Carbanak

Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Carbanak may be linked to groups tracked separately as Cobalt Group and FIN7 that have also used Carbanak malware.[1][2][3][4][5]

ID: G0008
Associated Groups: Anunak
Contributors: Anastasios Pingios
Version: 2.0
Created: 31 May 2017
Last Modified: 18 October 2021

Associated Group Descriptions

Name Description
Anunak [6]

Techniques Used

Domain ID Name Use
Enterprise T1543.003 Create or Modify System Process: Windows Service

Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges.[1]

Enterprise T1562.004 Impair Defenses: Disable or Modify System Firewall

Carbanak may use netsh to add local firewall rule exceptions.[7]

Enterprise T1036.004 Masquerading: Masquerade Task or Service

Carbanak has copied legitimate service names to use for malicious services.[1]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.[1]

Enterprise T1588.002 Obtain Capabilities: Tool

Carbanak has obtained and used open-source tools such as PsExec and Mimikatz.[1]

Enterprise T1219 Remote Access Software

Carbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems.[7]

Enterprise T1218.011 Signed Binary Proxy Execution: Rundll32

Carbanak installs VNC server software that executes through rundll32.[1]

Enterprise T1078 Valid Accounts

Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars.[1]

Enterprise T1102.002 Web Service: Bidirectional Communication

Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2.[8]
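A defender-side illustration of three of the host-observable behaviours listed above (svchost.exe placed outside its legitimate directory, netsh adding firewall exceptions, rundll32 loading a VNC DLL from a non-system path), written as an added example that is not part of the ATT&CK page: a small classifier run over constructed process-creation events. The event fields, file paths and rule names are constructed assumptions, not indicators from the page.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (image path + command line); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Users\alice\AppData\Roaming\svchost.exe", "cmdline": "svchost.exe"},
    {"image": r"C:\Windows\System32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="Update" dir=in action=allow '
                'program="C:\\ProgramData\\svchost.exe"'},
    {"image": r"C:\Windows\System32\netsh.exe", "cmdline": "netsh interface show interface"},
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\ProgramData\vnc\vnc.dll",RunAsService'},
    {"image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# The only directories the real Windows service host is launched from.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# netsh syntaxes (old "firewall" context and newer "advfirewall") that add an allow rule.
NETSH_FW_ADD = re.compile(
    r"\bnetsh\b.*\b(advfirewall\s+firewall\s+add\s+rule|firewall\s+add\s+(allowedprogram|portopening))\b",
    re.I)
# rundll32 given an absolute DLL path; group 1 captures that path.
RUNDLL32_ABS_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([a-z]:\\[^",]+\.dll)', re.I)


def classify(event):
    """Return ATT&CK-labelled findings for one process-creation event (empty list if benign)."""
    findings = []
    image = PureWindowsPath(event["image"])
    name = image.name.lower()
    if name == "svchost.exe" and str(image.parent).lower() not in LEGIT_SVCHOST_DIRS:
        findings.append("T1036.005 svchost.exe outside System32/SysWOW64")
    if name == "netsh.exe" and NETSH_FW_ADD.search(event["cmdline"]):
        findings.append("T1562.004 netsh firewall rule added")
    m = RUNDLL32_ABS_DLL.search(event["cmdline"])
    if name == "rundll32.exe" and m and not m.group(1).lower().startswith("c:\\windows\\"):
        findings.append("T1218.011 rundll32 loading DLL outside the Windows directory")
    return findings


def scan(events):
    """Flatten findings across a batch of events as (image path, finding) pairs."""
    return [(e["image"], f) for e in events for f in classify(e)]


if __name__ == "__main__":
    for image, finding in scan(SAMPLE_EVENTS):
        print(f"{finding}: {image}")
```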

Software

ID Name References Techniques
S0030 Carbanak [1] Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Commonly Used Port, Create Account: Local Account, Data Encoding: Standard Encoding, Data Transfer Size Limits, Email Collection: Local Email Collection, Encrypted Channel: Symmetric Cryptography, Indicator Removal on Host: File Deletion, Input Capture: Keylogging, Obfuscated Files or Information, OS Credential Dumping, Process Discovery, Process Injection: Portable Executable Injection, Query Registry, Remote Access Software, Remote Services: Remote Desktop Protocol, Screen Capture
S0002 Mimikatz [1] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0108 netsh [7] Event Triggered Execution: Netsh Helper DLL, Impair Defenses: Disable or Modify System Firewall, Proxy, Software Discovery: Security Software Discovery
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

References