S0030 Carbanak
Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. [1][2]
| Item | Value |
|---|---|
| ID | S0030 |
| Associated Names | Anunak |
| Type | MALWARE |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 01 April 2021 |
Associated Software Descriptions
| Name | Description |
|---|---|
| Anunak | [3][2] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | The Carbanak malware communicates with its command server using HTTP with an encrypted payload. [1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Carbanak stores a configuration file in the startup directory to automatically execute commands in order to persist across reboots. [2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Carbanak has a command to create a reverse shell. [2] |
| enterprise | T1136 | Create Account | - |
| enterprise | T1136.001 | Local Account | Carbanak can create a Windows account. [2] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Carbanak encodes the message body of HTTP traffic with Base64. [1][2] |
| enterprise | T1030 | Data Transfer Size Limits | Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes. [2] |
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.001 | Local Email Collection | Carbanak searches recursively for Outlook personal storage table (PST) files within user directories and sends them back to the C2 server. [2] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications. [1][2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Carbanak has a command to delete files. [2] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Carbanak logs keystrokes for configured processes and sends them back to the C2 server. [1][2] |
| enterprise | T1027 | Obfuscated Files or Information | Carbanak encrypts strings to make analysis more difficult. [2] |
| enterprise | T1003 | OS Credential Dumping | Carbanak obtains Windows logon password details. [2] |
| enterprise | T1057 | Process Discovery | Carbanak lists running processes. [2] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.002 | Portable Executable Injection | Carbanak downloads an executable and injects it directly into a new process. [2] |
| enterprise | T1012 | Query Registry | Carbanak checks the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for proxy configuration information. [2] |
| enterprise | T1219 | Remote Access Software | Carbanak has a plugin for VNC and Ammyy Admin Tool. [2] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions. [2] |
| enterprise | T1113 | Screen Capture | Carbanak records desktop video and captures screenshots of the desktop, sending them to the C2 server. [2] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0046 | FIN7 | [7][4][5][8][6][9] |
| G0008 | Carbanak | [1] |
References
1. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
2. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
3. Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.
4. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
5. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
6. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
7. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
8. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
9. The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.