Carbanak Malware is likely being used to exfiltrate sensitive data through covert network communication channels. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect and mitigate advanced persistent threat activity before significant data loss occurs.
YARA Rule
    rule Carbanak_0915_2
    {
        meta:
            description = "Carbanak Malware"
            author = "Florian Roth"
            reference = "https://www.csis.dk/en/csis/blog/4710/"
            date = "2015-09-03"
            score = 70
        strings:
            $x1 = "8Rkzy.exe" fullword wide
            $s1 = "Export Template" fullword wide
            $s2 = "Session folder with name '%s' already exists." fullword ascii
            $s3 = "Show Unconnected Endpoints (Ctrl+U)" fullword ascii
            $s4 = "Close All Documents" fullword wide
            $s5 = "Add &Resource" fullword ascii
            $s6 = "PROCEXPLORER" fullword wide /* Goodware String - occurred 1 times */
            $s7 = "AssocQueryKeyA" fullword ascii /* Goodware String - occurred 4 times */
        condition:
            uint16(0) == 0x5a4d and filesize < 500KB and ( $x1 or all of ($s*) )
    }
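To make the rule's logic concrete, the following is an added example (not part of the original page and not the rule author's tooling): a plain-Python evaluator for Carbanak_0915_2 that applies the "wide"/"ascii" and "fullword" modifiers and the "$x1 or all of ($s*)" condition to constructed byte buffers. The sample buffers and helper names are assumptions made for illustration; use yara or yara-python for real scanning.

```python
import re

# Added example, not part of the original page or the rule author's tooling: a
# plain-Python evaluator for Carbanak_0915_2 that shows how the "wide"/"ascii"
# and "fullword" modifiers and the "$x1 or all of ($s*)" condition behave.
# Use yara / yara-python for real scanning; this only illustrates the logic.
X1 = ("8Rkzy.exe", "wide")
S_STRINGS = [
    ("Export Template", "wide"),
    ("Session folder with name '%s' already exists.", "ascii"),
    ("Show Unconnected Endpoints (Ctrl+U)", "ascii"),
    ("Close All Documents", "wide"),
    ("Add &Resource", "ascii"),
    ("PROCEXPLORER", "wide"),
    ("AssocQueryKeyA", "ascii"),
]

def encode(text, kind):
    """Bytes YARA searches for: 'wide' is UTF-16LE, 'ascii' is one byte per char."""
    return text.encode("utf-16-le" if kind == "wide" else "latin-1")

def fullword_match(data, text, kind):
    """True if the pattern occurs with no alphanumeric char immediately before/after.
    For wide strings a neighbouring char is an alnum byte followed by 0x00."""
    step = 2 if kind == "wide" else 1
    def alnum(chunk):
        return len(chunk) == step and chunk[:1].isalnum() and (step == 1 or chunk[1] == 0)
    for m in re.finditer(re.escape(encode(text, kind)), data):
        before = data[max(m.start() - step, 0):m.start()]
        after = data[m.end():m.end() + step]
        if not alnum(before) and not alnum(after):
            return True
    return False

def matches(data):
    """uint16(0) == 0x5a4d and filesize < 500KB and ($x1 or all of ($s*))."""
    if data[:2] != b"MZ" or len(data) >= 500 * 1024:  # 0x5a4d little-endian is "MZ"
        return False
    x1 = fullword_match(data, *X1)
    return x1 or all(fullword_match(data, t, k) for t, k in S_STRINGS)

# Constructed sample buffers (not real files): a bare "MZ" header plus strings.
HDR = b"MZ" + b"\x00" * 62
SAMPLE_X1 = HDR + encode(*X1) + b"\x00\x00"
SAMPLE_ALL_S = HDR + b"\x00\x00".join(encode(t, k) for t, k in S_STRINGS)
SAMPLE_PARTIAL = HDR + b"AssocQueryKeyA\x00Close All Documents\x00"  # ascii only, 2 of 7
SAMPLE_GLUED = HDR + b"x\x00" + encode(*X1) + b"\x00\x00"            # wide "x" glued before $x1
```

SAMPLE_GLUED shows why fullword matters: the same $x1 bytes are present, but a wide alphanumeric character directly precedes them, so the rule does not fire.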
This rule contains 8 string patterns in its detection logic (one $x indicator string and seven $s strings). Note that the rule itself matches file content (the MZ header, the file size and the strings), so the process-level filters in the scenarios below apply to the Azure Sentinel hunting queries and alerts built around its hits rather than to the YARA condition. This YARA rule can be deployed in the following contexts, each of which may produce benign matches that call for a filter or exclusion:
Scenario: Scheduled System Maintenance Task
Description: A legitimate system maintenance task, such as a Windows Task Scheduler job that runs schtasks.exe to manage or update scheduled tasks, may trigger the rule due to similar command-line activity.
Filter/Exclusion: Check for schtasks.exe in the process name and filter out events where the command line includes //XML or //QUERY.

Scenario: Admin Performing Remote Desktop Session
Description: An administrator using Remote Desktop Protocol (RDP) to access a server may trigger the rule if the session involves command-line execution that resembles Carbanak behavior.
Filter/Exclusion: Filter events where the process is initiated from a known RDP session (e.g., mstsc.exe or tsclient.exe) or where the user is a domain admin with elevated privileges.

Scenario: PowerShell Script for Log Management
Description: A legitimate PowerShell script used for log rotation or system cleanup (e.g., logrotate.exe or PowerShell.exe with Out-File) may be flagged due to similar command-line patterns.
Filter/Exclusion: Filter events where the command line includes logrotate, Out-File, or Clear-Content, or where the script path is known to be part of the enterprise’s standard toolset.

Scenario: Antivirus or Endpoint Protection Scan
Description: A security tool like Microsoft Defender or CrowdStrike Falcon may execute processes that resemble malicious activity during a full system scan.
Filter/Exclusion: Check for process names like MsMpEng.exe, falcon.exe, or mpcmdrun.exe and exclude events where the process is associated with a known endpoint protection tool.

Scenario: Database Backup Job Execution
Description: A scheduled SQL Server