Connect with us

Hi, what are you looking for?


Malware & Threats

Carbanak Hackers Use Shims for Process Injection, Persistence

Recent attacks associated with the financially-motivated threat group FIN7 were using an application shim database to achieve persistence on systems, FireEye security researchers discovered.

Recent attacks associated with the financially-motivated threat group FIN7 were using an application shim database to achieve persistence on systems, FireEye security researchers discovered.

The actor, also referred to as the “Carbanak Group,” has been active since 2015, and was associated with multiple incidents in 2017, in some of which the Carbanak backdoor was used. The group is believed to have hit hundreds of financial organizations worldwide, and to have stolen upwards of $1 billion.

Earlier this year, FIN7 was observed using a new PowerShell backdoor dubbed POWERSOURCE in a series of fileless attacks that were eventually associated with an attack framework used by other cybercriminals. Last month, the group was said to have adopted new phishing techniques.

FireEye now says that the group is using a “shim” to inject a malicious in-memory patch into the Services Control Manager (“services.exe”) process, and then spawn a Carbanak backdoor process. The same technique is used to install a payment card harvesting utility for persistent access, the security firm said.

Shims are small patches that application developers can create through the Windows Application Compatibility Infrastructure, and are mainly used for compatibility purposes for legacy applications. Designed for legitimate use, shims can intercept APIs (via hooking), change the parameters passed, handle the operation itself, or redirect the operation elsewhere, and can be abused for malicious purposes.

As part of their attack, the FIN7 hackers used a custom Base64 encoded PowerShell script to run the sdbinst.exe utility and register a custom shim database file (SDB) containing a patch. Next, they wrote an “.sdb” file to the 64-bit shim database default directory, and create specific registry keys for the shim database, which had the description “Microsoft KB2832077.”

The SDB file could patch both the 32-bit and the 64-bit versions of “services.exe” with the Carbanak payload when the process was executed at startup and contained shellcode for the first stage loader. This linked to a second stage shellcode that launched the Carbanak DLL, which spawned an instance of Service Host (svchost.exe) and injected itself into it. 

To stay protected, organizations are advised to monitor their environments for new shim database files created in the default shim database directories (C:WindowsAppPatchCustom and C:WindowsAppPatchCustomCustom64) and for registry key creation and/or modification events for HKLMSOFTWAREMicrosoftWindows NTCurrentVersionAppCompatFlagsCustom and HKLMSOFTWAREMicrosoftWindows NTCurrentVersionAppCompatFlagsInstalledSDB. They should also monitor process execution events and command line arguments for malicious use of the sdbinst.exe utility, FireEye said.

Advertisement. Scroll to continue reading.

Related: FIN7 Hackers Change Phishing Techniques

Related: Recent Fileless Attacks Linked to Single Framework, Researchers Say

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.