Carbanak
Associated Group Descriptions |
|
Name | Description |
---|---|
Anunak | (Citation: Fox-It Anunak Feb 2015) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges.(Citation: Kaspersky Carbanak) |
Enterprise | T1562 | .004 | Impair Defenses: Disable or Modify System Firewall |
Carbanak may use netsh to add local firewall rule exceptions.(Citation: Group-IB Anunak) |
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
Carbanak has copied legitimate service names to use for malicious services.(Citation: Kaspersky Carbanak) |
.005 | Masquerading: Match Legitimate Name or Location |
Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program.(Citation: Kaspersky Carbanak) |
||
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
Carbanak has obtained and used open-source tools such as PsExec and Mimikatz.(Citation: Kaspersky Carbanak) |
Enterprise | T1218 | .011 | System Binary Proxy Execution: Rundll32 |
Carbanak installs VNC server software that executes through rundll32.(Citation: Kaspersky Carbanak) |
Enterprise | T1102 | .002 | Web Service: Bidirectional Communication |
Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2.(Citation: Forcepoint Carbanak Google C2) |
References
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- Group-IB and Fox-IT. (2014, December). Anunak: APT against financial institutions. Retrieved April 20, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
- Griffin, N. (2017, January 17). CARBANAK GROUP USES GOOGLE FOR MALWARE COMMAND-AND-CONTROL. Retrieved February 15, 2017.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018.
- CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.
- Secureworks. (n.d.). GOLD KINGSWOOD. Retrieved October 18, 2021.
- Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.