Anunak

Threat Actor updated 4 months ago (2024-05-04T20:51:24.421Z)
Anunak, also known as Carbanak or FIN7, is a prominent threat actor in the cybercrime landscape. The group emerged around 2013 and specializes in financial theft, primarily targeting Eastern European banks, U.S. and European point-of-sale systems, and other entities. The name "Carbanak" was coined by Kaspersky, though the malware authors themselves refer to the backdoor as Anunak. The group has been known to work closely with other malicious entities such as Evil Corp and TA505, demonstrating a high level of coordination and shared objectives within the cybercriminal community.

The group's modus operandi involves sophisticated spear-phishing emails aimed at deploying the Anunak backdoor for financial gain and data theft. In one notable attack, they targeted a major multinational car maker using carefully crafted phishing emails. The initial payload initiated a multi-stage execution process that ended in the loading and decryption of a file called 'dmxl.bin', which contained the final payload, the Anunak (Carbanak) backdoor.

The Anunak group uses living-off-the-land binaries, scripts, and libraries (LOLBAS) to infect systems and maintain persistence. It has been known to employ lures such as a free IP scanning tool to gain an initial foothold; once employees are tricked into opening the link, the threat actor deploys its Anunak backdoor and uses it to infiltrate the network. Despite changes in its composition over time, the Anunak group continues to pose a significant threat because of its versatile backdoor capabilities and persistent attack methodologies.
Description last updated: 2024-05-04T19:37:15.019Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you may also want to look at.
ID | Votes | Profile Description
Carbanak | 3 | Carbanak is a sophisticated malware known for its involvement in various cyberattacks since it was first identified. This malicious software, created by the Russian criminal group FIN7 (also known as Carbanak, Carbon Spider, Cobalt Group, Navigator Group), has been active since mid-2015. The group p
FIN7 | 2 | FIN7, a prominent threat actor in the cybercrime landscape, has been noted for its malicious activities and innovative tactics. Known for their relentless attacks on large corporations, FIN7 recently targeted a significant U.S. carmaker with phishing attacks, demonstrating their continued evolution
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Payload
Source Document References
Information about the Anunak Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
Checkpoint | 5 months ago | 22nd April – Threat Intelligence Report - Check Point Research
BankInfoSecurity | 5 months ago | FIN7 Targeted US Automotive Giant In Failed Attack
Securityaffairs | 5 months ago | FIN7 targeted a large U.S. carmaker with phishing attacks
DARKReading | 5 months ago | Russian APT Group Thwarted in Attack on US Automotive Manufacturer
CERT-EU | 6 months ago | Complete Guide to Advanced Persistent Threat (APT) Security
CERT-EU | 8 months ago | Backdoor.Win32 Carbanak (Anunak) / Named Pipe Null DACL - CXSecurity.com
CERT-EU | 8 months ago | Carbanak is Back with a New Spreading Tactic – Gridinsoft Blogs | #cybercrime | #infosec | National Cyber Security Consulting
MITRE | 2 years ago | Behind the CARBANAK Backdoor | Mandiant
MITRE | 2 years ago | WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
CERT-EU | a year ago | FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability
CERT-EU | a year ago | Russian cybercrime group FIN7 has been observed exploiting unpatched Veeam Backup & Replication instances in recent attacks, cybersecurity company WithSecure reports.
CERT-EU | a year ago | The recently discovered Veeam vulnerability is already being used by FIN7 hackers to steal confidential data