
G0008 Carbanak

Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Carbanak may be linked to groups tracked separately as Cobalt Group and FIN7 that have also used Carbanak malware. [1][2][3][4][5]

ID: G0008
Associated Names: Anunak
Version: 2.0
Created: 31 May 2017
Last Modified: 18 October 2021

Associated Group Descriptions

Name | Description
Anunak | (no description given) [6]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1543 | Create or Modify System Process | -
Enterprise | T1543.003 | Windows Service | Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges. [1]
Enterprise | T1562 | Impair Defenses | -
Enterprise | T1562.004 | Disable or Modify System Firewall | Carbanak may use netsh to add local firewall rule exceptions. [7]
Enterprise | T1036 | Masquerading | -
Enterprise | T1036.004 | Masquerade Task or Service | Carbanak has copied legitimate service names to use for malicious services. [1]
Enterprise | T1036.005 | Match Legitimate Name or Location | Carbanak has named malware "svchost.exe", which is the name of the Windows shared service host program. [1]
Enterprise | T1588 | Obtain Capabilities | -
Enterprise | T1588.002 | Tool | Carbanak has obtained and used open-source tools such as PsExec and Mimikatz. [1]
Enterprise | T1219 | Remote Access Software | Carbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems. [7]
Enterprise | T1218 | System Binary Proxy Execution | -
Enterprise | T1218.011 | Rundll32 | Carbanak installs VNC server software that executes through rundll32. [1]
Enterprise | T1078 | Valid Accounts | Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars. [1]
Enterprise | T1102 | Web Service | -
Enterprise | T1102.002 | Bidirectional Communication | Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2. [8]

Software

ID | Name | References | Techniques (sub-technique, with parent technique in parentheses)

S0030 | Carbanak | [1] | Web Protocols (Application Layer Protocol); Registry Run Keys / Startup Folder (Boot or Logon Autostart Execution); Windows Command Shell (Command and Scripting Interpreter); Local Account (Create Account); Standard Encoding (Data Encoding); Data Transfer Size Limits; Local Email Collection (Email Collection); Symmetric Cryptography (Encrypted Channel); File Deletion (Indicator Removal); Keylogging (Input Capture); Obfuscated Files or Information; OS Credential Dumping; Process Discovery; Portable Executable Injection (Process Injection); Query Registry; Remote Access Software; Remote Desktop Protocol (Remote Services); Screen Capture

S0002 | Mimikatz | [1] | SID-History Injection (Access Token Manipulation); Account Manipulation; Security Support Provider (Boot or Logon Autostart Execution); Credentials from Password Stores; Windows Credential Manager (Credentials from Password Stores); Credentials from Web Browsers (Credentials from Password Stores); LSASS Memory (OS Credential Dumping); DCSync (OS Credential Dumping); Security Account Manager (OS Credential Dumping); LSA Secrets (OS Credential Dumping); Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket (Steal or Forge Kerberos Tickets); Golden Ticket (Steal or Forge Kerberos Tickets); Private Keys (Unsecured Credentials); Pass the Ticket (Use Alternate Authentication Material); Pass the Hash (Use Alternate Authentication Material)

S0108 | netsh | [7] | Netsh Helper DLL (Event Triggered Execution); Disable or Modify System Firewall (Impair Defenses); Proxy; Security Software Discovery (Software Discovery)

S0029 | PsExec | [1] | Domain Account (Create Account); Windows Service (Create or Modify System Process); Lateral Tool Transfer; SMB/Windows Admin Shares (Remote Services); Service Execution (System Services)

References