BKDR_CARBERP.XF
TrojanDownloader:Win32/Carberp.A (MICROSOFT), a variant of Win32/TrojanDownloader.Carberp.AM trojan (NOD32)
Windows
Threat Type: Backdoor
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet, Dropped by other malware
This backdoor is a new variant of the CARBERP malware family. It downloads and installs new plug-ins from its remote server, which compromises the security of the infected system.
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It executes commands from a remote malicious user, effectively compromising the affected system.
It logs a user's keystrokes to steal information.
TECHNICAL DETAILS
File Size: 270,336 bytes
Memory Resident: Yes
Initial Samples Received Date: 09 Feb 2017
Payload: Logs keystrokes, Downloads files, Steals information, Modifies files
Arrival Details
This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Backdoor Routine
This backdoor executes the following commands from a remote malicious user:
- Download, install and update plug-ins
- Remote Desktop Connection
- Capture Screenshots
- Monitor Browsers by form grabbing
- Search words in document files
- Get FTP passwords
- Send and delete cookies
- Download and execute arbitrary files
- Send files to server
- Reboot
Information Theft
This backdoor gathers the following data:
- Gateway
- IP Mask
- IP Address
- Adapter Address
- Adapter Description
- AdapterName
- SecondaryWinsServer
- PrimaryWinsServer
- Lease Obtained
- DHCP Server
- DHCP Enabled
- Bot ID
- Account Name
- Account Password
- Account Balance
- Account Statements
- MAC Address
- Java Installation Information
It logs a user's keystrokes to steal information.
NOTES:
This backdoor downloads the following plug-ins from its command-and-control (C&C) server:
- passw.plug - retrieves passwords stored by installed software
- docfind.plug - searches for keywords in documents
- cyberplat.plug - monitors CyberPlat
It monitors the following browsers:
- Internet Explorer
- Firefox
- Chrome
- Opera
It uses the following strings for monitoring:
- BBSCBank
- *az_start
- *az_stop
- ibank2.ru
- *://online.payment.ru/juricvalrur/JuridicalClient.html
- *passport.yandex*
- https://*/ibc
- *connect.raiffeisen.ru/rmc*
- *avangard.ru*
- *ibank.alfabank.ru*
- *online.sbank.ru*
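The monitoring strings above are the triggers the backdoor uses to decide which web sessions to grab; the same list is useful to a defender for hunting in proxy logs for hosts that are reaching the targeted banking sites. The following script is an added example and is not part of the Trend Micro description: it turns the listed strings into regular expressions and runs them over a few constructed proxy log lines. The matching semantics (`*` matches any run of characters, everything else is literal, matching is case-insensitive and unanchored so a string without a wildcard acts as a substring test) and the log line format are assumptions, not documented behaviour of the malware.

```python
import re
from typing import List, Tuple

# Monitoring strings copied from the BKDR_CARBERP.XF description.
CARBERP_MONITOR_STRINGS = [
    "BBSCBank",
    "*az_start",
    "*az_stop",
    "ibank2.ru",
    "*://online.payment.ru/juricvalrur/JuridicalClient.html",
    "*passport.yandex*",
    "https://*/ibc",
    "*connect.raiffeisen.ru/rmc*",
    "*avangard.ru*",
    "*ibank.alfabank.ru*",
    "*online.sbank.ru*",
]


def pattern_to_regex(pattern: str) -> "re.Pattern":
    """Compile one monitoring string into a regex.

    Assumption (not stated on the page): '*' is a wildcard for any run of
    characters, every other character is literal, and matching is
    case-insensitive and unanchored, so a string with no '*' is a plain
    substring test.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts), re.IGNORECASE)


COMPILED = [(p, pattern_to_regex(p)) for p in CARBERP_MONITOR_STRINGS]


def matching_patterns(url: str) -> List[str]:
    """Return every monitoring string that matches the given URL."""
    return [p for p, rx in COMPILED if rx.search(url)]


# Assumed proxy log layout: "<timestamp> <client-ip> <METHOD> <url> ...".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def scan_proxy_log(lines) -> List[Tuple[str, str, str]]:
    """Yield (client, url, pattern) for every log line hitting a monitored URL."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        for pattern in matching_patterns(m["url"]):
            hits.append((m["client"], m["url"], pattern))
    return hits


# Constructed sample lines; hosts, addresses and times are made up.
SAMPLE_LOG = """\
2017-02-09T10:00:01Z 10.0.0.5 GET https://ibank.alfabank.ru/login
2017-02-09T10:00:02Z 10.0.0.5 GET https://www.example.com/index.html
2017-02-09T10:00:03Z 10.0.0.7 POST https://passport.yandex.ru/auth
2017-02-09T10:00:04Z 10.0.0.7 GET https://bank.example.net/ibc
2017-02-09T10:00:05Z 10.0.0.9 GET http://online.payment.ru/juricvalrur/JuridicalClient.html
garbage line
"""

if __name__ == "__main__":
    for client, url, pattern in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{client}\t{url}\tmatched {pattern!r}")
```

A hit on its own only shows that a host visited a bank the malware targets, which is normal for legitimate users of those services; the value of the list is in correlating such hits with the other indicators on this page (the plug-in downloads, the modified java.exe and javaw.exe, the detection name) on the same host.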
It monitors user activity regarding the following banks and banking systems:
- BSS
- Cyberplat
- Ibank
- SBER
Further analysis of this malware reveals that it modifies Java core files such as java.exe and javaw.exe for monitoring.
SOLUTION
Minimum Scan Engine: 9.700
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Scan your computer with your Trend Micro product and note files detected as BKDR_CARBERP.XF