Carbanak Threat Profile: Financial Apex Predators
- Suspected Origin
- Eastern Europe/Russia
- Motivation
- Financial Gain
- Aliases
- Anunak
- Target Sectors
- Financial Services, Banking, Retail, Hospitality, Energy and Utilities, Healthcare, Agriculture, Food and Beverages
- Associated Malware
- Carbanak (backdoor/banking trojan), Tirion, Pillowmint, Ammyy Admin, TeamViewer, PsExec, Mimikatz, Cobalt Strike, Meterpreter, REvil, DarkSide, Powerplant, Beacon, IDATLOADER
Overview
Carbanak (G0008), also known by aliases like Anunak and sometimes referred to as Carbon Spider, is a highly sophisticated, financially motivated cybercrime group that has been active since at least 2013. The group quickly established itself as an apex predator in the cybercrime landscape, responsible for orchestrating technical campaigns leading to substantial monetary losses, estimated to be well over $1 billion across more than 100 financial institutions globally. Unlike many state-sponsored actors driven by espionage, Carbanak’s primary, and seemingly sole, motivation is direct financial gain.
While Carbanak is primarily known for its direct assaults on financial institutions, including banks, ATM networks, and money processing services, its reach has expanded. The group is closely linked with, and sometimes conflated with, FIN7 (G0046) and Cobalt Group, both of which have also utilized the Carbanak malware. While MITRE ATT&CK identifies Carbanak and FIN7 as separate entities, they share many tactics and tools, with FIN7 specifically extending targeting to retail, restaurant, and hospitality sectors, often leveraging point-of-sale (POS) malware.
Carbanak is widely believed to have originated in Eastern Europe or Russia, with activities reported across Europe, the United States, Canada, China, Germany, and many other countries. Their operations demonstrate remarkable persistence and adaptability, often adapting methods to diverse regional and technological environments.
Tactics & Techniques
Carbanak employs a wide array of advanced tactics, techniques, and procedures (TTPs) consistent with modern, financially motivated threat actors, often mimicking government-sponsored APTs in their operational sophistication.
Initial access typically begins with highly targeted spear-phishing campaigns. These emails often impersonate legitimate banking communications, audit reports, or critical policy documents, containing malicious attachments such as Microsoft Word documents with embedded macros or Control Panel Applet (.cpl) files. Once an employee opens the attachment and enables macros, an obfuscated PowerShell command is often executed to download the Carbanak malware payload.
Upon gaining initial access, Carbanak focuses on establishing a persistent foothold and extensive internal reconnaissance. They install themselves as services, use registry run keys, or create new services to maintain persistence. Attackers then dedicate months to studying the victim’s internal network, recording screen activity and keylogging to understand banking software operations and internal procedures. This deep familiarity allows them to impersonate legitimate internal operators during the exploitation phase.
Lateral movement and privilege escalation are crucial steps. Carbanak leverages stolen credentials and often uses legitimate remote administration tools like Ammyy Admin, TeamViewer, PsExec, and Mimikatz to move across the network. They also use Windows command shell and DDE client-server protocol for execution and command and control. Defense evasion techniques include disabling security tools, deleting forensic artifacts, modifying registry keys, and injecting malicious code into legitimate processes.
For command and control (C2), Carbanak utilizes various methods, including HTTP with encrypted and Base64-encoded payloads, standard non-application layer protocols, and even legitimate cloud-based services like Google Apps Script, Sheets, and Forms via VBScripts named “ggldr”. Data exfiltration often involves compressing and/or encrypting stolen data before sending it out through C2 channels.
Notable Campaigns
The Carbanak group first garnered significant attention in early 2015 when Kaspersky Lab publicly disclosed their findings in a landmark report titled “The Great Bank Robbery.” This campaign, which started as early as 2013, involved stealing an estimated $1 billion from over 100 financial institutions across more than 30 countries. Attack methods included directly manipulating ATM networks to dispense cash, altering database records to inflate account balances before siphoning off the difference, and using the SWIFT international funds transfer system. Money mules, often hired through organized crime networks, would collect the cash.
While a key alleged mastermind of the Carbanak/Cobalt group was arrested in Spain in March 2018, operations linked to the group, including those using the Carbanak backdoor, have continued. The 2018 Hudson’s Bay Company breach, which involved point-of-sale malware, was attributed to the group.
More recently, Carbanak has been observed adapting its tactics. In November 2023, reports indicated Carbanak was being distributed through compromised websites impersonating legitimate business software like HubSpot, Veeam, and Xero, and was involved in ransomware attacks with updated techniques. In April 2024, FIN7, a group closely associated with Carbanak, was linked to spear-phishing campaigns targeting the U.S. automotive industry to deliver the Carbanak backdoor.
Associated Malware & Tools
The group’s namesake malware, Carbanak (S0030), is a sophisticated remote access backdoor and banking trojan. Initially based on the Carberp malware source code, it’s designed for espionage, data exfiltration, and remote control capabilities, including keylogging, desktop video capture, VNC functionality, HTTP form grabbing, file system management, and the ability to create reverse shells.
Beyond the core Carbanak malware, the group and its associated entities (like FIN7 and Cobalt Group) have utilized a range of other tools:
- Backdoors/Trojans: Tirion (said to replace Carbanak), Pillowmint (point-of-sale malware), DRIFTPIN (aka Toshliph), Powerplant, and Beacon.
- Commercial/Open-Source Tools: Ammyy Admin, TeamViewer, PsExec, Mimikatz, and VNC server software for remote access, lateral movement, and credential theft.
- Loaders: IDATLOADER (aka HIJACKLOADER, GHOSTPULSE) has been observed distributing Carbanak malware in 2024, using advanced techniques like BPL Sideloading.
- Ransomware: In a significant evolution of their monetizing strategies, FIN7, closely linked with Carbanak, has increasingly adopted ransomware operations since 2020, leveraging strains such as REvil and DarkSide, and showing ties to Black Basta ransomware.
- Exploit Kits: Variants of DRIFTPIN have been deployed via the RIG exploit kit.
Current Status
Carbanak remains an active and evolving threat. Despite law enforcement efforts, including significant arrests in 2018, operations linked to Carbanak and its associated groups have continued. The group demonstrates remarkable persistence and adaptability. The source code for the Carbanak backdoor was leaked in 2019, meaning variants are available to other threat actors, further complicating attribution and tracking.
Recent activity observed in late 2023 and early 2024 indicates a continued evolution of their attack methodologies, including new distribution chains via compromised websites and a shift towards incorporating ransomware tactics. FIN7, often overlapping with Carbanak’s activities, has notably pivoted towards “big game hunting” ransomware operations. Organizations, particularly those in the financial services, retail, and hospitality sectors, must maintain vigilance against the sophisticated and continuously adapting TTPs of Carbanak and its affiliates.
Related content
FIN7: From Point-of-Sale Theft to Ransomware Kingpins
Adversary ProfileFIN6: From POS Skimming to Ransomware and Enterprise Infiltration
Adversary ProfileDarkHydrus: Persistent Middle Eastern Espionage Group
Adversary ProfileChimera (G0114): Enduring Espionage in High-Tech and Aviation
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call