Group: Carbanak, Anunak, Carbon Spider
Aliases: Carbanak, Anunak, Carbon Spider
Carbanak is a threat group that mainly targets banks. The name also refers to the malware of the same name (Carbanak). The group is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.[1][2]
Techniques used:
- Valid Accounts - Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars.[1]
- New Service - Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges.[1]
- Masquerading - Carbanak malware names itself "svchost.exe," which is the name of the Windows shared service host program.[1]
- Web Service - Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2.[6]
- Remote Access Tools - Carbanak used legitimate programs such as AmmyAdmin and TeamViewer for remote interactive C2 to target systems.[5]
References:
1. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
2. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
3. Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.
4. Johnston, R. (2016, May 16). State of the Criminal Address. Retrieved December 7, 2017.
5. Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.
6. Griffin, N. (2017, January 17). CARBANAK GROUP USES GOOGLE FOR MALWARE COMMAND-AND-CONTROL. Retrieved February 15, 2017.