Carbanak Backdoor

Malware Profile Updated 3 months ago
The Carbanak Backdoor (CARBANAK) is a backdoor associated with the FIN7 threat group, which is also tracked as the "Carbanak Group" and, by IBM, as ITG14. Not all usage of the Carbanak Backdoor can be directly linked to FIN7. In FIN7 intrusions it is commonly delivered through phishing emails, and once on a host it gives the operators a foothold from which they perform reconnaissance and stage further tooling; the Carbanak toolkit has been used extensively by FIN7 members for exactly these purposes.

Tooling that has been found alongside the backdoor, according to the source documents listed below:

IBM X-Force researchers found evidence connecting the Domino Backdoor to ITG14's Carbanak Backdoor. Around the same period they also uncovered NewWorldOrder Loader samples, with the filename ThunderboltService.exe, that were used to load the Carbanak Backdoor.

In an earlier FIN7 campaign, the domain that hosted a Cobalt Strike Beacon payload was also found to be hosting a Carbanak backdoor sample compiled in February 2017, tying the two payloads to the same infrastructure.

In another intrusion two DLLs were recovered: one was an instance of the Carbanak backdoor itself, the other a tool tracked by FireEye as RDFSNIFFER. RDFSNIFFER hijacks running instances of the NCR Aloha Command Center Client and lets the attacker interact with victim systems through the client's existing, legitimately authenticated 2FA sessions, so the attacker never has to pass the second factor.
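The February 2017 compile timestamp mentioned above is the kind of pivot analysts use to relate samples found on shared infrastructure. The following Python is an added example, not code from this page or from any of the cited reports: it reads the TimeDateStamp from a PE file's COFF header and flags values that should not be trusted for pivoting. The header it parses is constructed inline and is not a real Carbanak binary; the epoch values and the `triage` helper are assumptions for illustration.

```python
"""Read the PE compile timestamp used when pivoting between samples.

Added example: parses only the MZ/PE headers with struct, no pefile needed.
"""
import struct
from datetime import datetime, timezone


def build_sample_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header for testing (not a real malware sample).

    Layout: DOS header with e_lfanew at 0x3C, then the PE signature and a
    20-byte COFF header whose third field is TimeDateStamp.
    """
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack(
        "<HHIIIHH",
        0x14C,      # Machine: IMAGE_FILE_MACHINE_I386
        1,          # NumberOfSections
        timestamp,  # TimeDateStamp (seconds since the Unix epoch)
        0, 0,       # PointerToSymbolTable, NumberOfSymbols
        0xE0,       # SizeOfOptionalHeader (PE32)
        0x102,      # Characteristics: executable, 32-bit
    )
    return bytes(dos) + b"PE\0\0" + coff


def compile_timestamp(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp as a UTC datetime, or raise ValueError."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header follows the 4-byte signature; TimeDateStamp is at offset 4
    # within it (after Machine and NumberOfSections), i.e. e_lfanew + 8.
    (ts,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_is_plausible(compiled: datetime, analysed_at: int) -> bool:
    """A zeroed (stripped) or future timestamp is useless for pivoting.

    Timestamps are attacker-controlled and modern linkers may also write a
    reproducible-build hash here, so a plausible value is still only a lead.
    """
    epoch = int(compiled.timestamp())
    return epoch != 0 and epoch <= analysed_at


def triage(data: bytes, analysed_at: int) -> dict:
    """Summarise the compile timestamp for a sample analysed at `analysed_at`."""
    compiled = compile_timestamp(data)
    return {
        "compiled": compiled.strftime("%Y-%m-%d"),
        "plausible": timestamp_is_plausible(compiled, analysed_at),
    }


if __name__ == "__main__":
    # Hypothetical: a sample built 2017-02-01 examined on 2017-04-01.
    sample = build_sample_pe(1485907200)
    print(triage(sample, 1491004800))
```

Treat the result as a lead rather than proof: the reports above corroborated the compile date with the shared hosting domain, and a timestamp that is zero, in the future, or a build hash tells you nothing on its own.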
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

ID (votes): Profile Description

Carbanak (4): Carbanak is a sophisticated type of malware, short for malicious software, that is designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt

NewWorldOrder Loader (2): NewWorldOrder Loader is a potent malware that was identified in December 2022. It operates as a loader for other malicious software, effectively helping them infiltrate systems undetected. This harmful program is particularly notable for its association with the Domino Backdoor and Carbanak Backdoor

RDFSNIFFER (1): RDFSNIFFER is a newly identified malware payload delivered by the BOOSTWRITE loader, discovered by Mandiant investigators. Developed to tamper with NCR Corporation's "Aloha Command Center" client, it has been used maliciously by several financial attackers including FIN7. When loaded by BOOSTWRITE, RDFSNIFFE

Sodinokibi (1): Sodinokibi, also known as REvil, is a significant ransomware family first identified in April 2019. It operates as a Ransomware-as-a-Service (RaaS) and has been responsible for one in three ransomware incidents responded to by IBM Security X-Force in 2020. The Sodinokibi ransomware st

Domino Backdoor (1): The Domino Backdoor is a type of malware that has been linked to multiple threat groups, highlighting the complexity of tracking these actors and their operations. This malicious software, designed to exploit and damage computers or devices, can steal personal information, disrupt operations, or hol
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Reconnaissance
Payload
Ransomware
Associated Malware
ID (type, votes): Profile Description

Cobalt Strike Beacon (Unspecified, 1): Cobalt Strike Beacon is the implant of a commercial adversary-simulation framework that is widely abused by real attackers for post-exploitation, including stealing personal information, disrupting operations, and staging ransomware. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an

Domino (Unspecified, 1): The Domino malware, a harmful program designed to exploit and damage computer systems, has been identified as the culprit behind a series of high-profile cyber attacks. The first notable incident occurred when a hacker claimed to have accessed Domino's India's massive 13 TB database on the Dark Web, (Note: this profile describes the Domino's India data breach, a naming collision with the Domino Backdoor listed under the cluster overlaps above; the two should not be conflated.)
Associated Threat Actors
ID (type, votes): Profile Description

FIN7 (Unspecified, 3): FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security

ITG14 (Unspecified, 2): ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14's Carbanak Backdoor. The Domino Backdoor not only shares signifi

Carbanak Group (Unspecified, 1): The Carbanak Group, also known as FIN7, is a notorious cybercrime gang responsible for some of the largest banking heists in history. This threat actor specializes in executing actions with malicious intent, often deploying data-stealing backdoors such as the CARBANAK malware. Despite several arrest
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Carbanak Backdoor malware was read from the documents listed below (display limited to 20 results).

Source (created): Title

CERT-EU (7 months ago): Carbanak is Back with a New Spreading Tactic – Gridinsoft Blogs | #cybercrime | #infosec | National Cyber Security Consulting

MITRE (a year ago): FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

Securityaffairs (a year ago): The intricate relationships between the FIN7 group and members of the Conti gang

SecurityIntelligence.com (a year ago): Ex-Conti and FIN7 Actors Collaborate with New Domino Backdoor

MITRE (a year ago): Mahalo FIN7: Responding to the Criminal Operators' New Tools and Techniques | Mandiant

MITRE (a year ago): FIN7 Evolution and the Phishing LNK | Mandiant

MITRE (a year ago): Behind the CARBANAK Backdoor | Mandiant

MITRE (a year ago): Ransomware 2020: Attack Trends Affecting Organizations Worldwide