Carberp
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Carberp has connected to C2 servers via HTTP.(Citation: Trusteer Carberp October 2010) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
Carberp has maintained persistence by placing itself inside the current user's startup folder.(Citation: Prevx Carberp March 2011) |
| Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.(Citation: Prevx Carberp March 2011) |
| Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
Carberp has created a hidden file in the Startup folder of the current user.(Citation: Trusteer Carberp October 2010) |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.(Citation: Prevx Carberp March 2011) |
| Enterprise | T1056 | .004 | Input Capture: Credential API Hooking |
Carberp has hooked several Windows API functions to steal credentials.(Citation: Prevx Carberp March 2011) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".(Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010) |
| Enterprise | T1542 | .003 | Pre-OS Boot: Bootkit |
Carberp has installed a bootkit on the system to maintain persistence.(Citation: ESET Carberp March 2012) |
| Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
Carberp's bootkit can inject a malicious DLL into the address space of running processes.(Citation: ESET Carberp March 2012) |
| .004 | Process Injection: Asynchronous Procedure Call |
Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread.(Citation: Prevx Carberp March 2011) |
||
| Enterprise | T1021 | .005 | Remote Services: VNC |
Carberp can start a remote VNC session by downloading a new plugin.(Citation: Prevx Carberp March 2011) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products.(Citation: Prevx Carberp March 2011) |
References
- Trend Micro. (2014, February 27). CARBERP. Retrieved July 29, 2020.
- Kaspersky Lab's Global Research & Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 27, 2017.
- RSA. (2017, November 21). THE CARBANAK/FIN7 SYNDICATE A HISTORICAL OVERVIEW OF AN EVOLVING THREAT. Retrieved July 29, 2020.
- Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp When You’re in a Black Hole, Stop Digging. Retrieved July 15, 2020.
- Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
- Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.