Carbanak/ FIN7 Crime Gang Threat Intel Advisory

Published 14 December 2020

FIN7 threat group targets banks for espionage and data exfiltration.
This financially motivated cyber crime gang uses the Carbanak malware in their campaigns.

Share this Threat Intel:

Advisory Type	Adversary Intelligence
Threat Actors	FIN7/Carbanak
Intelligence	IoCs , TTPs

Carbanak is a threat group that mainly targets banks for espionage and data exfiltration. The malware associated with this group is also referred to as the “Carbanak”. This financially motivated threat group, dubbed as FIN7, reportedly uses the Carbanak malware in their campaigns, especially in the post exploitation phase. The group uses valid digital certificates for code signing the carbanak payload, to prove their integrity, thereby evading traditional anti-malware defenses.

Indicators of Compromise

1. MD5

44a70bdd3dc9af38103d562d29023882
25617ce39e035e60fa0d71c2c28e1bf5
c99c03a1ef6bc783bb6e534476e5155
e741daf57eb00201f3e447ef2426142f
1e47e12d11580e935878b0ed78d2294f
ddc9b71808be3a0e180e2befae4ff433
6b51c476e9cae2a88777ee330b639166
8b3a91038ecb2f57de5bbd29848b6dc4
9f01b74c1ae1c407eb148c6b13850d28
1284a97c9257513aaebe708ac82c2e38
5ecb9eb63e8ace126f20de7d139dafe8
07b5472d347d42780469fb2654b7fc54
80dd3bd472624a01e5dff9e015ed74fd
eafba59cafa0e4fa350dfd3144e02446
2e2bc95337c3b8eb05467e0049124027
608b8bc44a59e2d5c6bf0c5ee5e1f517
370d420948672e04ba8eac10bfe6fc9c
7396ce1f93c8f7dd526eeafaf87f9c2e
2e7eec2c3e7ba29fbf3789a788b4228e
732e6d3d7534da31f51b25506e52227a
f6207d7460a0fbddc2c32c60191b6634
970056273f112900c81725137f9f8b45
81e6ebbfa5b3cca1c38be969510fae07
b789b368b21d3d99504e6eb11a6d6111
b57dc2bc16dfdb3de55923aef9a98401
b6cb3301099e4b93902c3b59dcabb030
17c39e9611777b3bcf6d289ce02f42a1
ad94fa5c9ff3adcdc03a1ad32cee0e3a
450605b6761ff8dd025978f44724b11e0c5eadcc
54074b3934955d4121d1a01fe2ed5493c3f7f16d
37de1791dca31f1ef85a4246d51702b0352def6d
8230e932427bfd4c2494a6e0269056535b9e6604
996db927eb4392660fac078f1b3b20306618f382
33ee104ab2c9fc37c067a26623e7fddd3bb76302
1d3501b30183ba213fb4c22a00d89db6fd50cc34

2. Domains

ppc-club.org	brazilian-love.org
weekend-service.com	ass-pussy-fucking.net
freemsk-dns.com	comixed.org
levetas-marin.com	androidn.net
baltazar-btc.com	castello-casta.com
adguard.name	ihave5kbtc.biz
public-dns.us	dimeline.eu
zaydo.website	gendelf.com
oerne.com	gooip-kumar.com
critical-damage333.org	datsun-auto.com
maorkkk-grot.xyz	jhecwhb7832873.com
narko-cartel.com	vincenzo-bardelli.com
cameron-archibald.com	systemsvc.net
klyferyinsoxbabesy.biz	worldnewsonline.pw
chugumshimusona.com	updateserver.info
marcello-bascioni.com	narko-dispanser.com
nder.com	nyugorta.com
di-led.com	pasteronixus.com
pasteronixca.com	casting-cortell.com
publics-dns.com	java-update.co.uk
akamai-technologies.org	1povkjbdw87kgf518nl361.com
strangeerglassingpbx.org	nikaka-ost.xyz
wascodogamel.com	skaoow-loyal.net
btcshop.cc	nancialnewsonline.pw
oplesandroxgeoflax.org	akkso-dob.in
namorushinoshi.com	my-amateur-gals.com
nikaka-ost.in	paradise-plaza.com
glonass-map.com	ihave5kbtc.org
coral-trevel.com	zaydo.co
shfdhghghfg.com	great-codes.com
public-dns.com	advetureseller.com
coral-travel.com	zaydo.space
dragonn-force.com	update-java.net
akkso-dob.xyz	c1pol361.com
road-to-dominikana.biz	casas-curckos.com
adventureseller.com	skaoow-loyal.xyz

3. IP

http://91.207.60.68:80	http://88.150.175.102:443
http://69.195.129.72:80	http://31.131.17.127:443
http://82.163.78.188:443	http://95.215.45.228:443
http://89.46.103.42:443	http://37.235.54.48:443
http://204.155.30.100:443	http://194.146.180.40:80
http://179.43.140.82:443	http://66.55.133.86:80
http://88.198.184.241:700	http://89.144.14.65:80
http://83.166.234.250:443	http://185.180.198.2:443
http://87.98.217.9:443	http://194.146.180.44:80
http://94.156.77.149:80	http://209.222.30.5:443
http://31.7.61.136:443	http://108.61.197.254:80
http://204.155.30.87:443	http://216.170.116.120:443
http://151.80.8.10:443	http://162.221.183.109:443
http://31.131.17.128:443	http://217.12.203.194:443
http://107.161.159.17:443	http://62.75.218.45:80
http://46.165.228.24:443	http://78.128.92.29:443
http://87.98.153.34:443	http://216.170.117.88:443
http://5.199.169.188:443	http://192.52.167.137:443
http://185.10.56.59:443	http://87.236.210.109:443
http://141.255.167.28:443	http://188.138.98.105:700

FIN7 Tactics, Techniques and Procedures

Tactic	Technique
Initial Access	Spear Phishing Attachment (T1566.001)
Execution	Component Object Model and Distributed COM (T1021.003) Execution through API (T0871) PowerShell (T1059.001) Service Execution (T1569.002) User Execution (T1204) Windows Management Instrumentation (T1047)
Persistence	New Service (T1543.003) Registry Run Keys / StartupFolder (T1547) Valid Accounts (T1078)
Privilege Escalation	Bypass User Account Control (T1548) New Service (T1543.003) Valid Accounts (T1078)
Defense Evasion	Code Signing (T1553) Deobfuscate/Decode Files or Information (T1140) Masquerading (T1036) Obfuscated Files or Information (T1027) Process Injection (T1055) Software Packing (T1027)
Credential Access	Credential Dumping (T1003) Input Capture (T1056)
Discovery	Application Window Discovery (T1010) Process Discovery (T1057) Remote System Discovery (T1018) System Network ConfigurationDiscovery (T1016) System Owner/User Discovery (T1033)
Lateral Movement	Remote Desktop Protocol (T1021.001) Windows Admin Shares (T1021.002)
Collection	Data from Local System (T1005) Input Capture (T1056) Screen Capture (T1113)
Command & Control (C2)	Commonly Used Port (T1436) Connection Proxy (T1090) Standard Application LayerProtocol (T1071) Standard Cryptographic Protocol (T1521)
Exfiltration	Exfiltration Over Command andControl Channel (T1041)