The 2022 ATT&CK Evaluations for Managed Services Call for Participation is now open. Click here to learn how to participate.

Home  >  Enterprise Carbanak+FIN7 Overview



Enterprise Evaluation 2021
  • Call For Participation
  • Evaluating
  • Preparing
  • Published
ATT&CK Description

Carbanak  is a threat group that mainly targets banks. It also refers to malware of the same name (Carbanak). It is sometimes referred to as FIN7, but these appear to be two groups using the same Carbanak malware and are therefore tracked separately. [1][2]

FIN7 is a financially-motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since mid-2015. They often use point-of-sale malware. A portion of FIN7 was run out of a front company called Combi Security. [2][3][4][5]

Emulation Notes

These groups carry a firm reputation of utilizing innovative tradecraft. Efficient espionage and stealth are at the forefront of their strategy, as they often rely heavily on scripting, obfuscation, “hiding in plain sight,” and fully exploiting the users behind the machine while pillaging an environment. They also leverage a unique spectrum of operational utilities, spanning both sophisticated malware as well as legitimate administration tools capable of interacting with various platforms (Windows and Linux, including point-of-sale specific technologies).


Operational Flow


Carbanak Scenario: This scenario begins with a legitimate user executing a malicious payload delivered via spearphishing attacks targeting financial institutions. Following initial compromise, Carbanak expands access to other hosts through privilege escalation, credential access, and lateral movement with the goal of compromising money processing services, automated teller machines, and financial accounts. As Carbanak compromises potentially valuable targets, they establish persistence so that they can learn the financial organization's internal procedures and technology. Using this information, Carbanak transfers funds to bank accounts under their control, completing their mission.

FIN7 Scenario: This scenario emulates FIN7 targeting a hotel manager network to gain access to credit card information. The scenario begins with FIN7 achieving initial access to the network after an unwitting user executes a malicious .LNK file. FIN7 then pivots to a privileged IT administrator workstation. From this system, FIN7 keylogs credentials needed to access an accounting workstation. FIN7 then pivots to the accounting workstation, establishes persistence, and deploys malware to scrape credit card information from process memory.

Additional Resources:

Operational Flow (Carbanak)

Operational Flow (FIN7)

Technique Scope

For the Carbanak and FIN7 evaluation, 65 ATT&CK techniques across 11 ATT&CK tactics are in scope for this evaluation. This includes 12 ATT&CK techniques across 7 ATT&CK tactics that are in scope for the Linux portion of the Carbanak evaluation. The Impact tactic is out of scope for this evaluation.

You can view the in scope Techniques for the Carbanak+FIN7 evaluation in the ATT&CK Navigator by checking out the layer file we made available here. A preview is shown below! The Techniques in scope attributed specifically to Carbanak are highlighted in blue, attributed specifically to FIN7 in red, and both Carbanak and FIN7 in yellow.

To see additional details on the scope, including the scope for the Linux portion of the Carbanak evaluation click here.


Figure 1: Carbanak + FIN7 Evaluation Environment (Updated 4/20/2020)

The evaluations were performed in Microsoft Azure Cloud. Each vendor was provided with two identical environments consisting of eight hosts each on which to install their client software. These two environments were used for the detection-only and protection tests, respectively. The vendors also had the option of installing server software onto a virtual machine (VM) already in the environment or importing a VM if necessary. By default, the Azure VMs were Standard B4MS, each with four vCPUs and 16GB memory. Each vendor had full and complete administrative access to the hosts instantiated for them.

VPN access enabled connectivity to the environment, and passwords were shared via out-of-band methods. There was one VPN server per environment and vendors then used RDP or SSH elsewhere within the environment. Hosts were reachable only within the VPN. They did not have public IP addresses assigned to them via Azure, but they were able to access the Internet.

Learn More: Environment Page

Detection and Protection Categories

Vendors use their own terminology and approaches to detect and protect potential adversary behavior. They provide this information to us in their unique way, and then it is our responsibility to abstract the data using categories to talk about the products in similar ways.

These categories are divided into two types: “Main” and “Modifier.” Each detection or protection receives one main category designation, which relates to the amount of context provided to the user, and may optionally receive one or more modifier category designations that help describe the event in more detail. For the Carbanak+FIN7 evaluation, there are six main detection categories representing the amount of context provided to the analyst, and three main protection categories.

You can learn more about our process for processing detections here.

Learn More: Detection Categories Page

Learn More: Protection Categories Page

Additional Resources

The following links provide more context to this round: