Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Carbanak
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Carbanak
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Carbanak

Carbanak is a cybercriminal group that has used Carbanak malware to target financial institutions since at least 2013. Carbanak may be linked to groups tracked separately as Cobalt Group and FIN7 that have also used Carbanak malware.(Citation: Kaspersky Carbanak)(Citation: FireEye FIN7 April 2017)(Citation: Europol Cobalt Mar 2018)(Citation: Secureworks GOLD NIAGARA Threat Profile)(Citation: Secureworks GOLD KINGSWOOD Threat Profile)
ID: G0008
Associated Groups: Anunak
Version: 2.0
Created: 31 May 2017
Last Modified: 18 Oct 2021

Associated Group Descriptions
Name Description
Anunak (Citation: Fox-It Anunak Feb 2015)

Techniques Used
Domain ID Name Use
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges.(Citation: Kaspersky Carbanak)
Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Carbanak may use netsh to add local firewall rule exceptions.(Citation: Group-IB Anunak)
Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Carbanak has copied legitimate service names to use for malicious services.(Citation: Kaspersky Carbanak)
.005 Masquerading: Match Legitimate Name or Location

Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.(Citation: Kaspersky Carbanak)

Enterprise T1588 .002 Obtain Capabilities: Tool

Carbanak has obtained and used open-source tools such as PsExec and Mimikatz.(Citation: Kaspersky Carbanak)
Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

Carbanak installs VNC server software that executes through rundll32.(Citation: Kaspersky Carbanak)
Enterprise T1102 .002 Web Service: Bidirectional Communication

Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2.(Citation: Forcepoint Carbanak Google C2)

Software
ID Name References Techniques
S0108 netsh (Citation: Group-IB Anunak) (Citation: TechNet Netsh) Disable or Modify System Firewall, Netsh Helper DLL, Proxy, Security Software Discovery
S0030 Carbanak (Citation: Anunak) (Citation: FireEye CARBANAK June 2017) (Citation: Fox-It Anunak Feb 2015) (Citation: Kaspersky Carbanak) OS Credential Dumping, Screen Capture, Web Protocols, Query Registry, Custom Command and Control Protocol, Remote Desktop Protocol, Windows Command Shell, Portable Executable Injection, Local Email Collection, Process Discovery, Obfuscated Files or Information, Remote Access Software, Keylogging, Registry Run Keys / Startup Folder, Local Account, Symmetric Cryptography, File Deletion, Standard Encoding, Commonly Used Port, Data Transfer Size Limits
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Kaspersky Carbanak) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0029 PsExec (Citation: Kaspersky Carbanak) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  2. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  3. Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.
  4. Griffin, N. (2017, January 17). CARBANAK GROUP USES GOOGLE FOR MALWARE COMMAND-AND-CONTROL. Retrieved February 15, 2017.
  5. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  6. Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018.
  7. CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.
  8. Secureworks. (n.d.). GOLD KINGSWOOD. Retrieved October 18, 2021.
  9. Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.