ETDA สำนักงานพัฒนาธุรกรรมทางอิเล็กทรอนิกส์
Electronic Transactions Development Agency
Home > List all groups > List all tools > List all groups using tool Carbanak

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Carbanak

TypeReconnaissance, Backdoor
Description(Kaspersky) Carbanak is a backdoor used by the attackers to compromise the victim's machine once the exploit, either in the spear phishing email or exploit kit, successfully executes its payload. This section provides a functional analysis of Carbanak’s capabilities.

Carbanak copies itself into “%system32%\com” with the name “svchost.exe” with the file attributes: system, hidden and read-only. The original file created by the exploit payload is then deleted.

To ensure that Carbanak has autorun privileges the malware creates a new service. The naming syntax is “Sys” where ServiceName is any existing service randomly chosen, with the first character deleted. For example, if the existing service ́s name is “aspnet” and the visible name is “ state service”, the service created by the malware would be “aspnetSys” with a visible name of “ state service”.

Before creating the malicious service, Carbanak determines if either the avp.exe or avpui.exe processes (components of Kaspersky Internet Security) is running. If found on the target system, Carbanak will try to exploit a known vulnerability in Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 8, and Windows Server 2012, CVE-2013-3660, for local privilege escalation. We believe this is not relevant and that the attackers adapt their tools to the victim ́s defenses.

Last change to this tool card: 25 May 2020

Download this tool card in JSON format

All groups using tool Carbanak


APT groups

 Carbanak, AnunakUkraine2013-Nov 2021X
 FIN7Russia2013-Jan 2022X

2 groups listed (2 APT, 0 other, 0 unknown)

Digital Service Security Center
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1227
E-mail [email protected]