S0484: Carberp

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.[1][2][3]

Enterprise | S0484 | Malware | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Carberp matters because it represents Windows credential and information-stealing malware with a broad set of behaviors tied to discovery, credential access, stealth, persistence, command and control, lateral movement, and exfiltration. For leaders, the decision value is not just the malware name; it is whether the organization can prove it would notice credential theft from browsers or password stores, suspicious registry persistence, process injection, hidden components, remote control activity, and data leaving over web-based command channels.

Executive priority

Prioritize Carberp-relevant controls where Windows endpoints handle sensitive credentials, financial workflows, privileged access, or regulated data. The ATT&CK relationships point to business risks around identity compromise, persistence below normal visibility layers, remote access via VNC, and exfiltration over command-and-control channels. Executives should ask whether SOC, IR, endpoint, identity, and network teams have evidence for: Windows registry changes, credential-store access, browser-session abuse, process injection, web C2 traffic, and full remediation when rootkit or bootkit behavior is suspected.

Technical view

Carberp is documented by ATT&CK as Windows credential and information-stealing malware active since at least 2009, with source code leaked in 2013 and later used as a foundation for Carbanak. No official ATT&CK detection text is provided, so validation should be relationship-driven. SOC and IR teams should map detections and collection against the listed techniques: Query Registry, Rootkit, VNC, Encrypted/Encoded File, Match Legitimate Resource Name or Location, Exfiltration Over C2 Channel, DLL Injection, APC Injection, Credential API Hooking, Process Discovery, Exploitation for Privilege Escalation, Web Protocols, System Information Discovery, Ingress Tool Transfer, Native API, Screen Capture, Browser Session Hijacking, Virtualization/Sandbox Evasion, Security Software Discovery, Bootkit, Registry Run Keys / Startup Folder, Credentials from Password Stores, Credentials from Web Browsers, and Hidden Files and Directories.

Likely telemetry

  • Windows endpoint process creation, command-line, parent-child process, and module/DLL load telemetry
  • Windows Registry access and modification events, especially Run keys and suspicious resource names or locations
  • Endpoint detection telemetry for process injection, API hooking, native API use, hidden files, rootkit indicators, and boot-level persistence indicators
  • Browser and credential-store access evidence where available, including attempts to read saved browser credentials or interact with credential APIs
  • Network telemetry for HTTP/S or other web-protocol command-and-control patterns and exfiltration over existing C2 channels

Detection direction

  • Because ATT&CK provides no official detection guidance for this malware entry, validate coverage by technique rather than by malware name alone.
  • Tune Windows detections for registry persistence, registry querying, startup-folder abuse, and suspicious resources that imitate legitimate names or locations.
  • Correlate credential-access signals with process injection or browser interaction, especially activity involving credential stores, web browsers, or API hooking behavior.
  • Review web-protocol traffic for unusual beaconing, tool transfer, or exfiltration patterns, but account for false positives because HTTP/S is common business traffic.
  • Validate visibility for VNC use and distinguish approved remote support activity from unexpected remote control paths.
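The bullets above recommend validating coverage by technique rather than by malware name, and correlating persistence, masquerading and registry-query signals on a host. The following is an added example (not part of the ATT&CK entry or Glexia's tooling) that does exactly that over a handful of constructed, pre-normalized endpoint events. The event schema (`type`, `host`, `image`, `key`, `value_name`, `path`, `hidden`) is an assumption standing in for whatever the local EDR or Sysmon pipeline emits; the masquerade file names, the Run key, the Startup folder and the Image File Execution Options "Debugger" lookup are taken from the relationship table on this page, and the sample host names, user names and the `example-av.exe` subkey are constructed.

```python
"""Technique-driven triage of constructed Windows endpoint events.

Added example for this page; not code from MITRE ATT&CK or Glexia. Maps
individual events to ATT&CK technique IDs listed in the Carberp entry and
escalates hosts where several distinct techniques co-occur.
"""
from collections import defaultdict
import ntpath

# File names the relationship table says Carberp has masqueraded as (T1036.005).
MASQUERADE_NAMES = {"chkntfs.exe", "syscron.exe"}
# Directories where a binary with one of those names legitimately lives;
# the signal is the same name running from anywhere else.
EXPECTED_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
RUN_KEY_FRAGMENT = "\\currentversion\\run"            # matches Run and RunOnce (T1547.001)
IFEO_FRAGMENT = "\\image file execution options\\"    # T1012 query pattern from the table
STARTUP_FRAGMENT = "\\start menu\\programs\\startup\\"  # user Startup folder


def check_event(ev):
    """Return a list of (technique_id, reason) hits for one normalized event dict."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        image = ev["image"].lower()
        name, folder = ntpath.basename(image), ntpath.dirname(image)
        if name in MASQUERADE_NAMES and folder not in EXPECTED_DIRS:
            hits.append(("T1036.005", f"{name} launched from unexpected path {folder}"))
    elif kind == "registry_set":
        if RUN_KEY_FRAGMENT in ev["key"].lower():
            hits.append(("T1547.001", f"Run key value set: {ev['value_name']}"))
    elif kind == "registry_query":
        if IFEO_FRAGMENT in ev["key"].lower() and ev.get("value_name", "").lower() == "debugger":
            hits.append(("T1012", "IFEO Debugger value queried"))
    elif kind == "file_create":
        path = ev["path"].lower()
        if STARTUP_FRAGMENT in path:
            # A hidden file dropped in Startup is the T1564.001 variant the table describes.
            tid = "T1564.001" if ev.get("hidden") else "T1547.001"
            hits.append((tid, f"file written to Startup folder: {ntpath.basename(path)}"))
    return hits


def triage(events, min_techniques=2):
    """Group hits per host and keep only hosts with >= min_techniques distinct techniques.

    Correlating across techniques (persistence + masquerading + registry probing)
    is what separates a Carberp-like chain from an isolated benign Run key write.
    """
    per_host = defaultdict(list)
    for ev in events:
        for hit in check_event(ev):
            per_host[ev["host"]].append(hit)
    return {h: hits for h, hits in per_host.items()
            if len({tid for tid, _ in hits}) >= min_techniques}


# Constructed sample telemetry: ws01 shows a chained pattern, ws02 shows benign lookalikes.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\syscron.exe"},
    {"host": "ws01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value_name": "syscron"},
    {"host": "ws01", "type": "registry_query",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av.exe",
     "value_name": "Debugger"},
    # Real chkntfs.exe from System32: no masquerade hit.
    {"host": "ws02", "type": "process_create", "image": r"C:\Windows\System32\chkntfs.exe"},
    # A visible shortcut in Startup: one technique only, stays below the escalation bar.
    {"host": "ws02", "type": "file_create", "hidden": False,
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.lnk"},
]

if __name__ == "__main__":
    for host, hits in triage(SAMPLE_EVENTS).items():
        print(host)
        for tid, reason in hits:
            print(f"  {tid}: {reason}")
```

The per-event checks are deliberately coarse; the value is in `triage`, which escalates only when distinct techniques from the table co-occur on one host, so approved administrative Run key changes or a user's own Startup shortcut do not page anyone on their own.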

Mitigation priorities

  • Start with identity and credential protection: reduce saved browser/password-store credential exposure, harden privileged accounts, and monitor credential access paths.
  • Harden Windows persistence locations, including Registry Run keys and startup folders, with change monitoring and least-privilege administration.
  • Improve endpoint prevention and detection for process injection, API hooking, hidden files, suspicious DLL loading, and unauthorized native API behavior.
  • Restrict and monitor remote-control tools such as VNC, allowing only approved administrative use with authentication, logging, and network controls.
  • Strengthen egress monitoring for web-protocol C2 and exfiltration while maintaining business-aware allowlisting and anomaly review.

Analyst notes and limits

The object is a malware entry for Carberp, external ID S0484, in the enterprise ATT&CK domain. The official description identifies it as credential and information-stealing malware for Windows and notes the 2013 source-code leak and relationship to Carbanak’s foundation. The most actionable content comes from the supplied technique relationships rather than from an ATT&CK detection section.

ATT&CK provides no official detection text, no aliases, and no malware-level tactics for this object in the supplied fields. The relationships describe behaviors associated with the malware, but local telemetry, control configuration, approved administrative tooling, and environment-specific baselines are required to determine actual detection or exposure. This summary does not assert active exploitation, attribution, or guaranteed coverage.

Official MITRE ATT&CK definition

Carberp

Carberp is a credential and information stealing malware that has been active since at least 2009. Carberp's source code was leaked online in 2013, and subsequently used as the foundation for the Carbanak backdoor.[1][2][3]

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

25 rows
Domain ID Name Relationship / procedure
Enterprise T1542.003 Bootkit (Sub-technique)

Carberp has installed a bootkit on the system to maintain persistence. (Citation: ESET Carberp March 2012)

Enterprise T1555 Credentials from Password Stores

Carberp's passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients. (Citation: Prevx Carberp March 2011)

Enterprise T1036.005 Match Legitimate Resource Name or Location (Sub-technique)

Carberp has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe". (Citation: Prevx Carberp March 2011) (Citation: Trusteer Carberp October 2010)

Enterprise T1014 Rootkit

Carberp has used user mode rootkit techniques to remain hidden on the system. (Citation: Prevx Carberp March 2011)

Enterprise T1056.004 Credential API Hooking (Sub-technique)

Carberp has hooked several Windows API functions to steal credentials. (Citation: Prevx Carberp March 2011)

Enterprise T1547.001 Registry Run Keys / Startup Folder (Sub-technique)

Carberp has maintained persistence by placing itself inside the current user's startup folder. (Citation: Prevx Carberp March 2011)

Enterprise T1497 Virtualization/Sandbox Evasion

Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software. (Citation: ESET Carberp March 2012)

Enterprise T1041 Exfiltration Over C2 Channel

Carberp has exfiltrated data via HTTP to already established C2 servers. (Citation: Prevx Carberp March 2011) (Citation: Trusteer Carberp October 2010)

Enterprise T1105 Ingress Tool Transfer

Carberp can download and execute new plugins from the C2 server. (Citation: Prevx Carberp March 2011) (Citation: Trusteer Carberp October 2010)

Enterprise T1021.005 VNC (Sub-technique)

Carberp can start a remote VNC session by downloading a new plugin. (Citation: Prevx Carberp March 2011)

Enterprise T1185 Browser Session Hijacking

Carberp has captured credentials when a user performs login through an SSL session. (Citation: Prevx Carberp March 2011) (Citation: Trusteer Carberp October 2010)

Enterprise T1068 Exploitation for Privilege Escalation

Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation. (Citation: ESET Carberp March 2012) (Citation: Prevx Carberp March 2011)

Enterprise T1055.004 Asynchronous Procedure Call (Sub-technique)

Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread. (Citation: Prevx Carberp March 2011)

Enterprise T1518.001 Security Software Discovery (Sub-technique)

Carberp has queried the infected system's registry searching for specific registry keys associated with antivirus products. (Citation: Prevx Carberp March 2011)

Enterprise T1012 Query Registry

Carberp has searched the Image File Execution Options registry key for "Debugger" within every subkey. (Citation: Prevx Carberp March 2011)

Enterprise T1564.001 Hidden Files and Directories (Sub-technique)

Carberp has created a hidden file in the Startup folder of the current user. (Citation: Trusteer Carberp October 2010)

Enterprise T1685 Disable or Modify Tools

Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed. (Citation: Prevx Carberp March 2011)

Enterprise T1071.001 Web Protocols (Sub-technique)

Carberp has connected to C2 servers via HTTP. (Citation: Trusteer Carberp October 2010)

Enterprise T1027.013 Encrypted/Encoded File (Sub-technique)

Carberp has used XOR-based encryption to mask C2 server locations within the trojan. (Citation: Prevx Carberp March 2011)

Enterprise T1106 Native API

Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories. (Citation: Trusteer Carberp October 2010)

Enterprise T1055.001 Dynamic-link Library Injection (Sub-technique)

Carberp's bootkit can inject a malicious DLL into the address space of running processes. (Citation: ESET Carberp March 2012)

Enterprise T1082 System Information Discovery

Carberp has collected the operating system version from the infected system. (Citation: Prevx Carberp March 2011)

Enterprise T1113 Screen Capture

Carberp can capture display screenshots with the screens_dll.dll plugin. (Citation: Prevx Carberp March 2011)

Enterprise T1057 Process Discovery

Carberp has collected a list of running processes. (Citation: Trusteer Carberp October 2010)

Enterprise T1555.003 Credentials from Web Browsers (Sub-technique)

Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome. (Citation: Prevx Carberp March 2011)

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: fb5aea22ca97ef5b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | fb5aea22ca97…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Trend Micro Carberp February 2014
     Trend Micro. (2014, February 27). CARBERP. Retrieved July 29, 2020.
  2. [2] Kaspersky Carbanak
     Kaspersky Lab's Global Research & Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved March 27, 2017.
  3. [3] RSA Carbanak November 2017
     RSA. (2017, November 21). THE CARBANAK/FIN7 SYNDICATE A HISTORICAL OVERVIEW OF AN EVOLVING THREAT. Retrieved July 29, 2020.
  4. [4] mitre-attack S0484

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.