SYMBOLCOMMON_NAMEaka. SYNONYMS
win.carbanak (Back to overview)

Carbanak

aka: Anunak

Actor(s): Anunak

There is no description at this point.

References
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-03-02} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
RansomEXX Griffon Carbanak Cobalt Strike IcedID MimiKatz PyXie RansomEXX REvil
2020-12-22TRUESECMattias Wåhlén
@online{whln:20201222:collaboration:5d2ad28, author = {Mattias Wåhlén}, title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}}, date = {2020-12-22}, organization = {TRUESEC}, url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/}, language = {English}, urldate = {2021-01-01} } Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk
2020-09-01threatintel.blogYusuf Arslan Polat
@online{polat:20200901:opblueraven:ca6fb44, author = {Yusuf Arslan Polat}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks}}, date = {2020-09-01}, organization = {threatintel.blog}, url = {https://threatintel.blog/OPBlueRaven-Part2/}, language = {English}, urldate = {2020-09-15} } OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks
Bella Carbanak Anunak
2020-07-31PRODAFT Threat IntelligenceYusuf Arslan Polat
@online{polat:20200731:opblueraven:9e58e0c, author = {Yusuf Arslan Polat}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion}}, date = {2020-07-31}, organization = {PRODAFT Threat Intelligence}, url = {https://threatintel.blog/OPBlueRaven-Part1/}, language = {English}, urldate = {2020-08-05} } OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion
Carbanak REvil Anunak
2020-03-23Kaspersky LabsFélix Aime, Yury Namestnikov
@online{aime:20200323:fin7:66bea6f, author = {Félix Aime and Yury Namestnikov}, title = {{Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest}}, date = {2020-03-23}, organization = {Kaspersky Labs}, url = {https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest}, language = {English}, urldate = {2020-04-07} } Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest
Carbanak
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet Anunak
2019-04-24FireEyeJames T. Bennett, Michael Bailey
@online{bennett:20190424:carbanak:2376f75, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Three: Behind the CARBANAK Backdoor}}, date = {2019-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html}, language = {English}, urldate = {2019-12-20} } CARBANAK Week Part Three: Behind the CARBANAK Backdoor
Carbanak
2019-04-22FireEyeMichael Bailey, James T. Bennett
@online{bailey:20190422:carbanak:c94c9f1, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part One: A Rare Occurrence}}, date = {2019-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html}, language = {English}, urldate = {2019-12-20} } CARBANAK Week Part One: A Rare Occurrence
Carbanak
2018-10-01FireEyeRegina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
2017-06-12FireEyeBarry Vengerik, James T. Bennett
@online{vengerik:20170612:behind:14b4edc, author = {Barry Vengerik and James T. Bennett}, title = {{Behind the CARBANAK Backdoor}}, date = {2017-06-12}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html}, language = {English}, urldate = {2019-12-20} } Behind the CARBANAK Backdoor
Carbanak DRIFTPIN
2015-02Kaspersky SASGReAT
@online{great:201502:carbanak:1b262fc, author = {GReAT}, title = {{Carbanak APT: The Great Bank Robbery}}, date = {2015-02}, organization = {Kaspersky SAS}, url = {https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe}, language = {English}, urldate = {2020-05-18} } Carbanak APT: The Great Bank Robbery
Carbanak Anunak
Yara Rules
[TLP:WHITE] win_carbanak_auto (20201023 | autogenerated rule brought to you by yara-signator)
rule win_carbanak_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-12-22"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak"
        malpedia_rule_date = "20201222"
        malpedia_hash = "30354d830a29f0fbd3714d93d94dea941d77a130"
        malpedia_version = "20201023"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8bec 8b4508 33c9 51 51 51 ff7004 }
            // n = 7, score = 200
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   33c9                 | xor                 ecx, ecx
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   51                   | push                ecx
            //   ff7004               | push                dword ptr [eax + 4]

        $sequence_1 = { ff35???????? 8d45d0 50 e8???????? 83c418 8d45b0 ff750c }
            // n = 7, score = 200
            //   ff35????????         |                     
            //   8d45d0               | lea                 eax, [ebp - 0x30]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c418               | add                 esp, 0x18
            //   8d45b0               | lea                 eax, [ebp - 0x50]
            //   ff750c               | push                dword ptr [ebp + 0xc]

        $sequence_2 = { 83c40c 85c0 0f843a010000 8d8560ffffff 8945f0 8b45c4 8945e8 }
            // n = 7, score = 200
            //   83c40c               | add                 esp, 0xc
            //   85c0                 | test                eax, eax
            //   0f843a010000         | je                  0x140
            //   8d8560ffffff         | lea                 eax, [ebp - 0xa0]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   8b45c4               | mov                 eax, dword ptr [ebp - 0x3c]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax

        $sequence_3 = { a1???????? 8b0d???????? 8b15???????? eb22 8b15???????? 8b0d???????? a1???????? }
            // n = 7, score = 200
            //   a1????????           |                     
            //   8b0d????????         |                     
            //   8b15????????         |                     
            //   eb22                 | jmp                 0x24
            //   8b15????????         |                     
            //   8b0d????????         |                     
            //   a1????????           |                     

        $sequence_4 = { e8???????? 59 59 8945f4 85c0 7508 83c8ff }
            // n = 7, score = 200
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   85c0                 | test                eax, eax
            //   7508                 | jne                 0xa
            //   83c8ff               | or                  eax, 0xffffffff

        $sequence_5 = { e8???????? 59 59 ffd0 8b45fc 5e }
            // n = 6, score = 200
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   ffd0                 | call                eax
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   5e                   | pop                 esi

        $sequence_6 = { bb???????? 85c0 7e22 ba???????? 3932 740d 41 }
            // n = 7, score = 200
            //   bb????????           |                     
            //   85c0                 | test                eax, eax
            //   7e22                 | jle                 0x24
            //   ba????????           |                     
            //   3932                 | cmp                 dword ptr [edx], esi
            //   740d                 | je                  0xf
            //   41                   | inc                 ecx

        $sequence_7 = { 8b5604 48 3bd0 7d14 8b0e 8a4508 88040a }
            // n = 7, score = 200
            //   8b5604               | mov                 edx, dword ptr [esi + 4]
            //   48                   | dec                 eax
            //   3bd0                 | cmp                 edx, eax
            //   7d14                 | jge                 0x16
            //   8b0e                 | mov                 ecx, dword ptr [esi]
            //   8a4508               | mov                 al, byte ptr [ebp + 8]
            //   88040a               | mov                 byte ptr [edx + ecx], al

        $sequence_8 = { 56 68???????? 50 be031d3c0b 56 57 e8???????? }
            // n = 7, score = 200
            //   56                   | push                esi
            //   68????????           |                     
            //   50                   | push                eax
            //   be031d3c0b           | mov                 esi, 0xb3c1d03
            //   56                   | push                esi
            //   57                   | push                edi
            //   e8????????           |                     

        $sequence_9 = { 8d45f0 50 e8???????? ff75f4 ff75f0 6a00 }
            // n = 6, score = 200
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   ff75f4               | push                dword ptr [ebp - 0xc]
            //   ff75f0               | push                dword ptr [ebp - 0x10]
            //   6a00                 | push                0

    condition:
        7 of them and filesize < 425984
}
Download all Yara Rules