Categories: Cyber Crime, Malware

Carberp banking Trojan source code for sale at $5K in the underground

Security firm Group-IB has discovered the source code of the Carberp banking Trojan on sale in an underground forum for $5K.

The Carberp banking Trojan is enjoying a second youth in the underground: in recent months an investigation by security firm Group-IB identified, in an underground forum, the resumption of sales of the malware.

The version offered on the black market in December 2012 came with a new bootkit module and was priced at 40,000 USD, or 10,000 USD per month to rent.

Carberp was detected for the first time around three years ago and was considered a valid alternative to the most popular banking Trojans such as Zeus and SpyEye.

The module allows infection of the Master Boot Record (MBR), a capability cybercriminals value because code that runs before the operating system can control the victim machine for a long time without triggering antivirus notifications.
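Because an MBR bootkit lives in sector 0 rather than in a file, the practical check is to read the raw sector and compare its boot code against a baseline recorded on a known-clean system. The following is an added example (not code from the article or from Group-IB) that parses the classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), records a baseline hash of the boot code and reports deviations. The sample sectors, the partition geometry and the "bootkit patch" bytes are constructed for the demonstration; the function names are this example's own.

```python
"""MBR integrity check against a known-good baseline (added example, constructed data)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # offsets 0..445: the boot code a bootkit overwrites
PART_TABLE_OFF = 446           # four 16-byte partition entries follow the boot code
PART_ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
SIGNATURE = b"\x55\xaa"        # offsets 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a raw sector 0 into boot code, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * struct.calcsize(PART_ENTRY_FMT)
        status, ptype, lba_start, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code": sector[:BOOT_CODE_LEN],
        "partitions": partitions,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def boot_code_hash(sector: bytes) -> str:
    """Baseline value to record on a known-clean system (e.g. right after install)."""
    return hashlib.sha256(parse_mbr(sector)["boot_code"]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is corrupt or not an MBR")
    if hashlib.sha256(mbr["boot_code"]).hexdigest() != baseline_hash:
        findings.append("boot code differs from baseline: possible bootkit or MBR rewrite")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    for i, p in enumerate(mbr["partitions"]):
        if p["type"] == 0 and (p["lba_start"] or p["sectors"]):
            findings.append(f"partition {i}: unused type 0x00 but non-zero geometry")
    return findings


def make_sector(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a 512-byte MBR image from boot code and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack(PART_ENTRY_FMT, *p) for p in partitions)
    table = table.ljust(4 * struct.calcsize(PART_ENTRY_FMT), b"\x00")
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + SIGNATURE


# Constructed sample: the opening instructions of a conventional boot sector
# (xor ax,ax / mov ss,ax / mov sp,0x7c00) padded with NOPs, one bootable NTFS partition.
CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c") + b"\x90" * (BOOT_CODE_LEN - 7)
CLEAN_PARTITIONS = [(0x80, 0x07, 2048, 204800)]
CLEAN_SECTOR = make_sector(CLEAN_BOOT_CODE, CLEAN_PARTITIONS)
BASELINE_HASH = boot_code_hash(CLEAN_SECTOR)

# Constructed sample: the same sector after a bootkit-style patch that replaces the
# entry point with a near jump (E9 rel16) into attacker code stored elsewhere on disk.
INFECTED_SECTOR = make_sector(b"\xe9\x00\x10" + CLEAN_BOOT_CODE[3:], CLEAN_PARTITIONS)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_SECTOR), ("infected", INFECTED_SECTOR)):
        print(name, check_mbr(sector, BASELINE_HASH) or ["OK"])
```

One caveat a practitioner should keep in mind: bootkits commonly hook disk I/O so that tools running inside the infected operating system read back the original, clean sector. The comparison above is therefore meaningful on a sector captured offline (boot media, or a forensic image of the disk), not on a read taken from the running victim.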

In June 2012, Group-IB assisted the Ministry of the Interior with forensic investigation and analysis, and ESET researchers helped analyze the malicious software used by the Carberp gang, after which six more gang members were detained.

The sellers also adopted a new sales scheme for the Carberp banking Trojan, offering it for rent, a model already popular for selling highly qualified, professionally written banking malware from very old and well-known underground networks called «RATNET» (valenok and htum were among the most famous vendors of professional private banking spyware targeting US and Canadian banks).

The sales model known as "malware as a service" is very dangerous because it opens the door to ordinary criminals who, without any particular technical knowledge, can mount serious attacks against banking systems.

Sellers also started to offer a special service developing individual «web-injects» for major US and Canadian banks such as Wells Fargo, Citi, JP Morgan Chase, Bank of America, TD Bank and many others.

The activity observed in the underground after a long pause led security experts to expect a new massive wave of online-banking thefts in 2013. Today the situation appears very concerning: cybercriminals are now selling the source code for the Carberp banking Trojan toolkit through underground forums for $5,000 a pop.

The toolkit offered by the criminals includes the full source code for the Carberp banking Trojan; curiously, the code appears to come complete with the authors' comments. The package released for the Carberp banking Trojan toolkit includes:

  • Web-injects
  • All the modules, including the worm module (Gazavar) and a bootkit module
  • The admin panel for the C&C
  • Windows exploits for patched vulnerabilities (e.g. CVE-2012-1864 and CVE-2012-0217)

There appear to be frictions within the community that developed the malware: the forum user dubbed "madeinrm" is offering the source code for sale because another user, nicknamed "batman", had already passed the code to a third party.

According to madeinrm, batman is trying to collect information on potential clients, but his real intention is to sell the Carberp banking Trojan source code at a higher price to a restricted number of customers.


Although Russian law enforcement has arrested several cybercriminals who used the Trojan for their banking frauds, Group-IB analysts believe that the core of the Carberp gang currently comprises around 12 members, most of them located in Eastern Europe (Ukraine and Russia); they also suspect that another cell is active in the European Union.

I have interviewed Andrey Komarov, head of international projects at Group-IB, asking for more details on the Carberp banking Trojan and the possible effects of the release of its source code on the market, an event that ties the history of this malicious code to that of Zeus.

Mr Komarov, could you explain the effects of the release of the source code related to Carberp in the criminal underground? Can we hypothesize an increase in its popularity, exactly as happened with Zeus in the past?

The project will either die or be renewed with some improvements. The release of the source code will give cybercriminals the opportunity to customize the agent according to their needs. Of course, it is also an opportunity for security firms to analyze it in depth.

You said that there is a "conflict within the team" [of authors]… Could you give the readers more information?

Yes, right: the Carberp support staff who managed sales and tech support had previously sold the source code without the knowledge of the whole team.

Do you believe that the coders are "even sub-contracting" parts of the source code?

Right, this is an established practice, especially when a team of malware coders works on different projects, such as Carberp, SpyEye, etc.; that is why, once a project is finalized, they can easily move on to their own or other projects.

What do you expect from the next version of the agent? (e.g. P2P versions, spreading via social media…)

New methods of AV bypass, P2P, a stronger DGA, alternative ways for bots to communicate.

Which is the primary channel of infection for the malware?

Exploit kits and targeted spam (e.g. aimed at accountants) with malicious attachments.

Could you provide the readers with some statistics on the diffusion of the malware? (e.g. infected hosts, variants detected, number of banks hit?)

Over 10,000,000 installations during the last 2 years. The number of bank hits is very high because of the flexible web-injects engine.

Do you think that current members of the gang are subcontracting modules to other cybercriminals? What could be the effect of this collaboration?

Yes, or they have moved on to their own projects and businesses.

The investigation by Group-IB's experts revealed intense cybercrime activity around the banking sector; the release of the Carberp banking Trojan source code will surely serve as a starting point for new projects developing new and powerful cyber threats.

Pierluigi Paganini

(Security Affairs – Carberp banking Trojan, cybercrime)
