Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Carberp has maintained persistence by placing itself inside the current user's startup folder.[5] |
Enterprise | T1185 | Browser Session Hijacking |
Carberp has captured credentials when a user performs login through a SSL session.[5][4] |
|
Enterprise | T1555 | Credentials from Password Stores |
Carberp's passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.[5] |
|
.003 | Credentials from Web Browsers |
Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.[5] |
||
Enterprise | T1041 | Exfiltration Over C2 Channel |
Carberp has exfiltrated data via HTTP to already established C2 servers.[5][4] |
|
Enterprise | T1068 | Exploitation for Privilege Escalation |
Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.[6][5] |
|
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
Carberp has created a hidden file in the Startup folder of the current user.[4] |
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.[5] |
Enterprise | T1105 | Ingress Tool Transfer |
Carberp can download and execute new plugins from the C2 server. [5][4] |
|
Enterprise | T1056 | .004 | Input Capture: Credential API Hooking |
Carberp has hooked several Windows API functions to steal credentials.[5] |
Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".[5][4] |
Enterprise | T1106 | Native API |
Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.[4] |
|
Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
Carberp has used XOR-based encryption to mask C2 server locations within the trojan.[5] |
Enterprise | T1542 | .003 | Pre-OS Boot: Bootkit |
Carberp has installed a bootkit on the system to maintain persistence.[6] |
Enterprise | T1057 | Process Discovery | ||
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
Carberp's bootkit can inject a malicious DLL into the address space of running processes.[6] |
.004 | Process Injection: Asynchronous Procedure Call |
Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread.[5] |
||
Enterprise | T1012 | Query Registry |
Carberp has searched the Image File Execution Options registry key for "Debugger" within every subkey.[5] |
|
Enterprise | T1021 | .005 | Remote Services: VNC |
Carberp can start a remote VNC session by downloading a new plugin.[5] |
Enterprise | T1014 | Rootkit |
Carberp has used user mode rootkit techniques to remain hidden on the system.[5] |
|
Enterprise | T1113 | Screen Capture |
Carberp can capture display screenshots with the screens_dll.dll plugin.[5] |
|
Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products.[5] |
Enterprise | T1082 | System Information Discovery |
Carberp has collected the operating system version from the infected system.[5] |
|
Enterprise | T1497 | Virtualization/Sandbox Evasion |
Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.[6] |