Skip to content

G0008 Carbanak

Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Carbanak may be linked to groups tracked separately as Cobalt Group and FIN7 that have also used Carbanak malware.12345

Item Value
ID G0008
Associated Names Anunak
Version 2.0
Created 31 May 2017
Last Modified 18 October 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Anunak 6

Techniques Used

Domain ID Name Use
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges.1
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall Carbanak may use netsh to add local firewall rule exceptions.7
enterprise T1036 Masquerading -
enterprise T1036.004 Masquerade Task or Service Carbanak has copied legitimate service names to use for malicious services.1
enterprise T1036.005 Match Legitimate Name or Location Carbanak has named malware “svchost.exe,” which is the name of the Windows shared service host program.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Carbanak has obtained and used open-source tools such as PsExec and Mimikatz.1
enterprise T1219 Remote Access Software Carbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems.7
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 Carbanak installs VNC server software that executes through rundll32.1
enterprise T1078 Valid Accounts Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars.1
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication Carbanak has used a VBScript named “ggldr” that uses Google Apps Script, Sheets, and Forms services for C2.8


ID Name References Techniques
S0030 Carbanak - Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Commonly Used Port Local Account:Create Account Standard Encoding:Data Encoding Data Transfer Size Limits Local Email Collection:Email Collection Symmetric Cryptography:Encrypted Channel File Deletion:Indicator Removal on Host Keylogging:Input Capture Obfuscated Files or Information OS Credential Dumping Process Discovery Portable Executable Injection:Process Injection Query Registry Remote Access Software Remote Desktop Protocol:Remote Services Screen Capture
S0002 Mimikatz - SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores LSA Secrets:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Rogue Domain Controller Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0108 netsh - Netsh Helper DLL:Event Triggered Execution Disable or Modify System Firewall:Impair Defenses Proxy Security Software Discovery:Software Discovery
S0029 PsExec - Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services


Back to top