S0030: Carbanak
Analyst context for executives and security teams
Carbanak matters because ATT&CK describes it as a full-featured Windows remote backdoor intended for espionage, data exfiltration, and remote access. For leaders, the decision value is not just “malware exists”; it is whether the organization can prove it would notice and contain a Windows compromise that combines credential theft, persistence, command execution, remote access, collection, encrypted or encoded web-based command-and-control, and staged exfiltration behavior.
Executive priority
Prioritize Carbanak as a resilience and fraud-risk scenario, especially where Windows endpoints support financial, retail, hospitality, healthcare, cloud services, transportation, utilities, or other high-value operations referenced in the related FIN7 context. Executives should ask whether SOC, identity, endpoint, and network teams can show evidence for: credential-dumping detection, abnormal RDP and remote access use, suspicious startup persistence, local account creation, collection of screenshots or local email data, and web-protocol C2/exfiltration patterns. Because ATT&CK provides no official detection text for this object, coverage should be validated through control evidence and incident-response exercises rather than assumed from malware-name signatures.
Technical view
Treat Carbanak as a Windows backdoor behavior cluster mapped through its ATT&CK relationships. Validate detections and response playbooks around OS Credential Dumping, Query Registry, RDP use, obfuscated files, data transfer size limits, PE injection, keylogging, process discovery, Windows command shell execution, file deletion, web-protocol C2, screen capture, local email collection, standard encoding, local account creation, remote access tools, Registry Run Keys/Startup Folder persistence, and symmetric cryptography. Detection engineering should correlate endpoint process, registry, account, authentication, and network evidence rather than rely on a single indicator or family name.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows Registry change and query telemetry, especially Run Keys and startup locations
- Authentication and RDP session logs
- Local account creation and privilege-related account activity
- Endpoint alerts or behavioral evidence for credential dumping, keylogging, process injection, screen capture, and file deletion
Detection direction
- Because MITRE provides no official detection guidance for Carbanak, validate coverage against the related ATT&CK techniques rather than a named-malware signature alone.
- Tune correlations for Windows sequences such as registry persistence followed by command shell execution, process discovery, credential access behavior, RDP or remote access activity, collection activity, and outbound web-protocol traffic.
- Review false positives carefully for administrator activity, help desk tools, legitimate RDP, endpoint management software, backup jobs, and normal email-client access.
- Look for blind spots in unmanaged Windows endpoints, limited command-line logging, missing registry telemetry, weak RDP logging, encrypted web traffic visibility gaps, and lack of endpoint visibility into injection or credential access behaviors.
- Use the group relationships as threat-intelligence context: ATT&CK links this malware to Carbanak group and FIN7 use, but local detection should be behavior-led and evidence-based.
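To make the correlation bullet concrete, the following is an added example written for this page (it is not Carbanak analysis tooling, a Glexia rule, or a vendor detection). It tags constructed Windows telemetry records with behaviours drawn from the techniques table (run-key persistence, command shell from a non-interactive parent, process listing, local account creation, RDP logon, Base64-bodied HTTP POST) and alerts on a host only when at least three distinct behaviours occur within a 30-minute window. The record field names, the window and threshold, the set of "interactive" parent processes, and every sample event are assumptions; real Sysmon, Security-log or EDR schemas differ and the mapping would need to be adapted.

```python
"""Sequence correlation over constructed Windows telemetry (added example).

Not Carbanak tooling or a vendor rule: it shows how several ATT&CK behaviours
from this page can be tagged from generic process, registry, account, logon and
proxy records and correlated per host within a time window. Field names,
thresholds, the interactive-parent list and the sample events are assumed.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed correlation window
MIN_DISTINCT = 3                 # assumed: distinct behaviours needed to alert

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\b", re.IGNORECASE)
ACCOUNT_ADD_RE = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+.*\s/add\b", re.IGNORECASE)
# assumed: parents from which cmd.exe is expected during ordinary interactive use
INTERACTIVE_PARENTS = {"explorer.exe", "windowsterminal.exe", "powershell.exe"}


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def looks_base64(body, min_len=32):
    """True when a body is long enough and decodes as strict Base64 (T1132.001)."""
    if len(body) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body):
        return False
    try:
        base64.b64decode(body, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def classify(ev):
    """Map one telemetry record to a behaviour tag, or None if uninteresting."""
    kind = ev["kind"]
    if kind == "registry_set" and RUN_KEY_RE.search(ev["key"]):
        return "T1547.001 run-key persistence"
    if kind == "process_create":
        image = basename(ev["image"])
        cmdline = ev.get("cmdline", "")
        if image == "tasklist.exe":
            return "T1057 process discovery"
        if ACCOUNT_ADD_RE.search(cmdline):
            return "T1136.001 local account creation"
        if image == "cmd.exe" and basename(ev.get("parent", "")) not in INTERACTIVE_PARENTS:
            return "T1059.003 command shell from non-interactive parent"
    if kind == "logon" and ev.get("logon_type") == 10:
        return "T1021.001 RDP logon"
    if kind == "http" and ev.get("method") == "POST" and looks_base64(ev.get("body", "")):
        return "T1071.001 Base64-bodied HTTP POST"
    return None


def correlate(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Return {host: sorted tags} for hosts showing >= min_distinct behaviours in one window."""
    by_host = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tag))
    findings = {}
    for host, tagged in by_host.items():
        tagged.sort()
        for i, (start, _) in enumerate(tagged):
            tags = {tag for t, tag in tagged[i:] if t - start <= window}
            if len(tags) >= min_distinct:
                findings[host] = sorted(tags)
                break  # the first qualifying window per host is enough for one alert
    return findings


# Constructed sample: one workstation with a run-key set, a shell from an odd
# parent, process listing, account creation and a Base64 POST; one IT host with
# ordinary RDP support activity (including cmd.exe from Explorer) that must not alert.
SAMPLE_EVENTS = [
    {"host": "WS-FIN-07", "time": "2024-01-10T09:00:00", "kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "svchosts"},
    {"host": "WS-FIN-07", "time": "2024-01-10T09:01:30", "kind": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\Public\svchosts.exe", "cmdline": "cmd.exe"},
    {"host": "WS-FIN-07", "time": "2024-01-10T09:02:00", "kind": "process_create",
     "image": r"C:\Windows\System32\tasklist.exe", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "tasklist /v"},
    {"host": "WS-FIN-07", "time": "2024-01-10T09:04:10", "kind": "process_create",
     "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "net user support2 /add"},
    {"host": "WS-FIN-07", "time": "2024-01-10T09:05:00", "kind": "http", "method": "POST",
     "dest": "203.0.113.10", "body": base64.b64encode(b"x" * 60).decode()},
    {"host": "WS-IT-02", "time": "2024-01-10T09:00:00", "kind": "logon", "logon_type": 10, "user": "helpdesk1"},
    {"host": "WS-IT-02", "time": "2024-01-10T09:03:00", "kind": "process_create",
     "image": r"C:\Windows\System32\tasklist.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "tasklist"},
    {"host": "WS-IT-02", "time": "2024-01-10T09:04:00", "kind": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(tags))
```

The IT host is deliberately left below threshold: its RDP logon and process listing are two behaviours, and its cmd.exe is excused by the interactive-parent list, which is the kind of false-positive handling the bullets above ask for. In production the allowlists and window would be tuned from local baselines, and each tag would carry the originating event ID so responders can pivot.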
Mitigation priorities
- First, ensure Windows endpoint visibility and retention are sufficient for process, registry, authentication, account, file, and network investigations.
- Harden identity controls around credential theft and lateral movement: reduce local admin exposure, monitor account creation, and review RDP access paths.
- Constrain persistence and execution opportunities by monitoring startup locations, limiting unnecessary command shell and remote access use where feasible, and maintaining application/control baselines.
- Inventory and govern legitimate remote access tools so attacker use of approved tooling is distinguishable from authorized support activity.
- Improve egress monitoring for web-protocol C2 and staged exfiltration patterns, including size-limited transfers where practical.
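As an added illustration of the egress-monitoring bullet (written for this page, not a vendor rule or Carbanak tooling), the script below reads constructed proxy log lines and flags a client that sends many POST bodies of almost identical size to one destination, which is what staged, size-limited exfiltration looks like from the network edge. The log layout, the allowlist of vetted business destinations, the thresholds and all sample lines are assumptions; the technique generalises to any proxy or NetFlow record that carries client, destination and request size.

```python
"""Near-fixed-size POST heuristic over constructed proxy log lines (added example).

Not a vendor rule or Carbanak tooling: a client repeatedly POSTing bodies of
nearly the same size to one destination is the shape staged, size-limited
transfers leave in egress logs. Layout, allowlist, thresholds and the sample
lines are assumed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# assumed layout: <epoch> <client_ip> <method> <url> <status> <request_body_bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<req_bytes>\d+)$"
)
ALLOWLIST = {"crm.corp.example"}  # assumed: vetted business destinations
MIN_POSTS = 5                     # assumed: fewer POSTs is not yet a pattern
MAX_SPREAD = 0.10                 # assumed: (max - min) / max for "near-fixed size"


def parse(lines):
    """Yield parsed records; malformed lines are skipped rather than fatal."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = int(rec["ts"])
        rec["req_bytes"] = int(rec["req_bytes"])
        rec["dest"] = urlsplit(rec["url"]).hostname
        yield rec


def fixed_size_posts(lines, min_posts=MIN_POSTS, max_spread=MAX_SPREAD):
    """Return one finding per (client, destination) with many near-equal POST bodies."""
    sizes = defaultdict(list)
    for rec in parse(lines):
        if rec["method"] == "POST" and rec["dest"] not in ALLOWLIST:
            sizes[(rec["client"], rec["dest"])].append(rec["req_bytes"])
    findings = []
    for (client, dest), s in sorted(sizes.items()):
        if len(s) < min_posts:
            continue
        spread = (max(s) - min(s)) / max(s)
        if spread <= max_spread:
            findings.append({"client": client, "dest": dest, "posts": len(s),
                             "min_bytes": min(s), "max_bytes": max(s), "total_bytes": sum(s)})
    return findings


# Constructed sample: six near-equal POSTs to an external host, five identical
# POSTs to an allowlisted CRM, five wildly varying POSTs to an update service,
# one GET and one malformed line.
LOG_LINES = """\
1704877200 10.0.4.21 POST http://203.0.113.10/upload.php 200 4321
1704877203 10.0.4.21 POST http://203.0.113.10/upload.php 200 4318
1704877207 10.0.4.21 POST http://203.0.113.10/upload.php 200 4330
1704877210 10.0.4.21 POST http://203.0.113.10/upload.php 200 4290
1704877214 10.0.4.21 POST http://203.0.113.10/upload.php 200 4325
1704877218 10.0.4.21 POST http://203.0.113.10/upload.php 200 4301
1704877220 10.0.4.21 GET http://203.0.113.10/status 200 0
1704877230 10.0.4.30 POST https://crm.corp.example/api/notes 200 4400
1704877231 10.0.4.30 POST https://crm.corp.example/api/notes 200 4400
1704877232 10.0.4.30 POST https://crm.corp.example/api/notes 200 4400
1704877233 10.0.4.30 POST https://crm.corp.example/api/notes 200 4400
1704877234 10.0.4.30 POST https://crm.corp.example/api/notes 200 4400
1704877240 10.0.4.31 POST https://updates.example.net/report 200 120
1704877241 10.0.4.31 POST https://updates.example.net/report 200 3400
1704877242 10.0.4.31 POST https://updates.example.net/report 200 880
1704877243 10.0.4.31 POST https://updates.example.net/report 200 15000
1704877244 10.0.4.31 POST https://updates.example.net/report 200 200
garbled line that does not match the layout
"""

if __name__ == "__main__":
    for f in fixed_size_posts(LOG_LINES):
        print(f)
```

The CRM traffic would trip the size heuristic on its own, which is why the allowlist exists: the value of the rule comes from pairing it with an inventory of sanctioned destinations, not from the byte arithmetic. Because the page's relationship text describes compressed chunks rather than a fixed byte count, the check keys on uniformity of size rather than on any particular number.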
Analyst notes and limits
ATT&CK identifies Carbanak as malware S0030, a Windows remote backdoor associated through relationships with the Carbanak group and FIN7. The relationship set is useful for building a defensive validation plan because it maps the malware to credential access, discovery, execution, persistence, collection, command-and-control, exfiltration, lateral movement, and stealth techniques. This take intentionally avoids asserting current activity or guaranteed exposure.
The supplied ATT&CK object does not include official detection text, tactics on the malware object itself, aliases, labels, or detailed procedure examples in the prompt. Several related techniques list platforms beyond Windows, but the malware object platform is Windows, so defensive conclusions should be centered on Windows unless local intelligence supports broader scope. Local telemetry, asset criticality, and business process context are required to determine priority and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003 | OS Credential Dumping | Carbanak obtains Windows logon password details. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1113 | Screen Capture | Carbanak performs desktop video recording and captures screenshots of the desktop and sends them to the C2 server. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | The Carbanak malware communicates to its command server using HTTP with an encrypted payload. (Citation: Kaspersky Carbanak) |
| Enterprise | T1012 | Query Registry | Carbanak checks the Registry key |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Carbanak has a command to create a reverse shell. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1055.002 | Portable Executable Injection Sub-technique | Carbanak downloads an executable and injects it directly into a new process. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1114.001 | Local Email Collection Sub-technique | Carbanak searches recursively for Outlook personal storage table (PST) files within user directories and sends them back to the C2 server. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1057 | Process Discovery | Carbanak lists running processes. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1027 | Obfuscated Files or Information | Carbanak encrypts strings to make analysis more difficult. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1219 | Remote Access Tools | Carbanak has a plugin for VNC and Ammyy Admin Tool. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1056.001 | Keylogging Sub-technique | Carbanak logs key strokes for configured processes and sends them back to the C2 server. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Carbanak stores a configuration file in the startup directory to automatically execute commands in order to persist across reboots. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1136.001 | Local Account Sub-technique | Carbanak can create a Windows account. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | Carbanak has a command to delete files. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Carbanak encodes the message body of HTTP traffic with Base64. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1030 | Data Transfer Size Limits | Carbanak exfiltrates data in compressed chunks if a message is larger than 4096 bytes. (Citation: FireEye CARBANAK June 2017) |
Groups, software, and campaigns
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
G0008: Carbanak
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 569f46b1c242… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky Carbanak. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
- [2] FireEye CARBANAK June 2017. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
- [3] Anunak. (Citation: Fox-It Anunak Feb 2015) (Citation: FireEye CARBANAK June 2017)
- [4] Carbanak. (Citation: FireEye CARBANAK June 2017)
- [5] Fox-It Anunak Feb 2015. Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.
- [6] mitre-attack S0030
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.