Carberp malware, a financial Trojan, is the precursor to many new malware families such as Sofacy and Bolek. Carberp is an older malware, however, it is well worth our time to review as at it’s time of release it was highly sophisticated.
Carberp was originally a Russian financial Trojan that first appeared in 2010. Carberp cybercrime group was one of the first groups to make massive use of specialist malware designed to target remote banking systems and fraud operations against major Russian banks. During it peak rates of infection many bank were the victims of Carberp fraud.
Carberp malware function via web pages attacks via Man in the Browser and use both via form grabbing and webinjects techniques.
At the time of release Carberp’s sophistication was unparalleled. Carberp has a real ability to drop its primary package during the initial infection then draw multiple other components from the C2 server. During the first steps of execution the dropper opens shared section objects and appends shellcode. Carberp has the ability to then download multiple and additional plugins that add to its functionality.
Carberp modifies banking software on java using the open source libraries. Carberp has many number of components involved in the attack, which are used to hide the infection and to silently download additional encrypted payloads that are then injected stealthily into processes. Additional components are also downloaded using back door encryption methods.
Carberp was revised for the android platform in 2012 – where it’s uptake across the android ecosystem was unparalleled.
Carberp source code was leaked in 2013, where not only source code but management code, UIs, development tools, plugins etc also became available in the public domain.
Over the years Carberp has morphed into many variants and revisions with increased stealth and sophistication. The Carberp source code and functionality has now been used across many other types of newer malware families including Bolek.