ATT&CK Group ID: G0008
Associated Groups: Anunak, Carbon Spider
Objectives: Carbanak is a threat group who has been found to manipulate financial assets, such as by transferring funds from bank accounts or by taking over ATM infrastructures and instructing them to dispense cash at predetermined time intervals.1 The group is reported to have been operating as early as 2013 and is still currently active (2021).2
Target Industries: Carbanak has targeted financial institutions and associated infrastructure. Geographically, Carbanak has compromised targets in over 30 countries, to include Russia, Germany, Ukraine, China, USA, Poland, Bulgaria, Brazil, Iceland, Spain, and more.6
Operations: Carbanak is known for persistence and operational patience, waiting before executing illicit funds transfers during their campaigns. Carbanak has taken advantage of system users by launching spearphishing attacks in order to get their malware on target. Carbanak has abused the trust of digital signatures by creating a fake identity in order to obtain valid certificates from a certification authority (CA)4 for their variant of the Anunak malware, which is also called Carbanak.7 In addition to custom malware, Carbanak has been known to use administrative tools native to the Windows environment, including PowerShell, WMI, and RDP.
Carbanak is reported to begin most breaches with spearphishing (T1566.001) and social engineering in order to get a legitimate user to download a Microsoft Word document with malicious files embedded in the document. These embedded files allow Carbanak to establish command and control. They are also known to host malicious files on Google Docs and PasteBin (T1101.002)4 to further expand their command and control. Once on target, Carbanak has been found to rely on using valid accounts (T1078) to perform most of their actions.6 The group is known to move laterally and escalate their privileges across networks to find critical systems that manage financial transactions.1 Carbanak has been found to target hosts that have specific banking software that would facilitate the illicit funds transfers.6 The group is reported to then establish persistence using Windows native tools, such as scheduled tasks (T1053.005) and auto-run services (T1543.003), or other non-malicious tools, such as VNC (T1021.005).4,8 From there, Carbanak is known to wait up to four months from initial access before stealing money,5 using this time to expand access and gather instructions for how to initiate the transfers.
Carbanak is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately.9 As such, activity attributed to FIN7 is beyond the scope of this emulation plan.
| Name | Associated Names | Software Type | Availability | Emulation Notes |
|---|---|---|---|---|
| Carbanak (S0030) | Anunak, Sekur, Carberp | Backdoor | Carbanak has used Carbanak as a post-exploitation tool to cement their foothold and maintain access to victim environments.6 | |
| GGLDR | Backdoor | Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2.13 | ||
| Mimikatz (S0002) | Windows Credential Dumper | Openly Available | Carbanak has used Mimikatz to faciliate privilege escalation.6, 8 | |
| netsh (S0108) | System Administration | Present on Windows OS installations by default | Carbanak may use netsh to add local firewall rule exceptions.14 | |
| PsExec (S0029) | Remote Execution | Openly Available | Carbanak has used PsExec to support execution of remote commands10 |
The following behaviors are in scope for an emulation of actions attributed to Carbanak as referenced by MITRE ATT&CK and in the referenced reporting.
The following behaviors are in scope for an emulation of actions attributed to Carbanak, as implemented in Scenario 1, in the referenced reporting.
The following behaviors are in scope for an emulation of actions performed by the Carbanak group using Carbanak malware, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by Carbanak using Mimikatz, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by Carbanak using netsh, exclusively based on current intelligence within ATT&CK for the given software.
The following behaviors are in scope for an emulation of actions performed by Carbanak using Mimikatz, exclusively based on current intelligence within ATT&CK for the given software.
The Intelligence Summary summarizes 19 publicly available sources, as well as the results of an open call for contributions. The following organizations participated in the community cyber threat intelligence contribution process:
- Microsoft