FireEye experts found source code for CARBANAK malware on VirusTotal

Pierluigi Paganini April 23, 2019

Cybersecurity researchers from FireEye revealed that the Carbanak source code has been available on VirusTotal for two years, and no one noticed it before.

Researchers at FireEye discovered that the Carbanak source code has been available on VirusTotal for two years, but it was not noticed before.

The Carbanak gang (aka FIN7, Anunak or Cobalt) stole over a billion euros from banks across the world. The name “Carbanak” comes from the name of the malware they used to compromise computers at banks, other financial institutions, restaurants, and other industries.

The CARBANAK cybercrime gang was first uncovered in 2014 by Kaspersky Lab, which dated its activity back to 2013, when the group leveraged the Anunak malware in targeted attacks on financial institutions and ATM networks. Between 2014 and 2016 the group used a new custom malware dubbed Carbanak that is considered a newer version of Anunak.

Starting in 2016, the group developed a new custom malware using Cobalt Strike, a legitimate penetration testing framework.


The experts discovered the source code, builders, and some previously unknown plugins in two different RAR archives.

The two archives were both uploaded two years ago from the same Russian IP address.

“On the heels of that publication, our colleague Nick Carr uncovered a pair of RAR archives containing CARBANAK source code, builders, and other tools (both available in VirusTotal: kb3r1p and apwmie).” reads a blog post published by FireEye.

“CARBANAK source code was 20MB comprising 755 files, with 39 binaries and 100,000 lines of code. Our goal was to find threat intelligence we missed in our previous analyses.”

Last year, between January and June, law enforcement arrested three Ukrainian suspects: Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov.

Fedorov, a skilled hacker who is suspected to be a manager of the group, was arrested in January at the request of U.S. officials in Bielsko-Biala, Poland, and is currently awaiting extradition to the United States.

In January 2018 foreign authorities also arrested Fedir Hladyr in Dresden, Germany. He is currently detained in Seattle pending trial. Hladyr is suspected to be a system administrator for the group.

In late June 2018, foreign authorities arrested Andrii Kolpakov in Lepe, Spain. The man is suspected to be a supervisor of the group. He is currently detained in Spain pending the United States’ request for extradition.


(SecurityAffairs – Carbanak, Russia)
