ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool Carbanak

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Carbanak

NamesCarbanak
Anunak
Sekur
CategoryMalware
TypeReconnaissance, Backdoor
Description(Kaspersky) Carbanak is a backdoor used by the attackers to compromise the victim's machine once the exploit, either in the spear phishing email or exploit kit, successfully executes its payload. This section provides a functional analysis of Carbanak’s capabilities.

Carbanak copies itself into “%system32%\com” with the name “svchost.exe” with the file attributes: system, hidden and read-only. The original file created by the exploit payload is then deleted.

To ensure that Carbanak has autorun privileges the malware creates a new service. The naming syntax is “Sys” where ServiceName is any existing service randomly chosen, with the first character deleted. For example, if the existing service ́s name is “aspnet” and the visible name is “Asp.net state service”, the service created by the malware would be “aspnetSys” with a visible name of “Sp.net state service”.

Before creating the malicious service, Carbanak determines if either the avp.exe or avpui.exe processes (components of Kaspersky Internet Security) is running. If found on the target system, Carbanak will try to exploit a known vulnerability in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8, and Windows Server 2012, CVE-2013-3660, for local privilege escalation. We believe this is not relevant and that the attackers adapt their tools to the victim ́s defenses.
Information<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf>
<https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html>
<https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html>
<https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf>
<https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf>
MITRE ATT&CK<https://attack.mitre.org/software/S0030/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak>

Last change to this tool card: 24 May 2020

Download this tool card in JSON format

All groups using tool Carbanak

ChangedNameCountryObserved

APT groups

 Carbanak, AnunakUkraine2013-Aug 2021 HOTX
 FIN7Russia2013-Jun 2021 HOTX

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key