Carbanak/ FIN7 Crime Gang Threat Intel Advisory
Advisory Type |
Adversary Intelligence |
Threat Actors |
FIN7/Carbanak |
Intelligence |
IoCs , TTPs |
Carbanak is a threat group that mainly targets banks for espionage and data exfiltration. The malware associated with this group is also referred to as the “Carbanak”. This financially motivated threat group, dubbed as FIN7, reportedly uses the Carbanak malware in their campaigns, especially in the post exploitation phase. The group uses valid digital certificates for code signing the carbanak payload, to prove their integrity, thereby evading traditional anti-malware defenses.
Indicators of Compromise
1. MD5
- 44a70bdd3dc9af38103d562d29023882
- 25617ce39e035e60fa0d71c2c28e1bf5
- c99c03a1ef6bc783bb6e534476e5155
- e741daf57eb00201f3e447ef2426142f
- 1e47e12d11580e935878b0ed78d2294f
- ddc9b71808be3a0e180e2befae4ff433
- 6b51c476e9cae2a88777ee330b639166
- 8b3a91038ecb2f57de5bbd29848b6dc4
- 9f01b74c1ae1c407eb148c6b13850d28
- 1284a97c9257513aaebe708ac82c2e38
- 5ecb9eb63e8ace126f20de7d139dafe8
- 07b5472d347d42780469fb2654b7fc54
- 80dd3bd472624a01e5dff9e015ed74fd
- eafba59cafa0e4fa350dfd3144e02446
- 2e2bc95337c3b8eb05467e0049124027
- 608b8bc44a59e2d5c6bf0c5ee5e1f517
- 370d420948672e04ba8eac10bfe6fc9c
- 7396ce1f93c8f7dd526eeafaf87f9c2e
- 2e7eec2c3e7ba29fbf3789a788b4228e
- 732e6d3d7534da31f51b25506e52227a
- f6207d7460a0fbddc2c32c60191b6634
- 970056273f112900c81725137f9f8b45
- 81e6ebbfa5b3cca1c38be969510fae07
- b789b368b21d3d99504e6eb11a6d6111
- b57dc2bc16dfdb3de55923aef9a98401
- b6cb3301099e4b93902c3b59dcabb030
- 17c39e9611777b3bcf6d289ce02f42a1
- ad94fa5c9ff3adcdc03a1ad32cee0e3a
- 450605b6761ff8dd025978f44724b11e0c5eadcc
- 54074b3934955d4121d1a01fe2ed5493c3f7f16d
- 37de1791dca31f1ef85a4246d51702b0352def6d
- 8230e932427bfd4c2494a6e0269056535b9e6604
- 996db927eb4392660fac078f1b3b20306618f382
- 33ee104ab2c9fc37c067a26623e7fddd3bb76302
- 1d3501b30183ba213fb4c22a00d89db6fd50cc34
2. Domains
| ppc-club.org | brazilian-love.org |
| weekend-service.com | ass-pussy-fucking.net |
| freemsk-dns.com | comixed.org |
| levetas-marin.com | androidn.net |
| baltazar-btc.com | castello-casta.com |
| adguard.name | ihave5kbtc.biz |
| public-dns.us | dimeline.eu |
| zaydo.website | gendelf.com |
| oerne.com | gooip-kumar.com |
| critical-damage333.org | datsun-auto.com |
| maorkkk-grot.xyz | jhecwhb7832873.com |
| narko-cartel.com | vincenzo-bardelli.com |
| cameron-archibald.com | systemsvc.net |
| klyferyinsoxbabesy.biz | worldnewsonline.pw |
| chugumshimusona.com | updateserver.info |
| marcello-bascioni.com | narko-dispanser.com |
| nder.com | nyugorta.com |
| di-led.com | pasteronixus.com |
| pasteronixca.com | casting-cortell.com |
| publics-dns.com | java-update.co.uk |
| akamai-technologies.org | 1povkjbdw87kgf518nl361.com |
| strangeerglassingpbx.org | nikaka-ost.xyz |
| wascodogamel.com | skaoow-loyal.net |
| btcshop.cc | nancialnewsonline.pw |
| oplesandroxgeoflax.org | akkso-dob.in |
| namorushinoshi.com | my-amateur-gals.com |
| nikaka-ost.in | paradise-plaza.com |
| glonass-map.com | ihave5kbtc.org |
| coral-trevel.com | zaydo.co |
| shfdhghghfg.com | great-codes.com |
| public-dns.com | advetureseller.com |
| coral-travel.com | zaydo.space |
| dragonn-force.com | update-java.net |
| akkso-dob.xyz | c1pol361.com |
| road-to-dominikana.biz | casas-curckos.com |
| adventureseller.com | skaoow-loyal.xyz |
3. IP
| http://91.207.60.68:80 | http://88.150.175.102:443 |
| http://69.195.129.72:80 | http://31.131.17.127:443 |
| http://82.163.78.188:443 | http://95.215.45.228:443 |
| http://89.46.103.42:443 | http://37.235.54.48:443 |
| http://204.155.30.100:443 | http://194.146.180.40:80 |
| http://179.43.140.82:443 | http://66.55.133.86:80 |
| http://88.198.184.241:700 | http://89.144.14.65:80 |
| http://83.166.234.250:443 | http://185.180.198.2:443 |
| http://87.98.217.9:443 | http://194.146.180.44:80 |
| http://94.156.77.149:80 | http://209.222.30.5:443 |
| http://31.7.61.136:443 | http://108.61.197.254:80 |
| http://204.155.30.87:443 | http://216.170.116.120:443 |
| http://151.80.8.10:443 | http://162.221.183.109:443 |
| http://31.131.17.128:443 | http://217.12.203.194:443 |
| http://107.161.159.17:443 | http://62.75.218.45:80 |
| http://46.165.228.24:443 | http://78.128.92.29:443 |
| http://87.98.153.34:443 | http://216.170.117.88:443 |
| http://5.199.169.188:443 | http://192.52.167.137:443 |
| http://185.10.56.59:443 | http://87.236.210.109:443 |
| http://141.255.167.28:443 | http://188.138.98.105:700 |
FIN7 Tactics, Techniques and Procedures
Tactic |
Technique |
| Initial Access | Spear Phishing Attachment (T1566.001) |
| Execution | Component Object Model and Distributed COM (T1021.003)
Execution through API (T0871) PowerShell (T1059.001) Service Execution (T1569.002) User Execution (T1204) Windows Management Instrumentation (T1047) |
| Persistence | New Service (T1543.003)
Registry Run Keys / StartupFolder (T1547) Valid Accounts (T1078) |
| Privilege Escalation | Bypass User Account Control (T1548)
New Service (T1543.003) Valid Accounts (T1078) |
| Defense Evasion | Code Signing (T1553)
Deobfuscate/Decode Files or Information (T1140) Masquerading (T1036) Obfuscated Files or Information (T1027) Process Injection (T1055) Software Packing (T1027) |
| Credential Access | Credential Dumping (T1003)
Input Capture (T1056) |
| Discovery | Application Window Discovery (T1010)
Process Discovery (T1057) Remote System Discovery (T1018) System Network ConfigurationDiscovery (T1016) System Owner/User Discovery (T1033) |
| Lateral Movement | Remote Desktop Protocol (T1021.001)
Windows Admin Shares (T1021.002) |
| Collection | Data from Local System (T1005)
Input Capture (T1056) Screen Capture (T1113) |
| Command & Control (C2) | Commonly Used Port (T1436)
Connection Proxy (T1090) Standard Application LayerProtocol (T1071) Standard Cryptographic Protocol (T1521) |
| Exfiltration | Exfiltration Over Command andControl Channel (T1041) |