Clankerusecase
Threat-actor profile

Carbanak

Carbanak is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: Unknown. We map 14 detection use cases to this actor across 9 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

- Use cases: 14
- Articles: 0
- Techniques: 9
- IOCs: 0

About this actor (MITRE)

[Carbanak](https://attack.mitre.org/groups/G0008) is a cybercriminal group that has used [Carbanak](https://attack.mitre.org/software/S0030) malware to target financial institutions since at least 2013. [Carbanak](https://attack.mitre.org/groups/G0008) may be linked to groups tracked separately as [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN7](https://attack.mitre.org/groups/G0046) that have also used [Carbanak](https://attack.mitre.org/software/S0030) malware.(Citation: Kaspersky Carbanak)(Citation: FireEye FIN7 April 2017)(Citation: Europol Cobalt Mar 2018)(Citation: Secure

Known aliases

Carbanak, Anunak

Top techniques

All other tracked techniques

Detection use cases (14)

- Carbanak (FIN7/Cobalt Group) service-name masquerade — DLL persistence in non-System32 paths [AI · profile, SΣ]
- Carbanak / FIN7 unauthorised remote-admin tool deployment (Ammyy Admin, RMS, TeamViewer) chained from Office or scripting host [AI · profile, SΣ]
- 1Password impossible-travel sign-in [MITRE match]
- Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains [MITRE match]
- Script Interpreter or Package-Install Hook Egress to Free-Tier Edge SaaS Within 5 Minutes of Process Start [MITRE match]
- Atlassian administrator impersonating user [MITRE match]
- Auth0 anomalous attack-protection event spike [MITRE match]
- AWS Console login without MFA + impossible travel [MITRE match]
- Credential-stuffing attack on application [MITRE match]
- GitLab password reset from suspicious IP [MITRE match]
- RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard [MITRE match]
- Service install for persistence — sc.exe / new service registry write [MITRE match]
- Attacker Tools On Endpoint [MITRE match]
- Cisco Secure Firewall - Connection to File Sharing Domain [MITRE match]