G0008: Carbanak
Analyst context for executives and security teams
Carbanak matters because MITRE describes it as a financially motivated group targeting financial institutions since at least 2013 and associated with use of the Carbanak remote backdoor. For executives, the decision value is not the name itself, but the pattern it represents: credential abuse, legitimate administration tools, remote access, service persistence, masquerading, and firewall changes can turn normal enterprise operations into attacker cover. Financial-sector and high-value transaction environments should treat this as a test of identity controls, endpoint visibility, remote administration governance, and incident response readiness.
Executive priority
Prioritize validation of controls around privileged credentials, Windows administration tooling, remote access channels, and change monitoring for services and firewall rules. The ATT&CK object does not provide a detection section, so leaders should ask whether the organization can produce audit-ready evidence that it can identify misuse of valid accounts, Mimikatz-like credential theft, PsExec-style remote execution, rundll32 abuse, unauthorized remote access tools, and suspicious service creation or modification. This is especially relevant to business continuity and fraud resilience in environments where compromised systems or credentials could affect financial operations.
Technical view
SOC and IR teams should build coverage around the relationship set rather than the group name alone. MITRE links Carbanak to Mimikatz, PsExec, Carbanak malware, netsh, Valid Accounts, bidirectional web-service C2, Rundll32 abuse, remote access tools, Windows service persistence, masquerading of tasks/services or resources, tool acquisition, and firewall modification. Validate detections for abnormal credential access, lateral execution using administrative tools, unexpected rundll32 command lines, new or modified services, suspicious netsh or firewall changes, unauthorized remote access software, and outbound communications that blend into legitimate web services. Because the group object has no official platforms or tactics and no official detection guidance, local baselining and environment-specific allowlists are required.
Likely telemetry
- Endpoint process creation and command-line logging for tools such as PsExec, rundll32.exe, netsh, and remote access utilities
- Windows service creation, modification, startup configuration, and related registry changes
- Authentication logs for valid account use, especially privileged, remote, or unusual access patterns
- Credential-access indicators from endpoint security tooling relevant to Mimikatz-like behavior
- Network egress logs, proxy/DNS records, and web traffic metadata for bidirectional communication over legitimate external services
Detection direction
- Do not rely on Carbanak malware signatures alone; validate behavior-based coverage across credential abuse, remote execution, persistence, C2, and defense impairment relationships.
- Baseline legitimate use of PsExec, netsh, rundll32.exe, Windows services, and remote access tools to reduce false positives while preserving alerts for unusual users, hosts, times, destinations, or command patterns.
- Correlate valid-account anomalies with endpoint changes such as new services, firewall modifications, or remote tool execution; each signal may be benign alone but higher risk in sequence.
- Review blind spots around unmanaged endpoints, insufficient command-line logging, missing service-change telemetry, limited proxy visibility, and weak monitoring of administrator activity.
- Because MITRE provides no official detection text for this group object, detection engineering should map to the related techniques and software and then test against local telemetry availability.
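The telemetry and detection-direction lists above describe signals that are weak alone but meaningful in sequence on one host. The following correlator is an added example written for this page (it is not Glexia, MITRE, or vendor code): it maps constructed Windows-style event records to the behaviour categories in the relationship set (valid-account remote logon, service installation, netsh firewall change, rundll32 loading a DLL from a user-writable path, remote access tool or PsExec execution, svchost.exe masquerading), applies a local baseline of approved administration accounts and hosts, and flags a host only when two or more distinct categories occur inside a time window. The record field names (`host`, `user`, `event_id`, `logon_type`, `image`, `cmdline`, `service_name`, `ts`), the baseline sets, and the sample events are assumptions for the illustration, not a real log schema or real incident data.

```python
"""Sequence correlator for the Carbanak-style relationship set over host telemetry.

Added example, not code from the Glexia page or from MITRE. Event records are
constructed sample data shaped loosely after Windows Security/System event
fields; the field names are assumptions for this illustration, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline (assumption): accounts and hosts where remote administration
# is expected. In practice this comes from the approved-tool inventory and change records.
BASELINE_ADMIN_USERS = {"corp\\svc-patching"}
BASELINE_ADMIN_HOSTS = {"jump01"}

REMOTE_ACCESS_TOOLS = {"ammyy", "ammyyadmin", "teamviewer"}   # T1219 examples named on the page
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")  # paths a DLL should not be loaded from
SYSTEM32 = "c:\\windows\\system32\\"


def classify(ev):
    """Map one event to a behaviour category from the page's relationship set, or None."""
    eid = ev.get("event_id")
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    user = ev.get("user", "").lower()
    exe = image.rsplit("\\", 1)[-1]

    # T1078: remote (type 3 network / type 10 RDP) logon by a non-baseline account
    if eid == 4624 and ev.get("logon_type") in (3, 10) and user not in BASELINE_ADMIN_USERS:
        return "valid_account_remote_logon"
    # T1543.003: a new service was installed (System log event 7045)
    if eid == 7045:
        return "service_installed"
    if eid in (4688, 1):  # process creation: Security 4688 or Sysmon event 1
        # Firewall modification through netsh
        if exe == "netsh.exe" and "firewall" in cmd:
            return "firewall_modified"
        # T1218.011: rundll32 loading a DLL from a user-writable location
        if exe == "rundll32.exe" and any(p in cmd for p in USER_WRITABLE):
            return "rundll32_unusual_dll"
        # T1219: remote access tool execution
        if any(t in exe for t in REMOTE_ACCESS_TOOLS):
            return "remote_access_tool"
        # PsExec-style remote execution (psexec on the source, psexesvc on the target)
        if exe in ("psexec.exe", "psexesvc.exe"):
            return "remote_execution_tool"
        # T1036.005: a process named svchost.exe not running from System32
        if exe == "svchost.exe" and not image.startswith(SYSTEM32):
            return "masquerading_svchost"
    return None


def correlate(events, window=timedelta(minutes=30), min_categories=2):
    """Group categorised events per host and flag hosts where at least
    min_categories distinct behaviours occur inside a sliding window.
    Returns {host: sorted list of categories}; baseline hosts are skipped."""
    by_host = defaultdict(list)
    for ev in events:
        cat = classify(ev)
        if cat and ev["host"].lower() not in BASELINE_ADMIN_HOSTS:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cat))
    findings = {}
    for host, items in by_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            cats = {c for t, c in items[i:] if t - t0 <= window}
            if len(cats) >= min_categories:
                findings[host] = sorted(cats)
                break
    return findings


# Constructed sample telemetry (not real events): one host shows a four-signal sequence,
# a baseline patching account does similar things from the jump host, and a third host
# shows a single remote logon with nothing else.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:10:00", "host": "fin-ws07", "user": "corp\\jdoe", "event_id": 4624, "logon_type": 10},
    {"ts": "2024-03-01T02:12:30", "host": "fin-ws07", "user": "corp\\jdoe", "event_id": 4688,
     "image": "C:\\Windows\\System32\\rundll32.exe", "cmdline": "rundll32.exe C:\\Users\\Public\\vnc.dll,run"},
    {"ts": "2024-03-01T02:13:05", "host": "fin-ws07", "user": "SYSTEM", "event_id": 7045, "service_name": "wscsvc"},
    {"ts": "2024-03-01T02:14:00", "host": "fin-ws07", "user": "corp\\jdoe", "event_id": 4688,
     "image": "C:\\Windows\\System32\\netsh.exe", "cmdline": "netsh advfirewall firewall add rule name=svc dir=in action=allow"},
    {"ts": "2024-03-01T03:00:00", "host": "jump01", "user": "corp\\svc-patching", "event_id": 4624, "logon_type": 3},
    {"ts": "2024-03-01T03:01:00", "host": "jump01", "user": "corp\\svc-patching", "event_id": 7045, "service_name": "PSEXESVC"},
    {"ts": "2024-03-01T09:00:00", "host": "hr-ws02", "user": "corp\\asmith", "event_id": 4624, "logon_type": 10},
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(cats))
```

Running the block reports only `fin-ws07`: the jump host is excluded by the host baseline and the patching account by the user baseline, and `hr-ws02` has a single category, so it produces no finding. The window and `min_categories` threshold are the tuning knobs the "Detection direction" list points at; the service name `wscsvc` in the sample mirrors the T1036.004 note that Carbanak copied legitimate service names, which is why the correlator keys on the 7045 event itself rather than on the name.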
Mitigation priorities
- Strengthen identity controls first: privileged account governance, credential hygiene, MFA where applicable, and monitoring of remote or anomalous valid-account use.
- Control and audit legitimate administration tools and remote access software; maintain approved tool inventories and investigate unapproved or unusual use.
- Harden endpoint visibility for Windows service changes, rundll32 execution, credential-access behavior, and firewall or netsh modifications.
- Segment and monitor high-value financial, payment, administrative, and management systems so lateral movement and remote administration activity are easier to detect and contain.
- Prepare incident response playbooks that connect credential compromise, remote execution, persistence, and C2 investigation steps without assuming a single malware family is present.
Analyst notes and limits
The supplied ATT&CK description identifies Carbanak as a cybercriminal group using Carbanak malware against financial institutions since at least 2013, with possible links to Cobalt Group and FIN7. The most useful defensive context comes from the listed relationships to software and techniques, especially Mimikatz, PsExec, Carbanak malware, netsh, Valid Accounts, Rundll32, Remote Access Tools, Windows Service persistence, masquerading, bidirectional communication, and firewall modification.
The group object has no official detection text, no platforms, and no tactics specified. Related techniques and software include platform information, but that should not be treated as a complete platform scope for the group. This take is based only on supplied ATT&CK fields, external references, and relationships; local exposure, active targeting, and detection coverage require environment-specific evidence.
Carbanak
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Carbanak has copied legitimate service names to use for malicious services. (Citation: Kaspersky Carbanak) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Carbanak installs VNC server software that executes through rundll32. (Citation: Kaspersky Carbanak) |
| Enterprise | T1078 | Valid Accounts | Carbanak actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars. (Citation: Kaspersky Carbanak) |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | Carbanak has used a VBScript named "ggldr" that uses Google Apps Script, Sheets, and Forms services for C2. (Citation: Forcepoint Carbanak Google C2) |
| Enterprise | T1543.003 | Windows Service Sub-technique | Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges. (Citation: Kaspersky Carbanak) |
| Enterprise | T1219 | Remote Access Tools | Carbanak used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems. (Citation: Group-IB Anunak) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Carbanak has named malware "svchost.exe," which is the name of the Windows shared service host program. (Citation: Kaspersky Carbanak) |
| Enterprise | T1686 | Disable or Modify System Firewall | |
| Enterprise | T1588.002 | Tool Sub-technique | |
Groups, software, and campaigns
S0030: Carbanak
S0002: Mimikatz
S0029: PsExec
S0108: netsh
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 7727a5aebc78… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Carbanak: Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
- [2] FireEye FIN7 April 2017: Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- [3] Europol Cobalt Mar 2018: Europol. (2018, March 26). Mastermind Behind EUR 1 Billion Cyber Bank Robbery Arrested in Spain. Retrieved October 10, 2018.
- [4] Secureworks GOLD NIAGARA Threat Profile: CTU. (n.d.). GOLD NIAGARA. Retrieved September 21, 2021.
- [5] Secureworks GOLD KINGSWOOD Threat Profile: Secureworks. (n.d.). GOLD KINGSWOOD. Retrieved October 18, 2021.
- [6] Anunak (Citation: Fox-It Anunak Feb 2015)
- [7] Carbanak (Citation: Kaspersky Carbanak) (Citation: Fox-It Anunak Feb 2015)
- [8] Fox-It Anunak Feb 2015: Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.
- [9] mitre-attack G0008
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.