Carbanak Intelligence Summary

ATT&CK Group ID: G0008

Associated Groups: Anunak, Carbon Spider

Objectives: Carbanak is a threat group that has been found to manipulate financial assets, for example by transferring funds out of bank accounts or by taking over ATM infrastructure and instructing the machines to dispense cash at predetermined times.1 The group is reported to have been operating as early as 2013 and was still active at the time of writing (2021).2

Target Industries: Carbanak has targeted financial institutions and associated infrastructure. Geographically, Carbanak has compromised targets in over 30 countries, including Russia, Germany, Ukraine, China, the USA, Poland, Bulgaria, Brazil, Iceland, and Spain, among others.6

Operations: Carbanak is known for persistence and operational patience, waiting before executing illicit funds transfers during their campaigns. Carbanak has taken advantage of system users by launching spearphishing attacks to get their malware onto target systems. Carbanak has abused trust in digital signatures by creating a fake identity in order to obtain valid certificates from a certification authority (CA)4 and sign their variant of the Anunak malware, which is also called Carbanak.7 In addition to custom malware, Carbanak is known to use administrative tools native to the Windows environment, including PowerShell, WMI, and RDP.

Carbanak is reported to begin most breaches with spearphishing (T1566.001) and social engineering in order to get a legitimate user to open a Microsoft Word document with malicious files embedded in it. These embedded files allow Carbanak to establish command and control. They are also known to host malicious files on Google Docs and Pastebin (T1102.002)4 to further expand their command and control. Once on target, Carbanak has been found to rely on valid accounts (T1078) for most of their actions.6 The group is known to move laterally and escalate privileges across networks to find the critical systems that manage financial transactions.1 Carbanak has been found to target hosts running specific banking software that would facilitate the illicit funds transfers.6 The group is reported to then establish persistence using Windows native mechanisms, such as scheduled tasks (T1053.005) and auto-start services (T1543.003), or other legitimate tools, such as VNC (T1021.005).4,8 From there, Carbanak is known to wait up to four months from initial access before stealing money,5 using this time to expand access and learn how the victim's transfer processes work so that the fraudulent transfers look routine.

Carbanak is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.9 As such, activity attributed to FIN7 is beyond the scope of this emulation plan.


Software

| Name | Associated Names | Software Type | Availability | Emulation Notes |
| --- | --- | --- | --- | --- |
| Carbanak (S0030) | Anunak, Sekur, Carberp | Backdoor | | The Carbanak group has used the Carbanak backdoor as a post-exploitation tool to cement their foothold and maintain access to victim environments.6 |
| GGLDR | | Backdoor | | Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2.13 |
| Mimikatz (S0002) | | Windows Credential Dumper | Openly Available | Carbanak has used Mimikatz to facilitate privilege escalation.6, 8 |
| netsh (S0108) | | System Administration | Present on Windows OS installations by default | Carbanak may use netsh to add local firewall rule exceptions.14 |
| PsExec (S0029) | | Remote Execution | Openly Available | Carbanak has used PsExec to support execution of remote commands.10 |
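An added example, not code from the emulation plan or from the cited reporting: a small Python detection pass that turns the tradecraft described in the Operations section and the software table above (scheduled tasks and services launched from user-writable paths, netsh firewall exceptions, PsExec's PSEXESVC service, VNC installed as a service, Mimikatz module syntax) into rules, runs them over a handful of constructed Windows event records, and then clusters hits per host, because any one of these alone is routine administration while several on one box is the Carbanak pattern. The event field names are an assumed flattening of Security 4688/4698 and System 7045 events, and every hostname, user and path in the sample data is invented.

```python
"""Detection pass over constructed Windows event records for Carbanak-style
tradecraft: scheduled-task and service persistence (T1053.005, T1543.003),
netsh firewall exceptions (T1562.004), PsExec service execution (T1569.002)
and Mimikatz credential dumping (T1003.001).

Added example, not code from the Carbanak emulation plan. SAMPLE_EVENTS is
constructed; the field names are an assumed, simplified flattening of the
Security 4688/4698 and System 7045 event schemas, not a real log export.
"""
import re
from dataclasses import dataclass

# Paths an ordinary user can write to; built-in tasks and services do not
# normally run from here.
USER_WRITABLE = re.compile(
    r"\\(users\\public|programdata|temp|appdata|downloads)\\", re.I)
# "netsh advfirewall firewall add rule ..."; bare netsh use is far too
# common in IT work to alert on by itself.
NETSH_FW_ADD = re.compile(
    r"\bnetsh\b.*\badvfirewall\b.*\bfirewall\b.*\badd\b.*\brule\b", re.I)
# Mimikatz module syntax; matching on arguments survives a renamed binary.
MIMIKATZ = re.compile(r"sekurlsa::|lsadump::|logonpasswords|privilege::debug", re.I)
PSEXEC_SVC = re.compile(r"psexesvc", re.I)
VNC_SVC = re.compile(r"vnc", re.I)

# Constructed sample telemetry (hosts, users and paths are invented).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Host": "ws-teller-07", "User": "CORP\\j.doe",
     "CommandLine": 'netsh advfirewall firewall add rule name="Update" dir=in '
                    'action=allow program="C:\\Users\\Public\\svchost.exe"'},
    {"EventID": 4698, "Host": "ws-teller-07", "User": "CORP\\j.doe",
     "TaskName": "\\Microsoft\\Windows\\Maintenance\\Updater",
     "Command": "C:\\Users\\Public\\svchost.exe"},
    {"EventID": 7045, "Host": "srv-pay-01", "User": "CORP\\svc_backup",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "Host": "srv-pay-01", "User": "CORP\\svc_backup",
     "ServiceName": "WinVNC", "ImagePath": "C:\\ProgramData\\winvnc.exe -service"},
    {"EventID": 4688, "Host": "srv-pay-01", "User": "CORP\\svc_backup",
     "CommandLine": "C:\\Windows\\Temp\\m.exe privilege::debug sekurlsa::logonpasswords"},
    # Benign noise the rules must not flag: plain netsh, a built-in task.
    {"EventID": 4688, "Host": "ws-it-02", "User": "CORP\\admin",
     "CommandLine": "netsh interface show interface"},
    {"EventID": 4698, "Host": "ws-it-02", "User": "SYSTEM",
     "TaskName": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "Command": "%windir%\\system32\\defrag.exe"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    technique: str
    evidence: str


def check_event(ev):
    """Return a Finding for one event, or None if no rule matched."""
    eid, host, user = ev["EventID"], ev["Host"], ev["User"]
    if eid == 4688:
        cmd = ev["CommandLine"]
        if NETSH_FW_ADD.search(cmd):
            return Finding(host, user, "netsh_firewall_exception", "T1562.004", cmd)
        if MIMIKATZ.search(cmd):
            return Finding(host, user, "mimikatz_cli", "T1003.001", cmd)
    elif eid == 4698:
        if USER_WRITABLE.search(ev["Command"]):
            return Finding(host, user, "scheduled_task_user_writable", "T1053.005",
                           f"{ev['TaskName']} -> {ev['Command']}")
    elif eid == 7045:
        name, img = ev["ServiceName"], ev["ImagePath"]
        if PSEXEC_SVC.search(name) or PSEXEC_SVC.search(img):
            return Finding(host, user, "psexec_service", "T1569.002", f"{name} -> {img}")
        if VNC_SVC.search(name) or VNC_SVC.search(img) or USER_WRITABLE.search(img):
            return Finding(host, user, "service_persistence", "T1543.003", f"{name} -> {img}")
    return None


def analyze(events):
    """Run every rule over every event; returns the list of Findings."""
    return [f for f in (check_event(ev) for ev in events) if f is not None]


def correlate(findings, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired, with the
    sorted rule names. One hit is noise; several on one host is the pattern."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, set()).add(f.rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host:14} {f.technique:10} {f.rule:30} {f.evidence}")
    print("hosts with clustered activity:", correlate(found))
```

The per-host clustering is the part worth keeping when adapting this to real telemetry: a single scheduled task from ProgramData or one `netsh advfirewall` call will fire constantly in an enterprise, but a firewall exception, a persistence mechanism and a credential dump on the same host within the dwell window described above is what an analyst would escalate.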

Carbanak ATT&CK Navigator

The following behaviors are in scope for an emulation of actions attributed to Carbanak as referenced by MITRE ATT&CK and in the referenced reporting.

/Attack_Layers/Carbanak_G0008.png

The following behaviors are in scope for an emulation of actions attributed to Carbanak, as implemented in Scenario 1, in the referenced reporting.

/Attack_Layers/Carbanak_Scenario1.png

The following behaviors are in scope for an emulation of actions performed by the Carbanak group using Carbanak malware, exclusively based on current intelligence within ATT&CK for the given software.

/Attack_Layers/Carbanak_S0030.png

The following behaviors are in scope for an emulation of actions performed by Carbanak using Mimikatz, exclusively based on current intelligence within ATT&CK for the given software.

/Attack_Layers/Mimikatz_S0002.png

The following behaviors are in scope for an emulation of actions performed by Carbanak using netsh, exclusively based on current intelligence within ATT&CK for the given software.

/Attack_Layers/netsh_S0108.png

The following behaviors are in scope for an emulation of actions performed by Carbanak using PsExec, exclusively based on current intelligence within ATT&CK for the given software.

/Attack_Layers/PsExec_S0029.png

References

The Intelligence Summary summarizes 19 publicly available sources, as well as the results of an open call for contributions. The following organizations participated in the community cyber threat intelligence contribution process:

  • Microsoft
| ID | Source | Publisher | Date |
| --- | --- | --- | --- |
| 1 | An APT Blueprint: Gaining New Visibility into Financial Threats | Bitdefender | May 2019 |
| 2 | Alleged Mastermind Behind Carbanak Crime Gang Arrested | threatpost | March 2018 |
| 3 | Arrests Put New Focus on Carbon Spider Adversary Group | CrowdStrike | August 2018 |
| 4 | Operation Grand Mars: a comprehensive profile of Carbanak activity in 2016/17 | Trustwave | January 2017 |
| 5 | The Great Bank Robbery: the Carbanak APT | Kaspersky | February 2015 |
| 6 | Carbanak APT: The Great Bank Robbery | Kaspersky | February 2015 |
| 7 | Behind the Carbanak Backdoor | FireEye | June 2017 |
| 8 | New Carbanak/Anunak Attack Methodology | Trustwave | November 2016 |
| 9 | FIN7 Evolution and the Phishing LNK | FireEye | April 2017 |
| 10 | The Shadows of Ghosts Carbanak | RSA | November 2017 |
| 11 | The Carbanak/FIN7 Syndicate: A Historical Overview of an Evolving Threat | RSA | November 2017 |
| 12 | Carbanak Continues To Evolve: Quietly Creeping into Remote Hosts | Trustwave | April 2017 |
| 13 | Carbanak Group uses Google for malware command-and-control | Forcepoint | January 2017 |
| 14 | Anunak: APT against financial institutions | Group-IB & Fox-IT | April 2014 |
| 15 | Здравствуйтэ, Carbanak! A look inside the Carbanak source code | FireEye | October 2018 |
| 16 | CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis | FireEye | April 2019 |
| 17 | CARBANAK Week Part Four: The CARBANAK Desktop Video Player | FireEye | April 2019 |
| 18 | Anatomy of an Attack: CARBANAK | RSA | December 2017 |
| 19 | Cyberthreats to financial institutions 2020: Overview and predictions | Kaspersky | December 2019 |

Additional Plan Resources