Skip to content

S0030 Carbanak

Carbanak is a full-featured, remote backdoor used by a group of the same name (Carbanak). It is intended for espionage, data exfiltration, and providing remote access to infected machines. 1 2

Item Value
ID S0030
Associated Names Anunak
Version 1.1
Created 31 May 2017
Last Modified 01 April 2021
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
Anunak 3 2

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols The Carbanak malware communicates to its command server using HTTP with an encrypted payload.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Carbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.2
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Carbanak has a command to create a reverse shell.2
enterprise T1136 Create Account -
enterprise T1136.001 Local Account Carbanak can create a Windows account.2
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding Carbanak encodes the message body of HTTP traffic with Base64.12
enterprise T1030 Data Transfer Size Limits Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes .2
enterprise T1114 Email Collection -
enterprise T1114.001 Local Email Collection Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.2
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.12
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Carbanak has a command to delete files.2
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Carbanak logs key strokes for configured processes and sends them back to the C2 server.12
enterprise T1027 Obfuscated Files or Information Carbanak encrypts strings to make analysis more difficult.2
enterprise T1003 OS Credential Dumping Carbanak obtains Windows logon password details.2
enterprise T1057 Process Discovery Carbanak lists running processes.2
enterprise T1055 Process Injection -
enterprise T1055.002 Portable Executable Injection Carbanak downloads an executable and injects it directly into a new process.2
enterprise T1012 Query Registry Carbanak checks the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for proxy configurations information.2
enterprise T1219 Remote Access Software Carbanak has a plugin for VNC and Ammyy Admin Tool.2
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions.2
enterprise T1113 Screen Capture Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server.2

Groups That Use This Software

ID Name References
G0046 FIN7 456789
G0008 Carbanak 1


Back to top