Carberp

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.[1][2][3]

ID: S0484
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 15 July 2020
Last Modified: 10 August 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Carberp has connected to C2 servers via HTTP.[4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Carberp has maintained persistence by placing itself inside the current user's startup folder.[5]

Enterprise T1555 Credentials from Password Stores

Carberp's passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.[5]

.003 Credentials from Web Browsers

Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.[5]

Enterprise T1041 Exfiltration Over C2 Channel

Carberp has exfiltrated data via HTTP to already established C2 servers.[5][4]

Enterprise T1068 Exploitation for Privilege Escalation

Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.[6][5]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Carberp has created a hidden file in the Startup folder of the current user.[4]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.[5]

Enterprise T1105 Ingress Tool Transfer

Carberp can download and execute new plugins from the C2 server. [5][4]

Enterprise T1056 .004 Input Capture: Credential API Hooking

Carberp has hooked several Windows API functions during its Man in the Browser attack to steal credentials.[5]

Enterprise T1185 Man in the Browser

Carberp has captured credentials when a user performs login through a SSL session.[5][4]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".[5][4]

Enterprise T1106 Native API

Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.[4]

Enterprise T1027 Obfuscated Files or Information

Carberp has used XOR-based encryption to mask C2 server locations within the trojan.[5]

Enterprise T1542 .003 Pre-OS Boot: Bootkit

Carberp has installed a bootkit on the system to maintain persistence.[6]

Enterprise T1057 Process Discovery

Carberp has collected a list of running processes.[4]

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Carberp's bootkit can inject a malicious DLL into the address space of running processes.[6]

.004 Process Injection: Asynchronous Procedure Call

Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread.[5]

Enterprise T1012 Query Registry

Carberp has searched the Image File Execution Options registry key for "Debugger" within every subkey.[5]

Enterprise T1021 .005 Remote Services: VNC

Carberp can start a remote VNC session by downloading a new plugin.[5]

Enterprise T1014 Rootkit

Carberp has used user mode rootkit techniques to remain hidden on the system.[5]

Enterprise T1113 Screen Capture

Carberp can capture display screenshots with the screens_dll.dll plugin.[5]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products.[5]

Enterprise T1082 System Information Discovery

Carberp has collected the operating system version from the infected system.[5]

Enterprise T1497 Virtualization/Sandbox Evasion

Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.[6]

References