Cryptographic Protocol | Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode) and Base64 encoding.[1][2] |
Groups
Groups that use this software:
Carbanak
FIN7