The source code of the infamous Carbanak banking malware has been found on VirusTotal. Security researchers from FireEye report that they discovered the malware's source code, builders, and some previously unknown plugins in two RAR archives that had been uploaded to VirusTotal roughly two years earlier from a Russian IP address.
What did the researchers say about the unusual discovery?
CARBANAK is one of the most full-featured backdoors around. It was used to perpetrate millions of dollars in financial crimes, largely by the group we track as FIN7. In 2017, Tom Bennett and Barry Vengerik published Behind the CARBANAK Backdoor, which was the product of a deep and broad analysis of CARBANAK samples and FIN7 activity across several years. On the heels of that publication, our colleague Nick Carr uncovered a pair of RAR archives containing CARBANAK source code, builders, and other tools (both available in VirusTotal: kb3r1p and apwmie).
Before the analysis could begin, the researchers had to solve two practical problems: displaying the source files in the correct character encoding and learning enough Russian to read the comments and identifiers. The source archive was about 20 MB in size and contained 755 files, including 39 binaries and roughly 100,000 lines of code. FireEye plans to publish a four-part series of articles covering Carbanak's features, based on both the source code and reverse engineering of compiled samples.
More about Carbanak
The malware was first identified in 2014 by Kaspersky Lab researchers. The cybercriminals behind it have proven highly capable, carrying out multiple successful attacks while evading detection. The group is believed to have started its campaigns about six years ago, using Anunak and later Carbanak in attacks against banks and ATM networks.
The criminals succeeded in stealing more than a billion euros from at least 100 international banks.
In 2015, the banking malware was used in phishing campaigns targeting Europe and the USA. That particular Carbanak variant was digitally signed with a code-signing certificate issued by Comodo, which helped it pass as legitimate software.
According to European authorities, the Carbanak criminal group went on to develop another sophisticated banking trojan known as Cobalt. Many experts have linked the Cobalt attacks to the same group, which has a long criminal history of such operations. The Cobalt group is the one held responsible for the attacks on Russian banks in 2015 and 2016.