
S0484 Carberp

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013 and was subsequently used as the foundation for the Carbanak backdoor.[1][2][3]

| Item | Value |
|---|---|
| ID | S0484 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 15 July 2020 |
| Last Modified | 25 August 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Carberp has connected to C2 servers via HTTP.[5] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Carberp has maintained persistence by placing itself inside the current user's Startup folder.[4] |
| enterprise | T1185 | Browser Session Hijacking | Carberp has captured credentials when a user performs a login through an SSL session.[4][5] |
| enterprise | T1555 | Credentials from Password Stores | Carberp's passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.[4] |
| enterprise | T1555.003 | Credentials from Web Browsers | Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.[4] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Carberp has exfiltrated data via HTTP to already established C2 servers.[4][5] |
| enterprise | T1068 | Exploitation for Privilege Escalation | Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.[6][4] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | Carberp has created a hidden file in the Startup folder of the current user.[5] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code that deletes antivirus core files when the process is resumed.[4] |
| enterprise | T1105 | Ingress Tool Transfer | Carberp can download and execute new plugins from the C2 server.[4][5] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.004 | Credential API Hooking | Carberp has hooked several Windows API functions to steal credentials.[4] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".[4][5] |
| enterprise | T1106 | Native API | Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.[5] |
| enterprise | T1027 | Obfuscated Files or Information | Carberp has used XOR-based encryption to mask C2 server locations within the trojan.[4] |
| enterprise | T1542 | Pre-OS Boot | - |
| enterprise | T1542.003 | Bootkit | Carberp has installed a bootkit on the system to maintain persistence.[6] |
| enterprise | T1057 | Process Discovery | Carberp has collected a list of running processes.[5] |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | Carberp's bootkit can inject a malicious DLL into the address space of running processes.[6] |
| enterprise | T1055.004 | Asynchronous Procedure Call | Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread.[4] |
| enterprise | T1012 | Query Registry | Carberp has searched the Image File Execution Options registry key for "Debugger" within every subkey.[4] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.005 | VNC | Carberp can start a remote VNC session by downloading a new plugin.[4] |
| enterprise | T1014 | Rootkit | Carberp has used user-mode rootkit techniques to remain hidden on the system.[4] |
| enterprise | T1113 | Screen Capture | Carberp can capture display screenshots with the screens_dll.dll plugin.[4] |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Carberp has queried the infected system's registry for specific registry keys associated with antivirus products.[4] |
| enterprise | T1082 | System Information Discovery | Carberp has collected the operating system version from the infected system.[4] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.[6] |

References