Carbanak Backdoor

Malware updated 7 months ago (2024-05-04T19:57:36.620Z)
The Carbanak Backdoor is a backdoor associated with the FIN7 threat group (also known as the "Carbanak Group"), although not every use of the backdoor can be attributed directly to FIN7. It is typically delivered through phishing emails, malicious downloads, or compromised websites; once installed it gives the operator remote access to the host, which has been used to steal data, disrupt operations, and, in some intrusions, hold data for ransom. Over time, FIN7 members have used the Carbanak toolkit extensively for reconnaissance and to establish a foothold on compromised systems.

IBM X-Force researchers found additional evidence connecting the Domino Backdoor to ITG14's Carbanak Backdoor. In the same period they uncovered NewWorldOrder Loader samples, using the filename ThunderboltService.exe, that were used to load the Carbanak Backdoor. The domain that hosted a Cobalt Strike Beacon payload was also found hosting a Carbanak backdoor sample compiled in February 2017, further linking these tools and their shared purpose.

Other tools have been found deployed alongside the backdoor. In one case, of two DLLs recovered from a victim, one was an instance of the Carbanak backdoor itself and the other was a tool tracked by FireEye as RDFSNIFFER, which lets an attacker hijack instances of the NCR Aloha Command Center Client application and interact with victim systems through existing, legitimately authenticated 2FA sessions. These findings illustrate the sophistication of intrusions built around the Carbanak Backdoor and the threat it poses.
Description last updated: 2024-05-04T17:16:49.553Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following names and profiles may refer to the same malware.
Alias (votes): Description

Carbanak (4 votes): Carbanak is a possible alias for Carbanak Backdoor. Carbanak is a notorious malware developed by the cybercrime collective known as FIN7, also referred to as Carbon Spider, Cobalt Group, and Navigator Group. The group, which has been active since 2012, is of Russian origin and has been particularly focused on exploiting the restaurant, gambling, and

NewWorldOrder Loader (2 votes): NewWorldOrder Loader is a possible alias for Carbanak Backdoor. NewWorldOrder Loader is a potent malware that was identified in December 2022. It operates as a loader for other malicious software, effectively helping them infiltrate systems undetected. This harmful program is particularly notable for its association with the Domino Backdoor and Carbanak Backdoor
Miscellaneous Associations
Other elements of context that could aid in assessing relevance:
Backdoor
Associated Threat Actors
Threat actor (association type; votes): Description

FIN7 (Unspecified; 3 votes): The FIN7 Threat Actor is associated with Carbanak Backdoor. FIN7, also known as Carbanak, Carbon Spider, Cobalt Group, and Navigator Group, is a notorious cybercrime group that has been active since 2012. The group is recognized for its advanced combination of malware and social engineering tactics, having executed numerous successful attacks against global

ITG14 (Unspecified; 2 votes): The ITG14 Threat Actor is associated with Carbanak Backdoor. ITG14, a threat actor identified in the cybersecurity industry, has recently been linked to malicious activities involving the Domino Backdoor. X-Force researchers have found substantial evidence connecting the Domino Backdoor to ITG14's Carbanak Backdoor. The Domino Backdoor not only shares signifi