Carbanak/FIN7 Crime Gang Threat Intel Advisory

Summary

CloudSEK threat intelligence advisory on the Carbanak/FIN7 threat group, which targets banks for espionage and data exfiltration using the Carbanak malware.

Advisory Type: Adversary Intelligence
Threat Actors: FIN7/Carbanak
Intelligence: IoCs, TTPs
Carbanak is a threat group that mainly targets banks for espionage and data exfiltration. The malware associated with this group is also referred to as "Carbanak". This financially motivated group, also tracked as FIN7, reportedly uses the Carbanak malware in its campaigns, especially in the post-exploitation phase. The group signs the Carbanak payload with valid digital code-signing certificates so that the binary appears legitimate, thereby evading traditional anti-malware defenses.

Indicators of Compromise

1. File hashes (MD5; the 40-character entries are SHA-1)
  • 44a70bdd3dc9af38103d562d29023882
  • 25617ce39e035e60fa0d71c2c28e1bf5
  • c99c03a1ef6bc783bb6e534476e5155
  • e741daf57eb00201f3e447ef2426142f
  • 1e47e12d11580e935878b0ed78d2294f
  • ddc9b71808be3a0e180e2befae4ff433
  • 6b51c476e9cae2a88777ee330b639166
  • 8b3a91038ecb2f57de5bbd29848b6dc4
  • 9f01b74c1ae1c407eb148c6b13850d28
  • 1284a97c9257513aaebe708ac82c2e38
  • 5ecb9eb63e8ace126f20de7d139dafe8
  • 07b5472d347d42780469fb2654b7fc54
  • 80dd3bd472624a01e5dff9e015ed74fd
  • eafba59cafa0e4fa350dfd3144e02446
  • 2e2bc95337c3b8eb05467e0049124027
  • 608b8bc44a59e2d5c6bf0c5ee5e1f517
  • 370d420948672e04ba8eac10bfe6fc9c
  • 7396ce1f93c8f7dd526eeafaf87f9c2e
  • 2e7eec2c3e7ba29fbf3789a788b4228e
  • 732e6d3d7534da31f51b25506e52227a
  • f6207d7460a0fbddc2c32c60191b6634
  • 970056273f112900c81725137f9f8b45
  • 81e6ebbfa5b3cca1c38be969510fae07
  • b789b368b21d3d99504e6eb11a6d6111
  • b57dc2bc16dfdb3de55923aef9a98401
  • b6cb3301099e4b93902c3b59dcabb030
  • 17c39e9611777b3bcf6d289ce02f42a1
  • ad94fa5c9ff3adcdc03a1ad32cee0e3a
  • 450605b6761ff8dd025978f44724b11e0c5eadcc
  • 54074b3934955d4121d1a01fe2ed5493c3f7f16d
  • 37de1791dca31f1ef85a4246d51702b0352def6d
  • 8230e932427bfd4c2494a6e0269056535b9e6604
  • 996db927eb4392660fac078f1b3b20306618f382
  • 33ee104ab2c9fc37c067a26623e7fddd3bb76302
  • 1d3501b30183ba213fb4c22a00d89db6fd50cc34
 
2. Domains
  • ppc-club.org
  • brazilian-love.org
  • weekend-service.com
  • ass-pussy-fucking.net
  • freemsk-dns.com
  • comixed.org
  • levetas-marin.com
  • androidn.net
  • baltazar-btc.com
  • castello-casta.com
  • adguard.name
  • ihave5kbtc.biz
  • public-dns.us
  • dimeline.eu
  • zaydo.website
  • gendelf.com
  • oerne.com
  • gooip-kumar.com
  • critical-damage333.org
  • datsun-auto.com
  • maorkkk-grot.xyz
  • jhecwhb7832873.com
  • narko-cartel.com
  • vincenzo-bardelli.com
  • cameron-archibald.com
  • systemsvc.net
  • klyferyinsoxbabesy.biz
  • worldnewsonline.pw
  • chugumshimusona.com
  • updateserver.info
  • marcello-bascioni.com
  • narko-dispanser.com
  • nder.com
  • nyugorta.com
  • di-led.com
  • pasteronixus.com
  • pasteronixca.com
  • casting-cortell.com
  • publics-dns.com
  • java-update.co.uk
  • akamai-technologies.org
  • 1povkjbdw87kgf518nl361.com
  • strangeerglassingpbx.org
  • nikaka-ost.xyz
  • wascodogamel.com
  • skaoow-loyal.net
  • btcshop.cc
  • nancialnewsonline.pw
  • oplesandroxgeoflax.org
  • akkso-dob.in
  • namorushinoshi.com
  • my-amateur-gals.com
  • nikaka-ost.in
  • paradise-plaza.com
  • glonass-map.com
  • ihave5kbtc.org
  • coral-trevel.com
  • zaydo.co
  • shfdhghghfg.com
  • great-codes.com
  • public-dns.com
  • advetureseller.com
  • coral-travel.com
  • zaydo.space
  • dragonn-force.com
  • update-java.net
  • akkso-dob.xyz
  • c1pol361.com
  • road-to-dominikana.biz
  • casas-curckos.com
  • adventureseller.com
  • skaoow-loyal.xyz
 
3. IP addresses (C2 endpoints in URL form, with port)
  • http://91.207.60.68:80
  • http://88.150.175.102:443
  • http://69.195.129.72:80
  • http://31.131.17.127:443
  • http://82.163.78.188:443
  • http://95.215.45.228:443
  • http://89.46.103.42:443
  • http://37.235.54.48:443
  • http://204.155.30.100:443
  • http://194.146.180.40:80
  • http://179.43.140.82:443
  • http://66.55.133.86:80
  • http://88.198.184.241:700
  • http://89.144.14.65:80
  • http://83.166.234.250:443
  • http://185.180.198.2:443
  • http://87.98.217.9:443
  • http://194.146.180.44:80
  • http://94.156.77.149:80
  • http://209.222.30.5:443
  • http://31.7.61.136:443
  • http://108.61.197.254:80
  • http://204.155.30.87:443
  • http://216.170.116.120:443
  • http://151.80.8.10:443
  • http://162.221.183.109:443
  • http://31.131.17.128:443
  • http://217.12.203.194:443
  • http://107.161.159.17:443
  • http://62.75.218.45:80
  • http://46.165.228.24:443
  • http://78.128.92.29:443
  • http://87.98.153.34:443
  • http://216.170.117.88:443
  • http://5.199.169.188:443
  • http://192.52.167.137:443
  • http://185.10.56.59:443
  • http://87.236.210.109:443
  • http://141.255.167.28:443
  • http://188.138.98.105:700
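The indicators above are only useful once they are normalised and matched against telemetry. The following Python script is an added example (not part of the CloudSEK advisory) that does three things a defender typically needs: it classifies each hash indicator by length, flagging entries that are not a valid MD5 or SHA-1 (one entry in the list above is printed with 31 hex characters); it parses the URL-form "IP" entries into IP and port; and it scans sample proxy and DNS log lines for the domain and IP indicators, treating subdomains of an indicator domain as matches and distinguishing an exact IP:port hit from an IP-only hit. The log lines and their field layout (`query=`, `host=`, `dst=`) are constructed for the example, and only a small subset of the advisory's indicators is embedded.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Subset of the advisory's indicators, copied from the lists above.
HASH_IOCS = [
    "44a70bdd3dc9af38103d562d29023882",            # 32 hex chars: MD5
    "450605b6761ff8dd025978f44724b11e0c5eadcc",    # 40 hex chars: SHA-1
    "c99c03a1ef6bc783bb6e534476e5155",             # 31 hex chars as printed: malformed
]
DOMAIN_IOCS: Set[str] = {"freemsk-dns.com", "java-update.co.uk", "akamai-technologies.org"}
URL_IOCS = ["http://91.207.60.68:80", "http://88.198.184.241:700"]

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value: str) -> str:
    """Name the hash algorithm by digest length; anything else is 'invalid'."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return "invalid"
    return HASH_TYPES.get(len(v), "invalid")


def parse_url_iocs(urls: Iterable[str]) -> Dict[str, int]:
    """Turn http://ip:port entries into an {ip: port} lookup table."""
    table: Dict[str, int] = {}
    for u in urls:
        m = re.fullmatch(r"https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", u.strip())
        if m:
            table[m.group(1)] = int(m.group(2))
    return table


def domain_matches(host: str, domains: Set[str]) -> bool:
    """True for an exact indicator domain or any subdomain of one."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


# Constructed sample log lines (not from the advisory); internal IPs are placeholders.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z proxy src=10.0.0.5 dst=91.207.60.68:80 host=91.207.60.68 action=allow",
    "2024-01-01T10:00:01Z dns client=10.0.0.7 query=cdn.akamai-technologies.org type=A",
    "2024-01-01T10:00:02Z dns client=10.0.0.7 query=www.example.com type=A",
    "2024-01-01T10:00:03Z proxy src=10.0.0.9 dst=88.198.184.241:443 host=88.198.184.241 action=allow",
]


def scan_logs(lines: Iterable[str], domains: Set[str],
              ip_ports: Dict[str, int]) -> List[Tuple[str, str, str]]:
    """Return (match_kind, indicator_value, log_line) for every indicator hit."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        # Hostnames appear in DNS queries and proxy host fields.
        for m in re.finditer(r"(?:query|host)=([A-Za-z0-9.-]+)", line):
            if domain_matches(m.group(1), domains):
                hits.append(("domain", m.group(1), line))
        # Destination IP:port; a known IP on an unexpected port is still worth a look.
        m = re.search(r"dst=(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", line)
        if m and m.group(1) in ip_ports:
            kind = "ip_port" if int(m.group(2)) == ip_ports[m.group(1)] else "ip_only"
            hits.append((kind, m.group(1), line))
    return hits


if __name__ == "__main__":
    for h in HASH_IOCS:
        print(f"{h}: {classify_hash(h)}")
    for kind, value, line in scan_logs(SAMPLE_LOGS, DOMAIN_IOCS, parse_url_iocs(URL_IOCS)):
        print(f"[{kind}] {value} <- {line}")
```

The IP-only match kind is deliberate: C2 infrastructure is often reused on different ports, so a hit on a listed IP with a different port should be triaged rather than discarded. Malformed hash entries are reported as invalid rather than silently loaded, which prevents a truncated digest from being pushed into a blocklist where it can never match.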
 

FIN7 Tactics, Techniques and Procedures

Initial Access
  • Spear Phishing Attachment (T1566.001)

Execution
  • Component Object Model and Distributed COM (T1021.003)
  • Execution through API (T0871)
  • PowerShell (T1059.001)
  • Service Execution (T1569.002)
  • User Execution (T1204)
  • Windows Management Instrumentation (T1047)

Persistence
  • New Service (T1543.003)
  • Registry Run Keys / Startup Folder (T1547)
  • Valid Accounts (T1078)

Privilege Escalation
  • Bypass User Account Control (T1548)
  • New Service (T1543.003)
  • Valid Accounts (T1078)

Defense Evasion
  • Code Signing (T1553)
  • Deobfuscate/Decode Files or Information (T1140)
  • Masquerading (T1036)
  • Obfuscated Files or Information (T1027)
  • Process Injection (T1055)
  • Software Packing (T1027)

Credential Access
  • Credential Dumping (T1003)
  • Input Capture (T1056)

Discovery
  • Application Window Discovery (T1010)
  • Process Discovery (T1057)
  • Remote System Discovery (T1018)
  • System Network Configuration Discovery (T1016)
  • System Owner/User Discovery (T1033)

Lateral Movement
  • Remote Desktop Protocol (T1021.001)
  • Windows Admin Shares (T1021.002)

Collection
  • Data from Local System (T1005)
  • Input Capture (T1056)
  • Screen Capture (T1113)

Command & Control (C2)
  • Commonly Used Port (T1436)
  • Connection Proxy (T1090)
  • Standard Application Layer Protocol (T1071)
  • Standard Cryptographic Protocol (T1521)

Exfiltration
  • Exfiltration Over Command and Control Channel (T1041)
