Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols |
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Carberp has maintained persistence by placing itself inside the current user's startup folder.[5]
Enterprise | T1185 | Browser Session Hijacking | Carberp has captured credentials when a user performs login through an SSL session.[5][4]
Enterprise | T1555 | Credentials from Password Stores | Carberp's passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients.[5]
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.[5]
Enterprise | T1041 | Exfiltration Over C2 Channel | Carberp has exfiltrated data via HTTP to already established C2 servers.[5][4]
Enterprise | T1068 | Exploitation for Privilege Escalation | Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.[6][5]
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Carberp has created a hidden file in the Startup folder of the current user.[4]
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.[5]
Enterprise | T1105 | Ingress Tool Transfer | Carberp can download and execute new plugins from the C2 server.[5][4]
Enterprise | T1056.004 | Input Capture: Credential API Hooking | Carberp has hooked several Windows API functions to steal credentials.[5]
Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".[5][4]
Enterprise | T1106 | Native API | Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.[4]
Enterprise | T1027 | Obfuscated Files or Information | Carberp has used XOR-based encryption to mask C2 server locations within the trojan.[5]
Enterprise | T1542.003 | Pre-OS Boot: Bootkit | Carberp has installed a bootkit on the system to maintain persistence.[6]
Enterprise | T1057 | Process Discovery |
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Carberp's bootkit can inject a malicious DLL into the address space of running processes.[6]
Enterprise | T1055.004 | Process Injection: Asynchronous Procedure Call | Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread.[5]
Enterprise | T1012 | Query Registry | Carberp has searched the Image File Execution Options registry key for "Debugger" within every subkey.[5]
Enterprise | T1021.005 | Remote Services: VNC | Carberp can start a remote VNC session by downloading a new plugin.[5]
Enterprise | T1014 | Rootkit | Carberp has used user mode rootkit techniques to remain hidden on the system.[5]
Enterprise | T1113 | Screen Capture | Carberp can capture display screenshots with the screens_dll.dll plugin.[5]
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products.[5]
Enterprise | T1082 | System Information Discovery | Carberp has collected the operating system version from the infected system.[5]
Enterprise | T1497 | Virtualization/Sandbox Evasion | Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.[6]