Source code for Carberp financial malware is up for sale at a very low price, researchers say

This will likely result in other banking Trojan programs being created, researchers from Group-IB said

The source code for the Carberp banking Trojan program is being offered for sale on the underground market at a very affordable price, which could result in additional Carberp-based financial malware being developed in the future, according to researchers from Russian cybercrime investigations firm Group-IB.

A person believed to be a member of the Carberp gang announced on an underground forum that he's willing to sell the source code for the Trojan program and its additional components for US$5,000, Andrey Komarov, Group-IB's head of international projects, said Tuesday via email.

That's a very low price, considering that earlier this year the Carberp gang was offering the builder application that can be used to generate customized copies of the Trojan program for $40,000. Compiled-to-order variants of the malware were also being offered on a monthly subscription-based model with prices ranging between $2,000 and $10,000 depending on the number of additional modules included.

Komarov estimates that the source code itself would normally be worth between $50,000 and $70,000.

Carberp started out in 2010 as a private, not-for-sale, Trojan program developed and used by a single gang, but after a limited number of sales of the builder in 2011, the number of Carberp-powered fraud operations multiplied.

For a long time the Trojan program was almost exclusively used to target online banking users from Russia, Ukraine, Belarus, Kazakhstan, Moldova and other former Soviet Union states. However, variants and configuration scripts targeting U.S. and Australian banks were found this year.

Some individuals were arrested in the past for their involvement in Carberp operations, Komarov said. Right now there are approximately 12 active members within the Carberp gang, most of them from Ukraine and Russia, but some living in European Union countries, he said.

The group is also known to have hired outside developers to create additional modules for the malware. For example, Chinese hackers were hired to create a bootkit -- a boot-level rootkit -- component that can be used with the Trojan program.

Komarov believes that the sale offer for the source code is caused by a conflict within the Carberp group. The person offering the code for $5,000 uses the nickname madeinrm and claims that he'd love to sell it because another gang member known online as batman, who used to handle support operations for the gang's customers, already sold the source code to others, Komarov said.

The archive file offered by madeinrm is 5GB in size and allegedly contains the commented source code for Carberp and all of its modules, including the bootkit ones; the source code for the administration panel used on Carberp command-and-control servers; exploits for two Windows privilege escalation vulnerabilities that were patched in 2012, CVE-2012-0217 and CVE-2012-1864; and so-called "Web inject" scripts that allow the malware to interact with different online banking websites.

Komarov expects the sale of Carberp source code to ultimately result in new banking malware based on it, similar to what happened in the case of the ZeuS banking Trojan, whose source code was leaked on file-sharing websites.

The seller likely intends to quit the team and move on to other projects, Komarov said. There are past examples of malware developers giving up on their creations and canceling their identities on cybercrime forums, he said.


Lucian Constantin

IDG News Service