Carbanak
Associated Software Descriptions
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1136 | .001 | 创建账户: Local Account | |
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography |
Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.[1][2] |
| Enterprise | T1547 | .001 | 启动或登录自动启动执行: Registry Run Keys / Startup Folder |
Carbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.[2] |
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell | |
| Enterprise | T1113 | 屏幕捕获 |
Carbanak performs desktop video recording and captures screenshots of the desktop and sends it to the C2 server.[2] |
|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
The Carbanak malware communicates to its command server using HTTP with an encrypted payload.[1] |
| Enterprise | T1003 | 操作系统凭证转储 | ||
| Enterprise | T1030 | 数据传输大小限制 |
Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes .[2] |
|
| Enterprise | T1132 | .001 | 数据编码: Standard Encoding |
Carbanak encodes the message body of HTTP traffic with Base64.[1][2] |
| Enterprise | T1012 | 查询注册表 |
Carbanak checks the Registry key |
|
| Enterprise | T1027 | 混淆文件或信息 |
Carbanak encrypts strings to make analysis more difficult.[2] |
|
| Enterprise | T1114 | .001 | 电子邮件收集: Local Email Collection |
Carbanak searches recursively for Outlook personal storage tables (PST) files within user directories and sends them back to the C2 server.[2] |
| Enterprise | T1070 | .004 | 移除指标: File Deletion | |
| Enterprise | T1056 | .001 | 输入捕获: Keylogging |
Carbanak logs key strokes for configured processes and sends them back to the C2 server.[1][2] |
| Enterprise | T1057 | 进程发现 | ||
| Enterprise | T1055 | .002 | 进程注入: Portable Executable Injection |
Carbanak downloads an executable and injects it directly into a new process.[2] |
| Enterprise | T1021 | .001 | 远程服务: Remote Desktop Protocol |
Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions.[2] |
| Enterprise | T1219 | 远程访问软件 | ||
Groups That Use This Software
References
- Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
- Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
- Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.
- Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
- Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
- Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
- Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.
- Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.