ETDA (Electronic Transactions Development Agency)

Threat Group Cards: A Threat Actor Encyclopedia

Tool: Carbanak

Names: Carbanak, Anunak, Sekur, Sekur RAT
Category: Malware
Type: Reconnaissance, Backdoor
Description: (Kaspersky) Carbanak is a backdoor used by the attackers to compromise the victim's machine once the exploit, either in the spear phishing email or exploit kit, successfully executes its payload. This section provides a functional analysis of Carbanak's capabilities.

Carbanak copies itself into "%system32%\com" with the name "svchost.exe" with the file attributes: system, hidden and read-only. The original file created by the exploit payload is then deleted.

To ensure that Carbanak has autorun privileges the malware creates a new service. The naming syntax is "<ServiceName>Sys" where ServiceName is any existing service randomly chosen, with the first character deleted. For example, if the existing service's name is "aspnet" and the visible name is "Asp.net state service", the service created by the malware would be "aspnetSys" with a visible name of "Sp.net state service".

Before creating the malicious service, Carbanak determines if either the avp.exe or avpui.exe processes (components of Kaspersky Internet Security) is running. If found on the target system, Carbanak will try to exploit a known vulnerability in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8, and Windows Server 2012, CVE-2013-3660, for local privilege escalation. We believe this is not relevant and that the attackers adapt their tools to the victim's defenses.
Information:
<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf>
<https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html>
<https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html>
<https://www.fox-it.com/en/wp-content/uploads/sites/11/Anunak_APT-against-financial-institutions2.pdf>
<https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf>
<https://thehackernews.com/2023/12/carbanak-banking-malware-resurfaces.html>
MITRE ATT&CK: <https://attack.mitre.org/software/S0030/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak>

Last change to this tool card: 16 January 2024


All groups using tool Carbanak

APT groups

Changed  Name              Country  Observed
         Carbanak, Anunak  Ukraine  2013-Apr 2023  X
X        FIN7              Russia   2013-Jul 2024  X

2 groups listed (2 APT, 0 other, 0 unknown)
