Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Carbanak Hackers Use Shims for Process Injection, Persistence

Recent attacks associated with the financially-motivated threat group FIN7 were using an application shim database to achieve persistence on systems, FireEye security researchers discovered.

Recent attacks associated with the financially-motivated threat group FIN7 were using an application shim database to achieve persistence on systems, FireEye security researchers discovered.

The actor, also referred to as the “Carbanak Group,” has been active since 2015, and was associated with multiple incidents in 2017, in some of which the Carbanak backdoor was used. The group is believed to have hit hundreds of financial organizations worldwide, and to have stolen upwards of $1 billion.

Earlier this year, FIN7 was observed using a new PowerShell backdoor dubbed POWERSOURCE in a series of fileless attacks that were eventually associated with an attack framework used by other cybercriminals. Last month, the group was said to have adopted new phishing techniques.

FireEye now says that the group is using a “shim” to inject a malicious in-memory patch into the Services Control Manager (“services.exe”) process, and then spawn a Carbanak backdoor process. The same technique is used to install a payment card harvesting utility for persistent access, the security firm said.

Shims are small patches that application developers can create through the Windows Application Compatibility Infrastructure, and are mainly used for compatibility purposes for legacy applications. Designed for legitimate use, shims can intercept APIs (via hooking), change the parameters passed, handle the operation itself, or redirect the operation elsewhere, and can be abused for malicious purposes.

As part of their attack, the FIN7 hackers used a custom Base64 encoded PowerShell script to run the sdbinst.exe utility and register a custom shim database file (SDB) containing a patch. Next, they wrote an “.sdb” file to the 64-bit shim database default directory, and create specific registry keys for the shim database, which had the description “Microsoft KB2832077.”

The SDB file could patch both the 32-bit and the 64-bit versions of “services.exe” with the Carbanak payload when the process was executed at startup and contained shellcode for the first stage loader. This linked to a second stage shellcode that launched the Carbanak DLL, which spawned an instance of Service Host (svchost.exe) and injected itself into it. 

To stay protected, organizations are advised to monitor their environments for new shim database files created in the default shim database directories (C:WindowsAppPatchCustom and C:WindowsAppPatchCustomCustom64) and for registry key creation and/or modification events for HKLMSOFTWAREMicrosoftWindows NTCurrentVersionAppCompatFlagsCustom and HKLMSOFTWAREMicrosoftWindows NTCurrentVersionAppCompatFlagsInstalledSDB. They should also monitor process execution events and command line arguments for malicious use of the sdbinst.exe utility, FireEye said.

Related: FIN7 Hackers Change Phishing Techniques

Related: Recent Fileless Attacks Linked to Single Framework, Researchers Say

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.