| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1014 | Rootkit | Carberp has used user mode rootkit techniques to remain hidden on the system.[4] |
| Enterprise | T1555 | Credentials from Password Stores | Carberp's passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.[4] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.[4] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".[4][5] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Carberp has maintained persistence by placing itself inside the current user's Startup folder.[4] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code that deletes the antivirus core files when the process is resumed.[4] |
| Enterprise | T1113 | Screen Capture | Carberp can capture display screenshots with the screens_dll.dll plugin.[4] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1106 | Native API | Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.[5] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.[6][4] |
| Enterprise | T1012 | Query Registry | Carberp has searched the Image File Execution Options registry key for "Debugger" within every subkey.[4] |
| Enterprise | T1185 | Browser Session Hijacking | Carberp has captured credentials when a user performs a login through an SSL session.[4][5] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Carberp has used XOR-based encryption to mask C2 server locations within the trojan.[4] |
| Enterprise | T1082 | System Information Discovery | Carberp has collected the operating system version from the infected system.[4] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.[6] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products.[4] |
| Enterprise | T1105 | Ingress Tool Transfer | Carberp can download and execute new plugins from the C2 server.[4][5] |
| Enterprise | T1056.004 | Input Capture: Credential API Hooking | Carberp has hooked several Windows API functions to steal credentials.[4] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Carberp's bootkit can inject a malicious DLL into the address space of running processes.[6] |
| Enterprise | T1055.004 | Process Injection: Asynchronous Procedure Call | Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread.[4] |
| Enterprise | T1021.005 | Remote Services: VNC | Carberp can start a remote VNC session by downloading a new plugin.[4] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Carberp has exfiltrated data via HTTP to already established C2 servers.[4][5] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Carberp has created a hidden file in the Startup folder of the current user.[5] |
| Enterprise | T1542.003 | Pre-OS Boot: Bootkit | Carberp has installed a bootkit on the system to maintain persistence.[6] |