ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > Carbanak, Anunak

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Carbanak, Anunak

NamesCarbanak (Kaspersky)
Anunak (Group-IB)
Carbon Spider (CrowdStrike)
CountryUkraine Ukraine
MotivationFinancial crime, Financial gain
First seen2013
DescriptionCarbanak is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.

(Kaspersky) From late 2013 onwards, several banks and financial institutions have been attacked by an unknown group of cybercriminals. In all these attacks, a similar modus operandi was used. According to victims and the law enforcement agencies (LEAs) involved in the investigation, this could result in cumulative losses of up to 1 billion USD. The attacks are still active. This report provides a technical analysis of these attacks. The motivation for the attackers, who are making use of techniques commonly seen in Advanced Persistent Threats (APTs), appears to be financial gain as opposed to espionage. An analysis of the campaign has revealed that the initial infections were achieved using spear phishing emails that appeared to be legitimate banking communications, with Microsoft Word 97 – 2003 (.doc) and Control Panel Applet (.CPL) files attached. We believe that the attackers also redirected to exploit kits website traffic that related to financial activity.
ObservedSectors: Financial, Hospitality.
Countries: Australia, Austria, Brazil, Bulgaria, Canada, China, Czech, France, Germany, Hong Kong, Iceland, India, Luxembourg, Morocco, Nepal, Norway, Pakistan, Poland, Russia, Spain, Sweden, Switzerland, Taiwan, UK, Ukraine, USA, Uzbekistan.
Tools usedAntak, Ave Maria, BABYMETAL, Backdoor Batel, Bateleur, BELLHOP, Boostwrite, Cain & Abel, Carbanak, Cobalt Strike, DarkSide, DNSMessenger, DNSRat, DRIFTPIN, FlawedAmmyy, Griffon, HALFBAKED, Harpy, JS Flash, KLRD, Mimikatz, MBR Eraser, Odinaff, POWERPIPE, POWERSOURCE, PsExec, SocksBot, SoftPerfect Network Scanner, SQLRAT, TeamViewer, TinyMet.
Operations performedAug 2020DarkSide: New targeted ransomware demands million dollar ransoms
<https://www.bleepingcomputer.com/news/security/darkside-new-targeted-ransomware-demands-million-dollar-ransoms/>
Aug 2020DarkSide Ransomware hits North American real estate developer
<https://www.bleepingcomputer.com/news/security/darkside-ransomware-hits-north-american-real-estate-developer/>
Oct 2020Ransomware gang donates part of ransom demands to charity organizations
<https://www.zdnet.com/article/ransomware-gang-donates-part-of-ransom-demands-to-charity-organizations/>
Nov 2020Darkside Ransomware Gang Launches Affiliate Program
<https://www.bankinfosecurity.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968>
Nov 2020DarkSide Ransomware Group Makes New Storage System
<https://www.binarydefense.com/threat_watch/darkside-ransomware-group-makes-new-storage-system/>
Feb 2021Leading Canadian rental car company hit by DarkSide ransomware
<https://www.bleepingcomputer.com/news/security/leading-canadian-rental-car-company-hit-by-darkside-ransomware/>
Feb 2021Eletrobras, Copel energy companies hit by ransomware attacks
<https://www.bleepingcomputer.com/news/security/eletrobras-copel-energy-companies-hit-by-ransomware-attacks/>
Feb 2021Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
<https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/>
Mar 2021Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds
<https://www.infosecurity-magazine.com/news/darkside-20-ransomware-fastest/>
Mar 2021CompuCom MSP hit by DarkSide ransomware cyberattack
<https://www.bleepingcomputer.com/news/security/compucom-msp-hit-by-darkside-ransomware-cyberattack/>
Apr 2021Canadian retailer Home Hardware hit by ransomware
<https://financialpost.com/technology/tech-news/canadian-retailer-home-hardware-hit-by-ransomware>
Apr 2021Ransomware gang wants to short the stock price of their victims
<https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/>
Counter operationsMar 2018Mastermind behind EUR 1 billion cyber bank robbery arrested in Spain
<https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain>
Aug 2018Three Carbanak cyber heist gang members arrested
<https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested>
Jan 2021Darkside Ransomware Decryption Tool
<https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/>
Information<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf>
<https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf>
<https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf>
<https://www.databreaches.net/a-chat-with-darkside/>
MITRE ATT&CK<https://attack.mitre.org/groups/G0008/>

Last change to this card: 23 April 2021

Download this actor card in PDF or JSON format

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key