Pierluigi Paganini December 17, 2012

During the last week introduced you the excellent work done by the Group-IB, a security firm resident of the Moscow-based Skolkovo Foundation that has received a grant in the amount of 30m rubles (approximately $966,000) for the development of a global counter-cybercrime system named the CyberCop.

It was for me the opportunity to receive many interesting information of the evolution of cybercrime phenomena … today I desire to propose a exclusive… Banking trojan «Carberp is back again and Group-IB researchers have provided me the evidences.

Threat Intelligence Team discovered that after big pause Carberp sales were reborn in underground, which means that massive wave of online-banking thefts will begin close to New Year time.

The most interesting is new bootkit module, the price of which is 40 000 USD or 10 000 USD on rent per month. It helps to infect MBR record which means that the hacker will have long term opportunity to control the victim without antivirus notifications.

The new thread from Carberp vendor on one of private underground forums called «verified.ms» was created for anonymization the seller uses GPG-key and Jabber contact.

The malware sellers started to use new scheme of Carberp sales by the opportunity of its rent, which was popular in selling of very qualified written and professional banking malware from very old famous underground networks called «RATNET» (valenok and htum were one the most famous vendors of professional private banking spyware for US and Canadian banks).

The sales model known as “malware as a service” is very dangerous because it open the doors to ordinary crime that without particular knowledge could move serious attacks against banking systems.

Sellers also started to provide special service of individual «web-injects» development for major US and CA banks such as WellsFargo, Citi, JP Morgan Chase, Bank of America, TD Bank and many others.  Previously, Zeus and SpyEye, the Carberp Trojan program is primarily used to target online banking customers from Russia and other Russian-speaking countries like Ukraine, Belarus or Kazakhstan.

In June 2012, Group-IB provided assistance with forensic investigation and analysis to the Ministry of the Interior, and ESET researchers helped with the analysis of malicious software used by the Carberp gang, after which six more gang members held (http://blog.eset.com/2012/06/04/carberp-and-hodprot-six-more-gang-members-held).

It must be considered that banking system is a vital component of any countries, it represents a critical infrastructure that governments have to preserve with a proper cyber strategy.

Cyber criminals, but also hacktivists, state-sponsored hackers and cyber terrorists could be interested to attack banking for various purposes, for this reason it is crucial the monitoring of cyber underground and the detecting of initiative such as the one described in this article to not be caught unprepared by the cyber threat … we cannot afford it.

Pierluigi Paganini