
Carberp

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.(Citation: Trend Micro Carberp February 2014)(Citation: KasperskyCarbanak)(Citation: RSA Carbanak November 2017)
ID: S0484
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 15 Jul 2020
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Carberp has connected to C2 servers via HTTP.(Citation: Trusteer Carberp October 2010)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Carberp has maintained persistence by placing itself inside the current user's startup folder.(Citation: Prevx Carberp March 2011)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.(Citation: Prevx Carberp March 2011)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Carberp has created a hidden file in the Startup folder of the current user.(Citation: Trusteer Carberp October 2010)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.(Citation: Prevx Carberp March 2011)

Enterprise T1056 .004 Input Capture: Credential API Hooking

Carberp has hooked several Windows API functions to steal credentials.(Citation: Prevx Carberp March 2011)

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010)
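The two persistence and masquerading behaviours above (a file dropped in the user's Startup folder, and binaries named like Windows system files but living elsewhere) are cheap to hunt for in process and file-creation telemetry. The detector below is an added example written for this page; it is not Carberp code and not part of ATT&CK. It reads records shaped like Sysmon Event ID 1 (ProcessCreate) and Event ID 11 (FileCreate), using their real field names (`Image`, `TargetFilename`), but the events themselves are constructed here and the list of system binary names and trusted directories is a minimal starting set you would replace from a gold image.

```python
"""Hunt for Carberp-style masquerading (T1036.005) and Startup-folder
persistence (T1547.001 / T1564.001) over Sysmon-shaped events.

Added example, not Carberp's code. Event records are constructed below to
mimic Sysmon Event ID 1 and Event ID 11 fields; they are not real telemetry.
"""
import ntpath

# Real Windows binary names an implant might reuse. chkntfs.exe genuinely
# ships in System32, which is exactly what makes the name attractive.
# Minimal set for illustration; derive the full list from a gold image.
SYSTEM_BINARIES = {
    "chkntfs.exe", "svchost.exe", "explorer.exe", "lsass.exe",
    "csrss.exe", "winlogon.exe", "services.exe", "rundll32.exe",
}

# Exact directories (lower-case, normalised) where those names are expected.
TRUSTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows",            # explorer.exe lives directly here
}

# Per-user Startup folder, as a path fragment that survives profile names.
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup\ "[:-1]


def _norm(path: str) -> str:
    """Lower-case and normalise separators so directory comparisons are exact."""
    return ntpath.normpath(path).lower()


def masquerade_alert(event: dict):
    """Alert when a ProcessCreate image has a system binary's name but does
    not run from one of the trusted directories."""
    image = _norm(event["Image"])
    name = ntpath.basename(image)
    if name not in SYSTEM_BINARIES:
        return None
    if ntpath.dirname(image) in TRUSTED_DIRS:
        return None
    return f"T1036.005 masquerade: {name} running from {ntpath.dirname(image)}"


def startup_alert(event: dict):
    """Alert on any FileCreate landing in a user's Startup folder. Sysmon does
    not record the hidden attribute, so every new file there is worth a look."""
    target = _norm(event["TargetFilename"])
    if STARTUP_MARKER not in target:
        return None
    return f"T1547.001 startup folder write: {target} by {_norm(event['Image'])}"


def hunt(events):
    """Run both detections in event order and return the alert strings."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 1:
            alert = masquerade_alert(ev)
        elif ev["EventID"] == 11:
            alert = startup_alert(ev)
        else:
            alert = None
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry): a benign chkntfs run, a
# copy of the same name in a user profile, an invented "system-looking" name
# that no allowlist knows, its drop into the Startup folder, and a benign
# document write that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\chkntfs.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\chkntfs.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\syscron.exe"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Roaming\syscron.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\syscron.exe"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Note what the name check misses: `syscron.exe` is not a real Windows binary, so matching against a list of system names says nothing about it. The Startup-folder write is what surfaces that sample, which is why the two detections belong together rather than either alone.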

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Carberp has used XOR-based encryption to mask C2 server locations within the trojan.(Citation: Prevx Carberp March 2011)
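When C2 locations are XOR-masked inside a binary, an analyst does not need the key: try every single-byte key against a known fragment of the plaintext (here `http`) and decode the NUL-terminated string at each hit. The code below is an added example for this page, not Carberp's own routine or anything recovered from its leaked source; it assumes a single-byte repeating key (the page says only "XOR-based"), and the `SAMPLE_IMAGE` buffer is constructed here, not taken from a real sample. It goes slightly beyond the page by scanning an arbitrary byte buffer rather than a known config region.

```python
"""Recover XOR-masked C2 URLs from a binary blob (T1027.013).

Added example, not Carberp code. Assumes a single-byte XOR key applied to
NUL-terminated strings; the sample buffer is constructed below.
"""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so this both
    masks and unmasks."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_search(buffer: bytes, needle: bytes = b"http"):
    """Classic xorsearch: for every single-byte key, look for the needle in
    its masked form. Returns [(key, offset), ...] sorted by offset. Key 0 is
    skipped because it would only find cleartext copies of the needle."""
    hits = []
    for k in range(1, 256):
        masked = xor_bytes(needle, bytes([k]))
        start = 0
        while (pos := buffer.find(masked, start)) != -1:
            hits.append((k, pos))
            start = pos + 1
    return sorted(hits, key=lambda h: h[1])


def decode_string_at(buffer: bytes, offset: int, key: int) -> str:
    """Unmask a NUL-terminated string that starts at offset under key."""
    out = bytearray()
    for b in buffer[offset:]:
        c = b ^ key
        if c == 0:
            break
        out.append(c)
    return out.decode("ascii", "replace")


def recover_c2(buffer: bytes):
    """Return [(offset, key, url), ...] for every XOR-masked URL in buffer."""
    return [(off, k, decode_string_at(buffer, off, k))
            for k, off in xor_search(buffer, b"http")]


# Constructed test image (not a real sample): a fake header, filler with no
# repeated adjacent bytes (so the masked needle cannot match by accident),
# then two NUL-separated C2 URLs masked with key 0x5A, then more filler.
SECRET_KEY = bytes([0x5A])
CONFIG_PLAIN = (b"http://c2.example.test/gate.php\x00"
                b"https://backup.example.test/\x00")
SAMPLE_IMAGE = (b"MZ\x90\x00" + bytes(range(1, 65))
                + xor_bytes(CONFIG_PLAIN, SECRET_KEY)
                + bytes(range(200, 256)))

if __name__ == "__main__":
    for offset, key, url in recover_c2(SAMPLE_IMAGE):
        print(f"offset={offset} key=0x{key:02x} {url}")
```

The needle approach scales to multi-byte keys only if the key length is known or small enough to brute force; for those cases start from the repeating-key analysis (key-length guessing by coincidence counts) rather than the 255-key loop here.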

Enterprise T1542 .003 Pre-OS Boot: Bootkit

Carberp has installed a bootkit on the system to maintain persistence.(Citation: ESET Carberp March 2012)

Enterprise T1055 .001 Process Injection: Dynamic-link Library Injection

Carberp's bootkit can inject a malicious DLL into the address space of running processes.(Citation: ESET Carberp March 2012)

Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread.(Citation: Prevx Carberp March 2011)

Enterprise T1021 .005 Remote Services: VNC

Carberp can start a remote VNC session by downloading a new plugin.(Citation: Prevx Carberp March 2011)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products.(Citation: Prevx Carberp March 2011)
