Carbanak (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.carbanak (Back to overview)

Carbanak

aka: Anunak, Sekur RAT

Actor(s): FIN7

VTCollection

MyCERT states that Carbanak is a remote backdoor designed for espionage, data exfiltration, and to remote control.

The attacker deploy malware via spear phishing email to lure the user to open and run the malicious attachment that will infect the machine. The main objective of this campaign is primarily to remotely control the infected machine and gain control of the internal destinations of money processing services such as Automated Teller Machines(ATM) and financial accounts. The following information are the malware capabilities:

References

2024-11-18 ⋅ Kroll ⋅ Dave Truman, George Glass
CARBANAK (aka ANUNAK) Distributed via IDATLOADER (aka HIJACKLOADER)
Carbanak HijackLoader

2024-07-02 ⋅ Sekoia ⋅ Quentin Bourgue
Exposing FakeBat loader: distribution methods and adversary infrastructure
BlackCat Royal Ransom EugenLoader Carbanak Cobalt Strike DICELOADER Gozi IcedID Lumma Stealer NetSupportManager RAT Pikabot RedLine Stealer SectopRAT Sliver SmokeLoader Vidar

2023-12-13 ⋅ cocomelonc ⋅ cocomelonc
Malware in the wild book
AsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer

2022-12-22 ⋅ PRODAFT ⋅ PRODAFT
Fin7 Unveiled: A deep dive into notorious cybercrime gang
Carbanak

2022-07-30 ⋅ cocomelonc
Malware AV evasion - part 8. Encode payload via Z85
Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector

2022-07-18 ⋅ Palo Alto Networks Unit 42 ⋅ Unit 42
Mule Libra
Carbanak Cobalt

2022-05-09 ⋅ cocomelonc ⋅ cocomelonc
Malware development: persistence - part 4. Windows services. Simple C++ example.
Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu

2022-04-27 ⋅ ⋅ ANSSI ⋅ ANSSI
LE GROUPE CYBERCRIMINEL FIN7
Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot

2022-04-22 ⋅ Mandiant ⋅ Mandiant
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
POWERTRASH Carbanak DICELOADER STONEBOAT

2022-04-04 ⋅ Mandiant ⋅ Brendan McKeague, Bryce Abdo, Ioana Teaca, Zander Work
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite

2021-09-06 ⋅ cocomelonc ⋅ cocomelonc
AV engines evasion for C++ simple malware: part 2
Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze

2021-08-30 ⋅ CrowdStrike ⋅ Eric Loui, Josh Reynolds
CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil

2021-06-02 ⋅ The Record ⋅ Catalin Cimpanu
Two Carbanak hackers sentenced to eight years in prison in Kazakhstan
Carbanak

2021-02-26 ⋅ CrowdStrike ⋅ Eric Loui, Sergei Frankoff
Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil

2020-12-22 ⋅ TRUESEC ⋅ Mattias Wåhlén
Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk

2020-09-01 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks
Bella Carbanak FIN7

2020-07-31 ⋅ PRODAFT Threat Intelligence ⋅ PRODAFT
OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion
Carbanak REvil FIN7

2020-03-23 ⋅ Kaspersky Labs ⋅ Félix Aime, Yury Namestnikov
Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest
Carbanak

2020-02-13 ⋅ Qianxin ⋅ Qi Anxin Threat Intelligence Center
APT Report 2019
Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7

2019-04-24 ⋅ FireEye ⋅ James T. Bennett, Michael Bailey
CARBANAK Week Part Three: Behind the CARBANAK Backdoor
Carbanak

2019-04-22 ⋅ FireEye ⋅ James T. Bennett, Michael Bailey
CARBANAK Week Part One: A Rare Occurrence
Carbanak

2018-10-01 ⋅ FireEye ⋅ Katie Nickels, Regina Elwell
ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot

2017-06-12 ⋅ FireEye ⋅ Barry Vengerik, James T. Bennett
Behind the CARBANAK Backdoor
Carbanak DRIFTPIN

2015-02-01 ⋅ Kaspersky SAS ⋅ GReAT
Carbanak APT: The Great Bank Robbery
Carbanak FIN7

Yara Rules

[TLP:WHITE] win_carbanak_auto (20241030 | Detects win.carbanak.)

rule win_carbanak_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.carbanak."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e9???????? 3d2c5c0700 750a e8???????? e9???????? }
            // n = 5, score = 500
            //   e9????????           |                     
            //   3d2c5c0700           | cmp                 eax, 0x75c2c
            //   750a                 | jne                 0xc
            //   e8????????           |                     
            //   e9????????           |                     

        $sequence_1 = { 85c0 7509 e8???????? b001 }
            // n = 4, score = 500
            //   85c0                 | test                eax, eax
            //   7509                 | jne                 0xb
            //   e8????????           |                     
            //   b001                 | mov                 al, 1

        $sequence_2 = { 7c0d e8???????? 84c0 7504 33c0 }
            // n = 5, score = 500
            //   7c0d                 | jl                  0xf
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   7504                 | jne                 6
            //   33c0                 | xor                 eax, eax

        $sequence_3 = { 7907 32c0 e9???????? 7507 b001 }
            // n = 5, score = 500
            //   7907                 | jns                 9
            //   32c0                 | xor                 al, al
            //   e9????????           |                     
            //   7507                 | jne                 9
            //   b001                 | mov                 al, 1

        $sequence_4 = { ba31af8402 8d6b09 8bcd e8???????? 33d2 33c9 }
            // n = 6, score = 300
            //   ba31af8402           | mov                 edx, 0x284af31
            //   8d6b09               | lea                 ebp, [ebx + 9]
            //   8bcd                 | mov                 ecx, ebp
            //   e8????????           |                     
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx

        $sequence_5 = { 450f44fc e8???????? 488b8d20010000 ffd0 488d4c2460 }
            // n = 5, score = 300
            //   450f44fc             | dec                 ecx
            //   e8????????           |                     
            //   488b8d20010000       | mov                 esi, eax
            //   ffd0                 | inc                 ecx
            //   488d4c2460           | or                  ecx, 0xffffffff

        $sequence_6 = { 4183c9ff 4d8bc7 488bc8 458d7921 418bd7 e8???????? }
            // n = 6, score = 300
            //   4183c9ff             | mov                 ebp, esp
            //   4d8bc7               | dec                 eax
            //   488bc8               | sub                 esp, 0x40
            //   458d7921             | inc                 ecx
            //   418bd7               | mov                 edi, ecx
            //   e8????????           |                     

        $sequence_7 = { 8b8614020000 8b4d10 83c40c 40 69c084000000 890c30 }
            // n = 6, score = 200
            //   8b8614020000         | add                 eax, 0x27
            //   8b4d10               | sub                 edx, ecx
            //   83c40c               | sub                 ecx, 0x1021
            //   40                   | mov                 eax, ecx
            //   69c084000000         | sar                 eax, 0xe
            //   890c30               | ret                 

        $sequence_8 = { e8???????? 8b00 8b7004 eb0b c6043e00 46 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8b00                 | je                  0xa
            //   8b7004               | test                eax, eax
            //   eb0b                 | jg                  7
            //   c6043e00             | add                 eax, 0x61
            //   46                   | jmp                 5

        $sequence_9 = { 8d8d2cfeffff e8???????? ff35???????? 8d45fc 50 e8???????? }
            // n = 6, score = 200
            //   8d8d2cfeffff         | lea                 eax, [ecx + 0x20]
            //   e8????????           |                     
            //   ff35????????         |                     
            //   8d45fc               | cmp                 al, 0x1f
            //   50                   | ja                  0xc
            //   e8????????           |                     

        $sequence_10 = { 56 8b7510 8bc6 83e001 83e602 57 }
            // n = 6, score = 200
            //   56                   | jne                 7
            //   8b7510               | mov                 eax, dword ptr [esi + 8]
            //   8bc6                 | jmp                 4
            //   83e001               | mov                 eax, ebx
            //   83e602               | call                eax
            //   57                   | cmp                 eax, 0xb7

    condition:
        7 of them and filesize < 658432
}

Download all Yara Rules

Carbanak Propose Change

References

Yara Rules

Carbanak