Russian Federation, Ukraine
Carbanak, GOLD KINGSWOOD, FIN7
Carbon Spider is a highly skilled criminal group that primarily targeted the hospitality and retail sectors in pursuit of payment card data.
Active since 2013, the group originally targeted Russian financial institutions, but began to expand its targeting profile in December 2015 to the Middle East, Europe and the U.S. In mid-2016, indications emerged that the group had compromised the cloud-based software solution Oracle MICROS, which could have been used to conduct malicious operations against users of that solution in the hospitality and retail sectors.
In 2016, part of the group split off to form Cobalt Spider and continue to focus on the financial sector. Carbon Spider primarily relies on spear phishing emails carrying exploit documents, macro documents, or downloader scripts to deliver the custom Harpy backdoor. The adversary uses Harpy to enable persistent access and previously deployed Point-of-Sale (PoS) malware, such as SuperSoft, to harvest card data.
As of June 2020, Carbon Spider has been conducting Big Game Hunting ransomware campaigns. The adversary has used REvil and Darkside for this purpose. In November 2020, Carbon Spider introduced a ransomware-as-a-service (RaaS) affiliate program for Darkside.
- Spear phishing campaigns deliver macro-enabled Microsoft Office documents; the documents are often password-protected
- Have used spear phishing links to Google Docs pages containing redirects to downloaders hosted on Microsoft SharePoint
- Harpy is the primary backdoor of choice; Sekur also remains in use and is typically loaded into memory with a proprietary loader
- Introduced embedded child documents to droppers in November 2019
United Arab Emirates
- Consumer Goods
- Food and Beverage
- Industrials and Engineering
- Real Estate
- State & Municipal Government