SYMBOLCOMMON_NAMEaka. SYNONYMS
win.carbanak (Back to overview)

Carbanak

aka: Anunak, Sekur RAT

Actor(s): FIN7


MyCERT states that Carbanak is a remote backdoor designed for espionage, data exfiltration, and to remote control.

The attacker deploy malware via spear phishing email to lure the user to open and run the malicious attachment that will infect the machine. The main objective of this campaign is primarily to remotely control the infected machine and gain control of the internal destinations of money processing services such as Automated Teller Machines(ATM) and financial accounts. The following information are the malware capabilities:

References
2022-12-22PRODAFTPRODAFT
@techreport{prodaft:20221222:fin7:d005722, author = {PRODAFT}, title = {{Fin7 Unveiled: A deep dive into notorious cybercrime gang}}, date = {2022-12-22}, institution = {PRODAFT}, url = {https://www.prodaft.com/m/reports/FIN7_TLPCLEAR.pdf}, language = {English}, urldate = {2023-01-05} } Fin7 Unveiled: A deep dive into notorious cybercrime gang
Carbanak
2022-07-30cocomelonc
@online{cocomelonc:20220730:malware:0f84be1, author = {cocomelonc}, title = {{Malware AV evasion - part 8. Encode payload via Z85}}, date = {2022-07-30}, url = {https://cocomelonc.github.io/malware/2022/07/30/malware-av-evasion-8.html}, language = {English}, urldate = {2022-12-01} } Malware AV evasion - part 8. Encode payload via Z85
Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:mule:e63194d, author = {Unit 42}, title = {{Mule Libra}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/mulelibra/}, language = {English}, urldate = {2022-07-29} } Mule Libra
Carbanak Cobalt
2022-05-09cocomelonccocomelonc
@online{cocomelonc:20220509:malware:1cdee23, author = {cocomelonc}, title = {{Malware development: persistence - part 4. Windows services. Simple C++ example.}}, date = {2022-05-09}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/09/malware-pers-4.html}, language = {English}, urldate = {2022-12-01} } Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu
2022-04-27ANSSIANSSI
@techreport{anssi:20220427:le:5d47343, author = {ANSSI}, title = {{LE GROUPE CYBERCRIMINEL FIN7}}, date = {2022-04-27}, institution = {ANSSI}, url = {https://cert.ssi.gouv.fr/uploads/20220427_NP_TLPWHITE_ANSSI_FIN7.pdf}, language = {French}, urldate = {2022-05-05} } LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot
2022-04-04MandiantBryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague
@online{abdo:20220404:fin7:305d62b, author = {Bryce Abdo and Zander Work and Ioana Teaca and Brendan McKeague}, title = {{FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7}}, date = {2022-04-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/evolution-of-fin7}, language = {English}, urldate = {2022-06-27} } FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite
2021-09-06cocomelonccocomelonc
@online{cocomelonc:20210906:av:215e5aa, author = {cocomelonc}, title = {{AV engines evasion for C++ simple malware: part 2}}, date = {2021-09-06}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2021/09/06/simple-malware-av-evasion-2.html}, language = {English}, urldate = {2022-11-28} } AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze Unidentified 090 (Lazarus)
2021-08-30CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20210830:carbon:66be3f3, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 1}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/}, language = {English}, urldate = {2021-08-31} } CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil
2021-06-02The RecordCatalin Cimpanu
@online{cimpanu:20210602:two:5237d2e, author = {Catalin Cimpanu}, title = {{Two Carbanak hackers sentenced to eight years in prison in Kazakhstan}}, date = {2021-06-02}, organization = {The Record}, url = {https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/}, language = {English}, urldate = {2021-06-16} } Two Carbanak hackers sentenced to eight years in prison in Kazakhstan
Carbanak
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2020-12-22TRUESECMattias Wåhlén
@online{whln:20201222:collaboration:5d2ad28, author = {Mattias Wåhlén}, title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}}, date = {2020-12-22}, organization = {TRUESEC}, url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/}, language = {English}, urldate = {2021-01-01} } Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk
2020-09-01PRODAFT Threat IntelligencePRODAFT
@online{prodaft:20200901:opblueraven:ca6fb44, author = {PRODAFT}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks}}, date = {2020-09-01}, organization = {PRODAFT Threat Intelligence}, url = {https://threatintel.blog/OPBlueRaven-Part2/}, language = {English}, urldate = {2022-03-23} } OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks
Bella Carbanak FIN7
2020-07-31PRODAFT Threat IntelligencePRODAFT
@online{prodaft:20200731:opblueraven:9e58e0c, author = {PRODAFT}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion}}, date = {2020-07-31}, organization = {PRODAFT Threat Intelligence}, url = {https://threatintel.blog/OPBlueRaven-Part1/}, language = {English}, urldate = {2022-03-23} } OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion
Carbanak REvil FIN7
2020-03-23Kaspersky LabsFélix Aime, Yury Namestnikov
@online{aime:20200323:fin7:66bea6f, author = {Félix Aime and Yury Namestnikov}, title = {{Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest}}, date = {2020-03-23}, organization = {Kaspersky Labs}, url = {https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest}, language = {English}, urldate = {2020-04-07} } Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest
Carbanak
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7
2019-04-24FireEyeJames T. Bennett, Michael Bailey
@online{bennett:20190424:carbanak:2376f75, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Three: Behind the CARBANAK Backdoor}}, date = {2019-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html}, language = {English}, urldate = {2019-12-20} } CARBANAK Week Part Three: Behind the CARBANAK Backdoor
Carbanak
2019-04-22FireEyeMichael Bailey, James T. Bennett
@online{bailey:20190422:carbanak:c94c9f1, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part One: A Rare Occurrence}}, date = {2019-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html}, language = {English}, urldate = {2019-12-20} } CARBANAK Week Part One: A Rare Occurrence
Carbanak
2018-10-01FireEyeRegina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
2017-06-12FireEyeBarry Vengerik, James T. Bennett
@online{vengerik:20170612:behind:14b4edc, author = {Barry Vengerik and James T. Bennett}, title = {{Behind the CARBANAK Backdoor}}, date = {2017-06-12}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html}, language = {English}, urldate = {2019-12-20} } Behind the CARBANAK Backdoor
Carbanak DRIFTPIN
2015-02Kaspersky SASGReAT
@online{great:201502:carbanak:1b262fc, author = {GReAT}, title = {{Carbanak APT: The Great Bank Robbery}}, date = {2015-02}, organization = {Kaspersky SAS}, url = {https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe}, language = {English}, urldate = {2020-05-18} } Carbanak APT: The Great Bank Robbery
Carbanak FIN7
Yara Rules
[TLP:WHITE] win_carbanak_auto (20230125 | Detects win.carbanak.)
rule win_carbanak_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.carbanak."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 68???????? 68???????? 6863c4f404 6a02 e8???????? 59 59 }
            // n = 7, score = 200
            //   68????????           |                     
            //   68????????           |                     
            //   6863c4f404           | push                0x4f4c463
            //   6a02                 | push                2
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx

        $sequence_1 = { 85c0 7906 8b4604 8945f8 50 ff75f4 ff36 }
            // n = 7, score = 200
            //   85c0                 | test                eax, eax
            //   7906                 | jns                 8
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   50                   | push                eax
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff36                 | push                dword ptr [esi]

        $sequence_2 = { 59 59 50 68f1f0ad0a 56 e8???????? 59 }
            // n = 7, score = 200
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   50                   | push                eax
            //   68f1f0ad0a           | push                0xaadf0f1
            //   56                   | push                esi
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_3 = { 03c1 50 51 e8???????? 83c40c 897704 5e }
            // n = 7, score = 200
            //   03c1                 | add                 eax, ecx
            //   50                   | push                eax
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   897704               | mov                 dword ptr [edi + 4], esi
            //   5e                   | pop                 esi

        $sequence_4 = { 8987d0000000 33db 43 8b45f8 40 8945f8 3b45dc }
            // n = 7, score = 200
            //   8987d0000000         | mov                 dword ptr [edi + 0xd0], eax
            //   33db                 | xor                 ebx, ebx
            //   43                   | inc                 ebx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   40                   | inc                 eax
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   3b45dc               | cmp                 eax, dword ptr [ebp - 0x24]

        $sequence_5 = { ff7508 8ad8 e8???????? 83c418 84db 5b }
            // n = 6, score = 200
            //   ff7508               | push                dword ptr [ebp + 8]
            //   8ad8                 | mov                 bl, al
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   84db                 | test                bl, bl
            //   5b                   | pop                 ebx

        $sequence_6 = { 681189d60a 53 e8???????? 59 59 ffd0 8906 }
            // n = 7, score = 200
            //   681189d60a           | push                0xad68911
            //   53                   | push                ebx
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   ffd0                 | call                eax
            //   8906                 | mov                 dword ptr [esi], eax

        $sequence_7 = { 807c08ff00 7408 49 807c08ff00 75f8 2bf1 }
            // n = 6, score = 200
            //   807c08ff00           | cmp                 byte ptr [eax + ecx - 1], 0
            //   7408                 | je                  0xa
            //   49                   | dec                 ecx
            //   807c08ff00           | cmp                 byte ptr [eax + ecx - 1], 0
            //   75f8                 | jne                 0xfffffffa
            //   2bf1                 | sub                 esi, ecx

        $sequence_8 = { 58 51 668945e0 ff15???????? 8365e400 668945e2 8d45f8 }
            // n = 7, score = 200
            //   58                   | pop                 eax
            //   51                   | push                ecx
            //   668945e0             | mov                 word ptr [ebp - 0x20], ax
            //   ff15????????         |                     
            //   8365e400             | and                 dword ptr [ebp - 0x1c], 0
            //   668945e2             | mov                 word ptr [ebp - 0x1e], ax
            //   8d45f8               | lea                 eax, [ebp - 8]

        $sequence_9 = { 8b06 c6040100 8bc6 5e 5d c20400 55 }
            // n = 7, score = 200
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   c6040100             | mov                 byte ptr [ecx + eax], 0
            //   8bc6                 | mov                 eax, esi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   55                   | push                ebp

    condition:
        7 of them and filesize < 425984
}
Download all Yara Rules