win.carbanak

Carbanak

aka: Anunak, Sekur RAT

Actor(s): FIN7


MyCERT states that Carbanak is a remote backdoor designed for espionage, data exfiltration, and remote control.

The attackers deploy the malware via spear-phishing emails that lure the user into opening and running the malicious attachment, which infects the machine. The main objective of this campaign is to remotely control the infected machine and gain control of the internal destinations of money-processing services such as Automated Teller Machines (ATMs) and financial accounts. The following are the malware's capabilities:

References

Each entry lists the publication date, source organisation and author(s), followed by the title and the families or actors the reference covers.

2023-12-13 | cocomelonc | cocomelonc
    Malware in the wild book
    Covers: AsyncRAT Babuk BlackCat BlackLotus Carbanak HelloKitty Paradise Stealc WinDealer

2022-12-22 | PRODAFT | PRODAFT
    Fin7 Unveiled: A deep dive into notorious cybercrime gang
    Covers: Carbanak

2022-07-30 | cocomelonc
    Malware AV evasion - part 8. Encode payload via Z85
    Covers: Agent Tesla Carbanak Carberp Cardinal RAT Cobalt Strike donut_injector

2022-07-18 | Palo Alto Networks Unit 42 | Unit 42
    Mule Libra
    Covers: Carbanak Cobalt

2022-05-09 | cocomelonc | cocomelonc
    Malware development: persistence - part 4. Windows services. Simple C++ example.
    Covers: Anchor AppleJeus Attor BBSRAT BlackEnergy Carbanak Cobalt Strike DuQu

2022-04-27 | ANSSI | ANSSI
    LE GROUPE CYBERCRIMINEL FIN7 (The cybercriminal group FIN7)
    Covers: Bateleur BELLHOP Griffon SQLRat POWERSOURCE Andromeda BABYMETAL BlackCat BlackMatter BOOSTWRITE Carbanak Cobalt Strike DNSMessenger Dridex DRIFTPIN Gameover P2P MimiKatz Murofet Qadars Ranbyus SocksBot

2022-04-22 | Mandiant | Mandiant
    FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
    Covers: POWERTRASH Carbanak DICELOADER STONEBOAT

2022-04-04 | Mandiant | Brendan McKeague, Bryce Abdo, Ioana Teaca, Zander Work
    FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
    Covers: Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite

2021-09-06 | cocomelonc | cocomelonc
    AV engines evasion for C++ simple malware: part 2
    Covers: Agent Tesla Amadey Anchor AnchorMTea Carbanak Carberp Cardinal RAT Felixroot Konni Loki Password Stealer (PWS) Maze

2021-08-30 | CrowdStrike | Eric Loui, Josh Reynolds
    CARBON SPIDER Embraces Big Game Hunting, Part 1
    Covers: Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil

2021-06-02 | The Record | Catalin Cimpanu
    Two Carbanak hackers sentenced to eight years in prison in Kazakhstan
    Covers: Carbanak

2021-02-26 | CrowdStrike | Eric Loui, Sergei Frankoff
    Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
    Covers: DarkSide RansomEXX Griffon Carbanak Cobalt Strike IcedID MimiKatz PyXie REvil

2020-12-22 | TRUESEC | Mattias Wåhlén
    Collaboration between FIN7 and the RYUK group, a Truesec Investigation
    Covers: Carbanak Cobalt Strike Ryuk

2020-09-01 | PRODAFT Threat Intelligence | PRODAFT
    OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks
    Covers: Bella Carbanak FIN7

2020-07-31 | PRODAFT Threat Intelligence | PRODAFT
    OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion
    Covers: Carbanak REvil FIN7

2020-03-23 | Kaspersky Labs | Félix Aime, Yury Namestnikov
    Fin7 APT: how billion dollar crime ring remains active after leaders' arrest
    Covers: Carbanak

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center
    APT Report 2019
    Covers: Chrysaor Exodus Dacls VPNFilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut BOOSTWRITE Brambul Carbanak Cobalt Strike DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy

2020-01-01 | Secureworks | SecureWorks
    GOLD NIAGARA
    Covers: Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7

2019-04-24 | FireEye | James T. Bennett, Michael Bailey
    CARBANAK Week Part Three: Behind the CARBANAK Backdoor
    Covers: Carbanak

2019-04-22 | FireEye | James T. Bennett, Michael Bailey
    CARBANAK Week Part One: A Rare Occurrence
    Covers: Carbanak

2018-10-01 | FireEye | Katie Nickels, Regina Elwell
    ATT&CKing FIN7
    Covers: Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot

2017-06-12 | FireEye | Barry Vengerik, James T. Bennett
    Behind the CARBANAK Backdoor
    Covers: Carbanak DRIFTPIN

2015-02-01 | Kaspersky SAS | GReAT
    Carbanak APT: The Great Bank Robbery
    Covers: Carbanak FIN7
Yara Rules
[TLP:WHITE] win_carbanak_auto (20230808 | Detects win.carbanak.)
rule win_carbanak_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.carbanak."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 7f05 83c061 eb03 83c027 }
            // n = 4, score = 500
            // Disassembly below corrected to match the byte pattern (x86, 32-bit).
            //   7f05                 | jg                  $+0x7
            //   83c061               | add                 eax, 0x61
            //   eb03                 | jmp                 $+0x5
            //   83c027               | add                 eax, 0x27

        $sequence_1 = { 7907 32c0 e9???????? 7507 b001 }
            // n = 5, score = 500
            //   7907                 | jns                 $+0x9
            //   32c0                 | xor                 al, al
            //   e9????????           | jmp                 <wildcarded rel32>
            //   7507                 | jne                 $+0x9
            //   b001                 | mov                 al, 1

        $sequence_2 = { 32c0 e9???????? 7507 b001 }
            // n = 4, score = 500
            //   32c0                 | xor                 al, al
            //   e9????????           | jmp                 <wildcarded rel32>
            //   7507                 | jne                 $+0x9
            //   b001                 | mov                 al, 1

        $sequence_3 = { 2bd1 81e921100000 8bc1 c1f80e 0cc0 }
            // n = 5, score = 500
            //   2bd1                 | sub                 edx, ecx
            //   81e921100000         | sub                 ecx, 0x1021
            //   8bc1                 | mov                 eax, ecx
            //   c1f80e               | sar                 eax, 0xe
            //   0cc0                 | or                  al, 0xc0

        $sequence_4 = { 8b4608 eb02 8bc3 85c0 }
            // n = 4, score = 500
            //   8b4608               | mov                 eax, dword ptr [esi + 8]
            //   eb02                 | jmp                 $+0x4
            //   8bc3                 | mov                 eax, ebx
            //   85c0                 | test                eax, eax

        $sequence_5 = { c3 8d4120 3c1f 7705 0fb6c1 }
            // n = 5, score = 500
            //   c3                   | ret
            //   8d4120               | lea                 eax, [ecx + 0x20]
            //   3c1f                 | cmp                 al, 0x1f
            //   7705                 | ja                  $+0x7
            //   0fb6c1               | movzx               eax, cl

        $sequence_6 = { 7c0d e8???????? 84c0 7504 }
            // n = 4, score = 500
            //   7c0d                 | jl                  $+0xf
            //   e8????????           | call                <wildcarded rel32>
            //   84c0                 | test                al, al
            //   7504                 | jne                 $+0x6

        $sequence_7 = { 7c0d e8???????? 84c0 7504 33c0 }
            // n = 5, score = 500
            //   7c0d                 | jl                  $+0xf
            //   e8????????           | call                <wildcarded rel32>
            //   84c0                 | test                al, al
            //   7504                 | jne                 $+0x6
            //   33c0                 | xor                 eax, eax

        $sequence_8 = { e9???????? 3d2c5c0700 750a e8???????? }
            // n = 4, score = 500
            //   e9????????           | jmp                 <wildcarded rel32>
            //   3d2c5c0700           | cmp                 eax, 0x75c2c
            //   750a                 | jne                 $+0xc
            //   e8????????           | call                <wildcarded rel32>

        $sequence_9 = { 3d2c5c0700 750a e8???????? e9???????? }
            // n = 4, score = 500
            //   3d2c5c0700           | cmp                 eax, 0x75c2c
            //   750a                 | jne                 $+0xc
            //   e8????????           | call                <wildcarded rel32>
            //   e9????????           | jmp                 <wildcarded rel32>

    condition:
        7 of them and filesize < 658432
}