{
	"id": "f5749fda-0397-4319-8718-c50a2797c742",
	"created_at": "2026-04-06T00:16:23.697878Z",
	"updated_at": "2026-04-10T13:12:01.180525Z",
	"deleted_at": null,
	"sha1_hash": "45f6f8e4083506c34159f31c2fefd1d93e9b590b",
	"title": "CARBANAK Week Part One: A Rare Occurrence",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2711433,
	"plain_text": "CARBANAK Week Part One: A Rare Occurrence\r\nBy Mandiant\r\nPublished: 2019-04-22 · Archived: 2026-04-05 12:43:42 UTC\r\nWritten by: Michael Bailey, James T. Bennett\r\nIt is very unusual for FLARE to analyze a prolifically-used, privately-developed backdoor only to later have the\r\nsource code and operator tools fall into our laps. Yet this is the extraordinary circumstance that sets the stage for\r\nCARBANAK Week, a four-part blog series that commences with this post (Part Two, Part Three and Part Four are\r\nout now).\r\nCARBANAK is one of the most full-featured backdoors around. It was used to perpetrate millions of dollars in\r\nfinancial crimes, largely by the group we track as FIN7. In 2017, Tom Bennett and Barry Vengerik published\r\nBehind the CARBANAK Backdoor, which was the product of a deep and broad analysis of CARBANAK samples\r\nand FIN7 activity across several years. On the heels of that publication, our colleague Nick Carr uncovered a pair\r\nof RAR archives containing CARBANAK source code, builders, and other tools (both available in VirusTotal:\r\nkb3r1p and apwmie).\r\nFLARE malware analysis requests are typically limited to a few dozen files at most. But the CARBANAK source\r\ncode was 20MB comprising 755 files, with 39 binaries and 100,000 lines of code. Our goal was to find threat\r\nintelligence we missed in our previous analyses. How does an analyst respond to a request with such breadth and\r\nopen-ended scope? And what did we find?\r\nMy friend Tom Bennett and I spoke about this briefly in our 2018 FireEye Cyber Defense Summit talk, Hello,\r\nCarbanak! In this blog series, we will expound at length and share a written retrospective on the inferences drawn\r\nin our previous public analysis based on binary code reverse engineering. In this first part, I’ll discuss Russian\r\nlanguage concerns, translated graphical user interfaces of CARBANAK tools, and anti-analysis tactics as seen\r\nfrom a source code perspective. 
We will also explain an interesting twist where analyzing the source code\r\nsurprisingly proved to be just as difficult as analyzing the binary, if not more. There’s a lot here; buckle up!\r\nhttps://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html\r\nPage 1 of 12\n\nFile Encoding and Language Considerations\r\nThe objective of this analysis was to discover threat intelligence gaps and better protect our customers. To begin, I\r\nwanted to assemble a cross-reference of source code files and concepts of specific interest.\r\nReading the source code entailed two steps: displaying the files in the correct encoding, and learning enough\r\nRussian to be dangerous. Figure 1 shows CARBANAK source code in a text editor that is unaware of the correct\r\nencoding.\r\nFigure 1: File without proper decoding\r\nTwo good file encoding guesses are UTF-8 and code page 1251 (Cyrillic). The files were mostly code page 1251\r\nas shown in Figure 2.\r\nFigure 2: Code Page 1251 (Cyrillic) source code\r\nFigure 2 is a C++ header file defining error values involved in backdoor command execution. Most identifiers\r\nwere in English, but some were not particularly descriptive. Ergo, the second and more difficult step was learning\r\nsome Russian to benefit from the context offered by the source code comments.\r\nFLARE has fluent Russian speakers, but I took it upon myself to minimize my use of other analysts’ time. To this\r\nend, I wrote a script to tear through files and create a prioritized vocabulary list. The script, which is available in\r\nthe Mandiant vocab_scraper GitHub repository, walks source directories finding all character sequences outside\r\nthe printable lower ASCII range: decimal values 32 (the space character) through 126 (the tilde character “~”)\r\ninclusive. 
The script adds each word to a Python defaultdict and increments its count. Finally, the script orders\r\nthis dictionary by frequency of occurrence and dumps it to a file.\r\nThe result was a 3,400+ word vocabulary list, partially shown in Figure 3.\r\nFigure 3: Top 19 Cyrillic character sequences from the CARBANAK source code\r\nI spent several hours on Russian language learning websites to study the pronunciation of Cyrillic characters and\r\nRussian words. Then, I looked up the top 600+ words and created a small dictionary. I added Russian language\r\ninput to an analysis VM and used Microsoft’s on-screen keyboard (osk.exe) to navigate the Cyrillic keyboard\r\nlayout and look up definitions.\r\nOne helpful effect of learning to pronounce Cyrillic characters was my newfound recognition of English loan\r\nwords (words that are borrowed from English and transliterated to Cyrillic). My small vocabulary allowed me to\r\nread many comments without looking anything up. Table 1 shows a short sampling of some of the English loan\r\nwords I encountered.\r\nCyrillic | English phonetic | English | Occurrences | Rank\r\nФайл | f ah y L | file | 224 | 5\r\nсервер | s e r v e r | server | 145 | 13\r\nадрес | a d r e s | address | 52 | 134\r\nкоманд | k o m a n d | command | 110+ | 27\r\nбота | b o t a | bot | 130 | 32\r\nплагин | p l ah g ee n | plugin | 116 | 39\r\nсервис | s e r v ee s | service | 70 | 46\r\nпроцесс | p r o ts e s s | process | 130ish | 63\r\nTable 1: Sampling of English loan words in the CARBANAK source code\r\nAside from source code comments, understanding how to read and type in Cyrillic came in handy for translating\r\nthe CARBANAK graphical user interfaces I found in the source code dump. 
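The vocabulary scraper described above, re-implemented as an added example in Python. This is not the script from the Mandiant vocab_scraper repository; it keeps the same rule (runs of characters outside printable ASCII 32 through 126, counted and ranked by frequency) and adds the encoding step from Figure 1 and Figure 2: strict UTF-8 is tried first and code page 1251 is the fallback, since Cyrillic bytes in cp1251 are never valid UTF-8. The two source files are constructed for this example and encoded as cp1251 to mimic the CARBANAK sources.

```python
# Added example: a re-implementation of the vocabulary-scraper idea described
# in the post, not the script from the Mandiant vocab_scraper repository.
# The sample files are constructed here and encoded as cp1251.
import re
from collections import defaultdict

# A run of one or more characters outside printable lower ASCII (32 to 126).
NON_ASCII_RUN = re.compile('[^ -~]+')

SAMPLE_FILES = [
    ('cmd_errors.h', '''
// Коды ошибок выполнения команд бота
enum CmdError {
    CE_OK = 0,        // команда выполнена
    CE_NOFILE = 1,    // файл не найден
    CE_NOSERVER = 2,  // сервер недоступен
};
'''.encode('cp1251')),
    ('plugin.cpp', '''
// Загрузка плагина: файл плагина читается с сервера
int LoadPlugin(const char* path) { return 0; } // файл -> плагин
'''.encode('cp1251')),
]

def decode_source(raw):
    # Try strict UTF-8 first. Cyrillic in code page 1251 occupies 0xC0-0xFF,
    # which never forms a valid UTF-8 sequence on its own, so a cp1251 file
    # fails here and falls back to the Cyrillic code page.
    try:
        return raw.decode('utf-8'), 'utf-8'
    except UnicodeDecodeError:
        return raw.decode('cp1251'), 'cp1251'

def count_vocabulary(files):
    # files: iterable of (name, raw_bytes). Returns {sequence: occurrences}.
    # Tokens are split on whitespace first so tabs and line endings (which are
    # also below 32) do not glue words from neighbouring lines together.
    counts = defaultdict(int)
    for _name, raw in files:
        text, _encoding = decode_source(raw)
        for token in text.split():
            for run in NON_ASCII_RUN.findall(token):
                counts[run] += 1
    return dict(counts)

def ranked_vocabulary(files, top=None):
    # Most frequent first; ties broken alphabetically so the output is stable.
    ranked = sorted(count_vocabulary(files).items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top] if top else ranked

def write_vocab_list(files, path):
    # The dump step: one line per entry, count first, then the sequence.
    with open(path, 'w', encoding='utf-8') as fh:
        for seq, n in ranked_vocabulary(files):
            print(n, seq, file=fh)

if __name__ == '__main__':
    for seq, n in ranked_vocabulary(SAMPLE_FILES, top=5):
        print(n, seq)
```

Run as a script it prints the five most frequent sequences from the two constructed files. Inflected forms (плагин, плагина) count as separate entries, exactly as a raw character-run scraper would report them; merging case endings is left to the reader.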
Figure 4 shows a Command and\r\nControl (C2) user interface for CARBANAK that I translated.\r\nFigure 4: Translated C2 graphical user interface\r\nThese user interfaces included video management and playback applications as shown in Figure 5 and Figure 6\r\nrespectively. Tom will share some interesting work he did with these in a subsequent part of this blog series.\r\nFigure 5: Translated video management application user interface\r\nFigure 6: Translated video playback application user interface\r\nFigure 7 shows the backdoor builder that was contained within the RAR archive of operator tools.\r\nFigure 7: Translated backdoor builder application user interface\r\nThe operator RAR archive also contained an operator’s manual explaining the semantics of all the backdoor\r\ncommands. Figure 8 shows the first few commands in this manual, both in Russian and English (translated).\r\nFigure 8: Operator manual (left: original Russian; right: translated to English)\r\nDown the Rabbit Hole: When Having Source Code Does Not Help\r\nIn simpler backdoors, a single function evaluates the command ID received from the C2 server and dispatches\r\ncontrol to the correct function to carry out the command. For example, a backdoor might ask its C2 server for a\r\ncommand and receive a response bearing the command ID 0x67. The dispatch function in the backdoor will check\r\nthe command ID against several different values, including 0x67, which as an example might call a function to\r\nshovel a reverse shell to the C2 server. Figure 9 shows a control flow graph of such a function as viewed in IDA\r\nPro. 
Each block of code checks against a command ID and either passes control to the appropriate command\r\nhandling code, or moves on to check for the next command ID.\r\nFigure 9: A control flow graph of a simple command handling function\r\nIn this regard, CARBANAK is an entirely different beast. It utilizes a Windows mechanism called named pipes as\r\na means of communication and coordination across all the threads, processes, and plugins under the backdoor’s\r\ncontrol. When the CARBANAK tasking component receives a command, it forwards the command over a named\r\npipe where it travels through several different functions that process the message, possibly writing it to one or\r\nmore additional named pipes, until it arrives at its destination where the specified command is finally handled.\r\nCommand handlers may even specify their own named pipe to request more data from the C2 server. When the C2\r\nserver returns the data, CARBANAK writes the result to this auxiliary named pipe and a callback function is\r\ntriggered to handle the response data asynchronously. CARBANAK’s named pipe-based tasking component is\r\nflexible enough to control both inherent command handlers and plugins. It also allows for the possibility of a local\r\nclient to dispatch commands to CARBANAK without the use of a network. In fact, not only did we write such a\r\nclient to aid in analysis and testing, but such a client, named botcmd.exe, was also present in the source dump.\r\nTom’s Perspective\r\nAnalyzing this command-handling mechanism within CARBANAK from a binary perspective was certainly\r\nchallenging. 
It required maintaining tabs for many different views into the disassembly, and a sort of textual map\r\nof command IDs and named pipe names to describe the journey of an inbound command through the various pipes\r\nand functions before arriving at its destination. Figure 10 shows the control flow graphs for seven of the named\r\npipe message handling functions. While it was difficult to analyze this from a binary reverse engineering\r\nperspective, having compiled code combined with the features that a good disassembler such as IDA Pro provides\r\nmade it less harrowing than Mike’s experience. The binary perspective saved me from having to search across\r\nseveral source files and deal with ambiguous function names. The disassembler features allowed me to easily\r\nfollow cross-references for functions and global variables and to open multiple, related views into the code.\r\nFigure 10: Control flow graphs for the named pipe message handling functions\r\nMike’s Perspective\r\nHaving source code sounds like cheat-mode for malware analysis. Indeed, source code contains much information\r\nthat is lost through the compilation and linking process. Even so, CARBANAK’s tasking component (for handling\r\ncommands sent by the C2 server) serves as a counter-example. Depending on the C2 protocol used and the\r\ncommand being processed, control flow may take divergent paths through different functions only to converge\r\nagain later and accomplish the same command. Analysis required bouncing around between almost 20 functions\r\nin 5 files, often backtracking to recover information about function pointers and parameters that were passed in\r\nfrom as many as 18 layers back. Analysis also entailed resolving matters of C++ class inheritance, scope\r\nambiguity, overloaded functions, and control flow termination upon named pipe usage. 
The overall effect was that\r\nthis was difficult to analyze, even in source code.\r\nI only embarked on this top-to-bottom journey once, to search for any surprises. The effort gave me an\r\nappreciation for the baroque machinery the authors constructed either for the sake of obfuscation or flexibility. I\r\nfelt like this was done at least in part to obscure relationships and hinder timely analysis.\r\nAnti-Analysis Mechanisms in Source Code\r\nCARBANAK’s executable code is filled with logic that pushes hexadecimal numbers to the same function,\r\nfollowed by an indirect call against the returned value. This is easily recognizable as obfuscated function import\r\nresolution, wherein CARBANAK uses a simple string hash known as PJW (named after its author, P.J.\r\nWeinberger) to locate Windows API functions without disclosing their names. A Python implementation of the\r\nPJW hash is shown in Figure 11 for reference.\r\ndef pjw_hash(s):\r\n    # 32-bit PJW: shift each character into the low nibble, then fold the\r\n    # top nibble back into the value and clear it, keeping the result below 2**28\r\n    ctr = 0\r\n    for i in range(len(s)):\r\n        ctr = 0xffffffff & ((ctr << 4) + ord(s[i]))\r\n        if ctr & 0xf0000000:\r\n            ctr = (((ctr & 0xf0000000) >> 24) ^ ctr) & 0x0fffffff\r\n    return ctr\r\nFigure 11: PJW hash\r\nThis hash-based import resolution is used several hundred times in CARBANAK samples and impedes understanding of the malware’s\r\nfunctionality. Fortunately, reversers can use the flare-ida scripts to annotate the obfuscated imports, as shown in\r\nFigure 12.\r\nFigure 12: Obfuscated import resolution annotated with FLARE's shellcode hash search\r\nThe CARBANAK authors achieved this obfuscated import resolution throughout their backdoor with relative ease\r\nusing C preprocessor macros and a pre-compilation source code scanning step to calculate function hashes. 
Figure\r\n13 shows the definition of the relevant API macro and associated machinery.\r\nFigure 13: API macro for import resolution\r\nThe API macro allows the author to type API(SHLWAPI, PathFindFileNameA)(…) and have it replaced with\r\nGetApiAddrFunc(SHLWAPI, hashPathFindFileNameA)(…). SHLWAPI is a symbolic macro defined to be the\r\nconstant 3, and hashPathFindFileNameA is the string hash value 0xE3685D1 as observed in the disassembly. But\r\nhow was the hash defined?\r\nThe CARBANAK source code has a utility (unimaginatively named tool) that scans source code for invocations\r\nof the API macro to build a header file defining string hashes for all the Windows API function names encountered\r\nin the entire codebase. Figure 14 shows the source code for this utility along with its output file, api_funcs_hash.h.\r\nFigure 14: Source code and output from string hash utility\r\nWhen I reverse engineer obfuscated malware, I can’t help but try to theorize about how authors implement their\r\nobfuscations. The CARBANAK source code gives another data point into how malware authors wield the\r\npowerful C preprocessor along with custom code scanning and code generation tools to obfuscate without\r\nimposing an undue burden on developers. This might provide perspective on what to expect from\r\nmalware authors in the future and may help identify units of potential code reuse in future projects as well as rate\r\ntheir significance. It would be trivial to apply this to new projects, but with the source code being on VirusTotal,\r\nthis level of code sharing may not represent shared authorship. 
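The whole API-hash pipeline as an added example in Python, written for this page and not taken from CARBANAK's tool or from the flare-ida scripts: the PJW hash from Figure 11, a scanner that finds API(MODULE, Function) invocations the way the post describes the tool doing, the api_funcs_hash.h-style header it would emit, the textual replacement the API macro performs, and the reverse lookup an analyst does from a hash constant back to an export name. SHLWAPI and PathFindFileNameA come from the post; the other module names, export names and the two source files are constructed for this example.

```python
# Added example, not CARBANAK's own tool and not flare-ida: PJW hash, an
# API(MODULE, Function) scanner, header generation, macro expansion and
# hash-to-name resolution. SHLWAPI / PathFindFileNameA are from the post;
# KERNEL32, WS2_32, CreateFileA, socket and the sample files are constructed.
import re

def pjw_hash(name):
    # PJW (P.J. Weinberger) hash over the ASCII bytes of an export name, 32-bit.
    # The top nibble is folded back in and cleared, so results are below 2**28.
    ctr = 0
    for ch in name:
        ctr = 0xFFFFFFFF & ((ctr << 4) + ord(ch))
        high = ctr & 0xF0000000
        if high:
            ctr = (ctr ^ (high >> 24)) & 0x0FFFFFFF
    return ctr

# API(MODULE, Function) with optional spaces, as the macro is invoked in source.
API_CALL = re.compile('API[(][ ]*([A-Za-z_][A-Za-z0-9_]*)[ ]*,[ ]*([A-Za-z_][A-Za-z0-9_]*)[ ]*[)]')

SAMPLE_SOURCE = [
    ('fileops.cpp', '''
const char* name = API(SHLWAPI, PathFindFileNameA)(path);
HANDLE h = API(KERNEL32, CreateFileA)(name, GENERIC_READ, 0, 0, OPEN_EXISTING, 0, 0);
'''),
    ('net.cpp', '''
SOCKET s = API(WS2_32, socket)(AF_INET, SOCK_STREAM, 0);
'''),
]

def scan_api_calls(source_files):
    # source_files: iterable of (path, text). Returns sorted distinct (module, function).
    found = set()
    for _path, text in source_files:
        for module, func in API_CALL.findall(text):
            found.add((module, func))
    return sorted(found)

def build_hash_header(source_files):
    # The pre-compilation step: one #define hash<Function> per distinct name, so
    # the compiled binary carries only the 28-bit constant, never the string.
    lines = ['// generated from API() invocations; do not edit by hand']
    emitted = set()
    for _module, func in scan_api_calls(source_files):
        if func not in emitted:
            emitted.add(func)
            lines.append('#define hash%s 0x%X' % (func, pjw_hash(func)))
    return chr(10).join(lines)

def expand_api_macro(text):
    # What the API macro turns an invocation into: the module constant is the
    # index into the pre-opened module handle array, the hash selects the export.
    return API_CALL.sub(lambda m: 'GetApiAddrFunc(%s, hash%s)' % (m.group(1), m.group(2)), text)

def resolve_hashes(hash_values, candidate_names):
    # Analyst side: precompute hashes over a list of known export names and map
    # constants seen in the disassembly back to names; unknowns map to None.
    table = {pjw_hash(n): n for n in candidate_names}
    return {h: table.get(h) for h in hash_values}

if __name__ == '__main__':
    print(build_hash_header(SAMPLE_SOURCE))
    print(expand_api_macro(SAMPLE_SOURCE[0][1]))
```

Run as a script it prints the generated header and the expanded first source file; the hash it emits for PathFindFileNameA is 0xE3685D1, the constant the post reports from the disassembly. Because every PJW result is masked to 28 bits, an immediate of 0x10000000 or above pushed to the resolver can never be one of these hashes, which is a cheap sanity check before treating a pushed constant as an import hash.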
Also, the source code is accessibly instructive in\r\nwhy malware would push an integer as well as a hash to resolve functions: because the integer is an index into an\r\narray of module handles that are opened in advance and associated with these pre-defined integers.\r\nConclusion\r\nThe CARBANAK source code is illustrative of how these malware authors addressed some of the practical\r\nconcerns of obfuscation. Both the tasking code and the Windows API resolution system represent significant\r\ninvestments in throwing malware analysts off the scent of this backdoor. Check out Part Two of this series for a\r\nround-up of antivirus evasions, exploits, secrets, key material, authorship artifacts, and network-based indicators.\r\nPart Three and Part Four are available now as well!\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html"
	],
	"report_names": [
		"carbanak-week-part-one-a-rare-occurrence.html"
	],
	"threat_actors": [
		{
			"id": "c9617bb6-45c8-495e-9759-2177e61a8e91",
			"created_at": "2022-10-25T15:50:23.405039Z",
			"updated_at": "2026-04-10T02:00:05.387643Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Carbanak",
				"Anunak"
			],
			"source_name": "MITRE:Carbanak",
			"tools": [
				"Carbanak",
				"Mimikatz",
				"PsExec",
				"netsh"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d85adfe3-e1c3-40b0-b8bb-d1bacadc4d82",
			"created_at": "2022-10-25T16:07:23.619566Z",
			"updated_at": "2026-04-10T02:00:04.690061Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"APT-C-11",
				"ATK 32",
				"G0046",
				"Gold Niagara",
				"GrayAlpha",
				"ITG14",
				"TAG-CR1"
			],
			"source_name": "ETDA:FIN7",
			"tools": [
				"7Logger",
				"Agentemis",
				"Anubis Backdoor",
				"Anunak",
				"Astra",
				"BIOLOAD",
				"BIRDWATCH",
				"Bateleur",
				"Boostwrite",
				"CROWVIEW",
				"Carbanak",
				"Cobalt Strike",
				"CobaltStrike",
				"DICELOADER",
				"DNSMessenger",
				"FOWLGAZE",
				"HALFBAKED",
				"JSSLoader",
				"KillACK",
				"LOADOUT",
				"Lizar",
				"Meterpreter",
				"Mimikatz",
				"NetSupport",
				"NetSupport Manager",
				"NetSupport Manager RAT",
				"NetSupport RAT",
				"NetSupportManager RAT",
				"POWERPLANT",
				"POWERSOURCE",
				"RDFSNIFFER",
				"Ragnar Loader",
				"SQLRAT",
				"Sardonic",
				"Sekur",
				"Sekur RAT",
				"TEXTMATE",
				"Tirion",
				"VB Flash",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434583,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45f6f8e4083506c34159f31c2fefd1d93e9b590b.pdf",
		"text": "https://archive.orkl.eu/45f6f8e4083506c34159f31c2fefd1d93e9b590b.txt",
		"img": "https://archive.orkl.eu/45f6f8e4083506c34159f31c2fefd1d93e9b590b.jpg"
	}
}