SYMBOLCOMMON_NAMEaka. SYNONYMS
win.carbanak (Back to overview)

Carbanak

aka: Anunak

Actor(s): Anunak, FIN7

There is no description at this point.

References
2021-08-30CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20210830:carbon:66be3f3, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 1}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/}, language = {English}, urldate = {2021-08-31} } CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil
2021-06-02The RecordCatalin Cimpanu
@online{cimpanu:20210602:two:5237d2e, author = {Catalin Cimpanu}, title = {{Two Carbanak hackers sentenced to eight years in prison in Kazakhstan}}, date = {2021-06-02}, organization = {The Record}, url = {https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/}, language = {English}, urldate = {2021-06-16} } Two Carbanak hackers sentenced to eight years in prison in Kazakhstan
Carbanak
2021-02-26CrowdStrikeEric Loui, Sergei Frankoff
@online{loui:20210226:hypervisor:8dadf9c, author = {Eric Loui and Sergei Frankoff}, title = {{Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact}}, date = {2021-02-26}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout}, language = {English}, urldate = {2021-05-26} } Hypervisor Jackpotting: CARBON SPIDER and SPRITE SPIDER Target ESXi Servers With Ransomware to Maximize Impact
DarkSide RansomEXX Griffon Carbanak Cobalt Strike DarkSide IcedID MimiKatz PyXie RansomEXX REvil
2020-12-22TRUESECMattias Wåhlén
@online{whln:20201222:collaboration:5d2ad28, author = {Mattias Wåhlén}, title = {{Collaboration between FIN7 and the RYUK group, a Truesec Investigation}}, date = {2020-12-22}, organization = {TRUESEC}, url = {https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/}, language = {English}, urldate = {2021-01-01} } Collaboration between FIN7 and the RYUK group, a Truesec Investigation
Carbanak Cobalt Strike Ryuk
2020-09-01threatintel.blogYusuf Arslan Polat
@online{polat:20200901:opblueraven:ca6fb44, author = {Yusuf Arslan Polat}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks}}, date = {2020-09-01}, organization = {threatintel.blog}, url = {https://threatintel.blog/OPBlueRaven-Part2/}, language = {English}, urldate = {2020-09-15} } OpBlueRaven: Unveiling Fin7/Carbanak - Part II : BadUSB Attacks
Bella Carbanak FIN7
2020-07-31PRODAFT Threat IntelligenceYusuf Arslan Polat
@online{polat:20200731:opblueraven:9e58e0c, author = {Yusuf Arslan Polat}, title = {{OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion}}, date = {2020-07-31}, organization = {PRODAFT Threat Intelligence}, url = {https://threatintel.blog/OPBlueRaven-Part1/}, language = {English}, urldate = {2020-08-05} } OpBlueRaven: Unveiling Fin7/Carbanak - Part 1 : Tirion
Carbanak REvil FIN7
2020-03-23Kaspersky LabsFélix Aime, Yury Namestnikov
@online{aime:20200323:fin7:66bea6f, author = {Félix Aime and Yury Namestnikov}, title = {{Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest}}, date = {2020-03-23}, organization = {Kaspersky Labs}, url = {https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest}, language = {English}, urldate = {2020-04-07} } Fin7 APT: how billion dollar crime ring remains active after leaders’ arrest
Carbanak
2020-02-13QianxinQi Anxin Threat Intelligence Center
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf}, language = {English}, urldate = {2020-02-27} } APT Report 2019
Chrysaor Exodus Dacls elf.vpnfilter DNSRat Griffon KopiLuwak More_eggs SQLRat AppleJeus BONDUPDATER Agent.BTZ Anchor AndroMut AppleJeus BOOSTWRITE Brambul Carbanak Cobalt Strike Dacls DistTrack DNSpionage Dtrack ELECTRICFISH FlawedAmmyy FlawedGrace Get2 Grateful POS HOPLIGHT Imminent Monitor RAT jason Joanap KerrDown KEYMARBLE Lambert LightNeuron LoJax MiniDuke PolyglotDuke PowerRatankba Rising Sun SDBbot ServHelper Snatch Stuxnet TinyMet tRat TrickBot Volgmer X-Agent Zebrocy
2020SecureworksSecureWorks
@online{secureworks:2020:gold:97e5784, author = {SecureWorks}, title = {{GOLD NIAGARA}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/gold-niagara}, language = {English}, urldate = {2020-05-23} } GOLD NIAGARA
Bateleur Griffon Carbanak Cobalt Strike DRIFTPIN TinyMet FIN7
2019-04-24FireEyeJames T. Bennett, Michael Bailey
@online{bennett:20190424:carbanak:2376f75, author = {James T. Bennett and Michael Bailey}, title = {{CARBANAK Week Part Three: Behind the CARBANAK Backdoor}}, date = {2019-04-24}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html}, language = {English}, urldate = {2019-12-20} } CARBANAK Week Part Three: Behind the CARBANAK Backdoor
Carbanak
2019-04-22FireEyeMichael Bailey, James T. Bennett
@online{bailey:20190422:carbanak:c94c9f1, author = {Michael Bailey and James T. Bennett}, title = {{CARBANAK Week Part One: A Rare Occurrence}}, date = {2019-04-22}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html}, language = {English}, urldate = {2019-12-20} } CARBANAK Week Part One: A Rare Occurrence
Carbanak
2018-10-01FireEyeRegina Elwell, Katie Nickels
@techreport{elwell:20181001:attcking:3c6d888, author = {Regina Elwell and Katie Nickels}, title = {{ATT&CKing FIN7}}, date = {2018-10-01}, institution = {FireEye}, url = {https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf}, language = {English}, urldate = {2020-06-25} } ATT&CKing FIN7
Bateleur BELLHOP Griffon ANTAK POWERPIPE POWERSOURCE HALFBAKED BABYMETAL Carbanak Cobalt Strike DNSMessenger DRIFTPIN PILLOWMINT SocksBot
2017-06-12FireEyeBarry Vengerik, James T. Bennett
@online{vengerik:20170612:behind:14b4edc, author = {Barry Vengerik and James T. Bennett}, title = {{Behind the CARBANAK Backdoor}}, date = {2017-06-12}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html}, language = {English}, urldate = {2019-12-20} } Behind the CARBANAK Backdoor
Carbanak DRIFTPIN
2015-02Kaspersky SASGReAT
@online{great:201502:carbanak:1b262fc, author = {GReAT}, title = {{Carbanak APT: The Great Bank Robbery}}, date = {2015-02}, organization = {Kaspersky SAS}, url = {https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe}, language = {English}, urldate = {2020-05-18} } Carbanak APT: The Great Bank Robbery
Carbanak FIN7
Yara Rules
[TLP:WHITE] win_carbanak_auto (20210616 | Detects win.carbanak.)
rule win_carbanak_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.carbanak."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b8190060000 69c0a8000000 50 51 8bce e8???????? 8b450c }
            // n = 7, score = 200
            //   8b8190060000         | mov                 eax, dword ptr [ecx + 0x690]
            //   69c0a8000000         | imul                eax, eax, 0xa8
            //   50                   | push                eax
            //   51                   | push                ecx
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]

        $sequence_1 = { 8bd8 59 3bdf 7f44 8d4f01 51 e8???????? }
            // n = 7, score = 200
            //   8bd8                 | mov                 ebx, eax
            //   59                   | pop                 ecx
            //   3bdf                 | cmp                 ebx, edi
            //   7f44                 | jg                  0x46
            //   8d4f01               | lea                 ecx, dword ptr [edi + 1]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_2 = { 50 6aff ff7508 33db e8???????? 83c410 8d45b8 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   6aff                 | push                -1
            //   ff7508               | push                dword ptr [ebp + 8]
            //   33db                 | xor                 ebx, ebx
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8d45b8               | lea                 eax, dword ptr [ebp - 0x48]

        $sequence_3 = { 89be2c010000 897d08 6a04 8d4508 8dbe28010000 50 8bcf }
            // n = 7, score = 200
            //   89be2c010000         | mov                 dword ptr [esi + 0x12c], edi
            //   897d08               | mov                 dword ptr [ebp + 8], edi
            //   6a04                 | push                4
            //   8d4508               | lea                 eax, dword ptr [ebp + 8]
            //   8dbe28010000         | lea                 edi, dword ptr [esi + 0x128]
            //   50                   | push                eax
            //   8bcf                 | mov                 ecx, edi

        $sequence_4 = { 83f812 0f95c3 33c0 894508 83c306 394744 }
            // n = 6, score = 200
            //   83f812               | cmp                 eax, 0x12
            //   0f95c3               | setne               bl
            //   33c0                 | xor                 eax, eax
            //   894508               | mov                 dword ptr [ebp + 8], eax
            //   83c306               | add                 ebx, 6
            //   394744               | cmp                 dword ptr [edi + 0x44], eax

        $sequence_5 = { 8b07 56 ff750c 03c3 50 e8???????? 8b4d10 }
            // n = 7, score = 200
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   56                   | push                esi
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   03c3                 | add                 eax, ebx
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]

        $sequence_6 = { 56 51 e8???????? 83c40c a1???????? 47 3b7de0 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   a1????????           |                     
            //   47                   | inc                 edi
            //   3b7de0               | cmp                 edi, dword ptr [ebp - 0x20]

        $sequence_7 = { 8d4dc0 e8???????? 8d8d78ffffff e8???????? 5b 33c0 c9 }
            // n = 7, score = 200
            //   8d4dc0               | lea                 ecx, dword ptr [ebp - 0x40]
            //   e8????????           |                     
            //   8d8d78ffffff         | lea                 ecx, dword ptr [ebp - 0x88]
            //   e8????????           |                     
            //   5b                   | pop                 ebx
            //   33c0                 | xor                 eax, eax
            //   c9                   | leave               

        $sequence_8 = { 740b 8b01 8945f0 3b06 75ca eb08 8b7df0 }
            // n = 7, score = 200
            //   740b                 | je                  0xd
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   8945f0               | mov                 dword ptr [ebp - 0x10], eax
            //   3b06                 | cmp                 eax, dword ptr [esi]
            //   75ca                 | jne                 0xffffffcc
            //   eb08                 | jmp                 0xa
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]

        $sequence_9 = { 51 e8???????? 83c40c a1???????? 47 3b7de0 7c9f }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   a1????????           |                     
            //   47                   | inc                 edi
            //   3b7de0               | cmp                 edi, dword ptr [ebp - 0x20]
            //   7c9f                 | jl                  0xffffffa1

    condition:
        7 of them and filesize < 425984
}
Download all Yara Rules