Carbanak Group
Carbanak Group is the name publicly used for actors associated with malicious activity involving the CARBANAK backdoor, referred to in early reporting as Anunak. The cited public reporting notes that the term "Carbanak Group" is in common use, but also states that it is unclear whether all CARBANAK campaigns were orchestrated by a single criminal group or by multiple independent or loosely affiliated criminal actors sharing malware and techniques. The activity is criminal rather than nation-state.

Reported targeting includes banks and financial organizations in the U.S., Middle East, Southeast Asia, Southwest Asia, Russia, Eastern Europe, and other global financial institutions, as well as the U.S. restaurant and hospitality sectors. Early reporting linked CARBANAK/Anunak activity to 2014 ATM exploitation in Ukraine.

The group, or the operators associated with it, use the CARBANAK malware family as a data-stealing backdoor and post-exploitation platform. Observed capabilities and tradecraft include: per-sample customization through a likely build tool, with changing encrypted strings, campaign codes, C2 configuration, and cryptographic material; rapid recompilation with small code differences tailored to the target; 64-bit variants; delayed activation via configured sleep-until dates; in-memory execution via the runmem command; user monitoring via the video command; and network proxying into isolated victim environments via the tunnel command.

The cited reporting also associates CARBANAK campaigns with DRIFTPIN/Toshliph, including spearphishing and exploit-kit delivery, and notes infrastructure overlap with LAZIOK and NETWIRE in some bank-targeting activity. A similarity with FIN7 operations is noted in the use of Power Admin PAExec for lateral movement.

The reporting specifically states that in Mandiant investigations where CARBANAK was identified, the activity was attributed to FIN7, which has been highly active against U.S. restaurant and hospitality organizations since mid-2015 and has used CARBANAK for post-exploitation, including user monitoring and proxying. It further notes that some CARBANAK operators likely had source-code access or a close relationship to the developers, and that some operators may have compiled their own builds independently.
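The PAExec lateral-movement overlap above is one of the few behaviours on this page a defender can turn directly into a detection. The following is an added example, not code from the page or from any vendor cited on it. It scans service-installation records (modelled on Windows System log Event ID 7045) for the `PAExec-<pid>-<hostname>` service name that PAExec registers on the remote host and for a service binary staged on the `ADMIN$` share; the log records are constructed for this example, and the field names are assumed, not taken from any product.

```python
import re
from dataclasses import dataclass, field

# Constructed sample records modelled on Windows System log Event ID 7045
# ("A service was installed in the system"). Hosts, PIDs and paths are invented.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PAExec-4812-WS07",
     "ImagePath": r"\\FS01\ADMIN$\PAExec-4812-WS07.exe"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "Dhcp",
     "ImagePath": r"C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted"},
    {"EventID": 7036, "Computer": "FS01", "ServiceName": "PAExec-4812-WS07",
     "ImagePath": ""},  # state-change event, not an install; must be ignored
    {"EventID": 7045, "Computer": "DC01", "ServiceName": "BackupAgent",
     "ImagePath": r"C:\Program Files\BackupAgent\agent.exe"},
]

# PAExec names its remote service PAExec-<pid>-<source hostname> (assumed from
# PAExec's documented behaviour); the hostname part never contains a backslash.
PAEXEC_SERVICE = re.compile(r"^PAExec-\d+-[^\\]+$", re.IGNORECASE)

# A service binary referenced through \\<host>\ADMIN$\ is the classic staging
# location for remote-execution helpers; legitimate services rarely use it.
ADMIN_SHARE_BINARY = re.compile(r"\\\\[^\\]+\\ADMIN\$\\", re.IGNORECASE)


@dataclass
class Finding:
    computer: str
    service_name: str
    image_path: str
    reasons: list = field(default_factory=list)


def detect_remote_exec_service_installs(events):
    """Return a Finding for each service-install event that matches a
    PAExec-style name or an ADMIN$-staged binary. Non-7045 events are skipped."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        name = ev.get("ServiceName", "")
        path = ev.get("ImagePath", "")
        reasons = []
        if PAEXEC_SERVICE.match(name):
            reasons.append("PAExec-style service name")
        if ADMIN_SHARE_BINARY.search(path):
            reasons.append("service binary staged on ADMIN$ share")
        if reasons:
            findings.append(Finding(ev.get("Computer", "?"), name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_remote_exec_service_installs(SAMPLE_EVENTS):
        print(f"{f.computer}: {f.service_name} <- {f.image_path} [{'; '.join(f.reasons)}]")
```

The two signals are kept separate on purpose: the name pattern is specific to PAExec and cheap to alert on, while the `ADMIN$` path heuristic also catches other remote-service installers and so deserves a second look before it is turned into a high-severity rule. In a real deployment the name check should be paired with whatever remote-administration tooling is sanctioned in the environment, so that authorized PAExec use is triaged rather than treated as a finding every time.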
Tradecraft
8 distinct techniques observed across reporting, grouped by MITRE ATT&CK tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Recent activity
1 source tracked across advisories and community write-ups. No news coverage yet; advisories and community discussion only.