S0484 Carberp
Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.[1][2][3]
Item | Value |
---|---|
ID | S0484 |
Associated Names | |
Type | MALWARE |
Version | 1.1 |
Created | 15 July 2020 |
Last Modified | 25 August 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | Carberp has connected to C2 servers via HTTP.[5] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Carberp has maintained persistence by placing itself inside the current user's startup folder.[4] |
enterprise | T1185 | Browser Session Hijacking | Carberp has captured credentials when a user performs login through an SSL session.[4][5] |
enterprise | T1555 | Credentials from Password Stores | Carberp's passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.[4] |
enterprise | T1555.003 | Credentials from Web Browsers | Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.[4] |
enterprise | T1041 | Exfiltration Over C2 Channel | Carberp has exfiltrated data via HTTP to already established C2 servers.[4][5] |
enterprise | T1068 | Exploitation for Privilege Escalation | Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.[6][4] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | Carberp has created a hidden file in the Startup folder of the current user.[5] |
enterprise | T1562 | Impair Defenses | - |
enterprise | T1562.001 | Disable or Modify Tools | Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.[4] |
enterprise | T1105 | Ingress Tool Transfer | Carberp can download and execute new plugins from the C2 server.[4][5] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.004 | Credential API Hooking | Carberp has hooked several Windows API functions to steal credentials.[4] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".[4][5] |
enterprise | T1106 | Native API | Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.[5] |
enterprise | T1027 | Obfuscated Files or Information | Carberp has used XOR-based encryption to mask C2 server locations within the trojan.[4] |
enterprise | T1542 | Pre-OS Boot | - |
enterprise | T1542.003 | Bootkit | Carberp has installed a bootkit on the system to maintain persistence.[6] |
enterprise | T1057 | Process Discovery | Carberp has collected a list of running processes.[5] |
enterprise | T1055 | Process Injection | - |
enterprise | T1055.001 | Dynamic-link Library Injection | Carberp's bootkit can inject a malicious DLL into the address space of running processes.[6] |
enterprise | T1055.004 | Asynchronous Procedure Call | Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread.[4] |
enterprise | T1012 | Query Registry | Carberp has searched the Image File Execution Options registry key for "Debugger" within every subkey.[4] |
enterprise | T1021 | Remote Services | - |
enterprise | T1021.005 | VNC | Carberp can start a remote VNC session by downloading a new plugin.[4] |
enterprise | T1014 | Rootkit | Carberp has used user mode rootkit techniques to remain hidden on the system.[4] |
enterprise | T1113 | Screen Capture | Carberp can capture display screenshots with the screens_dll.dll plugin.[4] |
enterprise | T1518 | Software Discovery | - |
enterprise | T1518.001 | Security Software Discovery | Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products.[4] |
enterprise | T1082 | System Information Discovery | Carberp has collected the operating system version from the infected system.[4] |
enterprise | T1497 | Virtualization/Sandbox Evasion | Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.[6] |
References
1. Trend Micro. (2014, February 27). CARBERP. Retrieved July 29, 2020.
2. Kaspersky Lab's Global Research & Analysis Team. (2015, February). CARBANAK APT: The Great Bank Robbery. Retrieved March 27, 2017.
3. RSA. (2017, November 21). The Carbanak/FIN7 Syndicate: A Historical Overview of an Evolving Threat. Retrieved July 29, 2020.
4. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
5. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
6. Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp: When You're in a Black Hole, Stop Digging. Retrieved July 15, 2020.