Source code for Carberp financial malware is up for sale at a very low price, researchers say

This will likely result in other banking Trojan programs being created, researchers from Group-IB said

The source code for the Carberp banking Trojan program is being offered for sale on the underground market at a very affordable price, which could result in additional Carberp-based financial malware being developed in the future, according to researchers from Russian cybercrime investigations firm Group-IB.

A person believed to be a member of the Carberp gang announced on an underground forum that he's willing to sell the source code for the Trojan program and its additional components for US$5,000, Andrey Komarov, Group-IB's head of international projects, said Tuesday via email.

That's a very low price, considering that earlier this year the Carberp gang was offering the builder application that can be used to generate customized copies of the Trojan program for $40,000. Compiled-to-order variants of the malware were also being offered on a monthly subscription-based model with prices ranging between $2,000 and $10,000 depending on the number of additional modules included.

Komarov estimates that the source code itself would normally be worth between $50,000 and $70,000.

Carberp started out in 2010 as a private, not-for-sale, Trojan program developed and used by a single gang, but after a limited number of sales of the builder in 2011, the number of Carberp-powered fraud operations multiplied.

For a long time the Trojan program was almost exclusively used to target online banking users from Russia, Ukraine, Belarus, Kazakhstan, Moldova and other former Soviet Union states. However, variants and configuration scripts targeting U.S. and Australian banks were found this year.

Some individuals were arrested in the past for their involvement in Carberp operations, Komarov said. Right now there are approximately 12 active members within the Carberp gang, most of them from Ukraine and Russia, but some living in European Union countries, he said.

The group is also known to have hired outside developers to create additional modules for the malware. For example, Chinese hackers were hired to create a bootkit -- a boot-level rootkit -- component that can be used with the Trojan program.

Komarov believes that the sale offer for the source code is caused by a conflict within the Carberp group. The person offering the code for $5,000 uses the nickname madeinrm and claims that he'd love to sell it because another gang member known online as batman, who used to handle support operations for the gang's customers, already sold the source code to others, Komarov said.

The archive file offered by madeinrm is 5GB in size and allegedly contains the commented source code for Carberp and all of its modules, including the bootkit ones; the source code for the administration panel used on Carberp command-and-control servers; exploits for two Windows privilege escalation vulnerabilities that were patched in 2012, CVE-2012-0217 and CVE-2012-1864; and so-called "Web inject" scripts that allow the malware to interact with different online banking websites.

Komarov expects the sale of Carberp source code to ultimately result in new banking malware based on it, similar to what happened in the case of the ZeuS banking Trojan, whose source code was leaked on file-sharing websites.

The seller likely intends to quit the team and move on to other projects, Komarov said. There are past examples of malware developers giving up on their creations and canceling their identities on cybercrime forums, he said.


Tags: Group-IB, security, spyware, malware, fraud


Lucian Constantin

IDG News Service