Carbanak

Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Carbanak may be linked to groups tracked separately as Cobalt Group and FIN7 that have also used Carbanak malware.[1][2][3][4][5]

ID: G0008
Associated Groups: Anunak
Contributors: Anastasios Pingios
Version: 2.0
Created: 31 May 2017
Last Modified: 18 October 2021

Associated Group Descriptions

Name Description
Anunak [6]

Techniques Used

Domain ID Name Use
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Carbanak has copied legitimate service names to use for malicious services.[1]

.005 Masquerading: Match Legitimate Name or Location

Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.[1]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges.[1]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Carbanak may use netsh to add local firewall rule exceptions.[7]

Enterprise T1078 Valid Accounts

Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars.[1]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Carbanak installs VNC server software that executes through rundll32.[1]

Enterprise T1102 .002 Web Service: Bidirectional Communication

Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2.[8]

Enterprise T1588 .002 Obtain Capabilities: Tool

Carbanak has obtained and used open-source tools such as PsExec and Mimikatz.[1]

Enterprise T1219 Remote Access Software

Carbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems.[7]
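
Two of the behaviours listed above lend themselves to simple host-telemetry checks: a binary named "svchost.exe" running from somewhere other than the Windows system directories (T1036.005), and netsh being used to add a firewall exception (T1562.004). The following Python is an added example written for this page, not code from MITRE or from any Carbanak report; the process-creation events, host names and command lines are constructed for illustration, and the list of directories where a genuine svchost.exe is expected is an assumption for a default 64-bit Windows install.

```python
"""Host-telemetry checks for two behaviours from the Carbanak technique list:
T1036.005 (malware named svchost.exe outside the system directories) and
T1562.004 (netsh used to add a local firewall exception).
All events below are constructed sample data, not real telemetry."""
import re
from dataclasses import dataclass

# Assumption: on a default 64-bit Windows install the real shared service
# host lives only in these two directories (compared lower-cased).
LEGIT_SVCHOST_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)


@dataclass
class ProcessEvent:
    host: str
    image: str          # full path of the executed binary
    command_line: str   # command line as recorded by the sensor


def svchost_out_of_place(ev: ProcessEvent) -> bool:
    """True when the image is named svchost.exe but does not reside in a
    directory where the legitimate service host is installed."""
    path = ev.image.lower()
    directory, _, name = path.rpartition("\\")
    if name != "svchost.exe":
        return False
    return directory not in LEGIT_SVCHOST_DIRS


# Matches both the current "netsh advfirewall firewall add rule ..." form and
# the legacy "netsh firewall add|set allowedprogram|portopening ..." form.
_NETSH_ADD_RULE = re.compile(
    r"\bnetsh(?:\.exe)?\b.*\b(?:"
    r"advfirewall\s+firewall\s+add\s+rule"
    r"|firewall\s+(?:add|set)\s+(?:allowedprogram|portopening)"
    r")\b",
    re.IGNORECASE,
)


def netsh_firewall_exception(ev: ProcessEvent) -> bool:
    """True when the command line adds or enables a firewall exception via netsh."""
    return bool(_NETSH_ADD_RULE.search(ev.command_line))


def triage(events):
    """Return (host, technique_id, evidence) tuples for every matching event."""
    findings = []
    for ev in events:
        if svchost_out_of_place(ev):
            findings.append((ev.host, "T1036.005", ev.image))
        if netsh_firewall_exception(ev):
            findings.append((ev.host, "T1562.004", ev.command_line))
    return findings


# Constructed sample events: two benign, three that should be flagged.
SAMPLE_EVENTS = [
    ProcessEvent("WS01", r"C:\Windows\System32\svchost.exe",
                 r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ProcessEvent("WS01", r"C:\Users\Public\svchost.exe",
                 r"C:\Users\Public\svchost.exe"),
    ProcessEvent("WS02", r"C:\Windows\System32\netsh.exe",
                 r'netsh advfirewall firewall add rule name="Update" dir=in '
                 r'action=allow program="C:\Users\Public\svchost.exe"'),
    ProcessEvent("WS02", r"C:\Windows\System32\netsh.exe",
                 r"netsh interface show interface"),
    ProcessEvent("WS03", r"C:\Windows\System32\netsh.exe",
                 r'netsh firewall set allowedprogram C:\tools\vnc.exe "VNC" ENABLE'),
]

if __name__ == "__main__":
    for host, technique, evidence in triage(SAMPLE_EVENTS):
        print(f"{host}\t{technique}\t{evidence}")
```

The directory allow-list is deliberately strict: anything named svchost.exe outside the two system directories is flagged, which is the right default for a workstation fleet but will need adjusting on hosts with a non-standard Windows install path. The netsh check keys on the command line alone, so it also fires when an administrator legitimately opens a port; pair it with the service-installation events that T1543.003 above implies (a new service whose image path is outside the system directories) to raise confidence. Service-name mimicry (T1036.004) is not covered here because it needs a per-host baseline of legitimate service names.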

Software

ID Name References Techniques
S0030 Carbanak [1] Create Account: Local Account, Encrypted Channel: Symmetric Cryptography, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, OS Credential Dumping, Data Transfer Size Limits, Data Encoding: Standard Encoding, Query Registry, Obfuscated Files or Information, Email Collection: Local Email Collection, Indicator Removal: File Deletion, Input Capture: Keylogging, Process Discovery, Process Injection: Portable Executable Injection, Remote Services: Remote Desktop Protocol, Remote Access Software
S0002 Mimikatz [1] Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores: Windows Credential Manager, Rogue Domain Controller, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket, Boot or Logon Autostart Execution: Security Support Provider, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, Unsecured Credentials: Private Keys, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Authentication Certificates, Access Token Manipulation: SID-History Injection, Account Manipulation
S0108 netsh [7] Event Triggered Execution: Netsh Helper DLL, Proxy, Impair Defenses: Disable or Modify System Firewall, Software Discovery: Security Software Discovery
S0029 PsExec [1] Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares

References