Analysis by: Francis Xavier Antazo


TrojanDownloader:Win32/Carberp.A (MICROSOFT), a variant of Win32/TrojanDownloader.Carberp.AM trojan (NOD32)




  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: No

  • In the wild: Yes


Infection Channel:

Downloaded from the Internet, Dropped by other malware

This backdoor is a new variant of the CARBERP malware family. It downloads and installs new plug-ins from its remote server, thus compromising the security of infected systems.

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

It logs a user's keystrokes to steal information.


File Size:

270,336 bytes

Memory Resident:


Initial Samples Received Date:

09 Feb 2017


Logs keystrokes, Downloads files, Steals information, Modifies files

Arrival Details

This backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Backdoor Routine

This backdoor executes the following commands from a remote malicious user:

  • Download, install and update plug-ins
  • Remote Desktop Connection
  • Capture Screenshots
  • Monitor Browsers by form grabbing
  • Search words in document files
  • Get FTP passwords
  • Send and delete cookies
  • Download and execute arbitrary files
  • Send files to server
  • Reboot

Information Theft

This backdoor gathers the following data:

  • Gateway
  • IP Mask
  • IP Address
  • Adapter Address
  • Adapter Description
  • AdapterName
  • SecondaryWinsServer
  • PrimaryWinsServer
  • Lease Obtained
  • DHCP Server
  • DHCP Enabled
  • Bot ID
  • Account Name
  • Account Password
  • Account Balance
  • Account Statements
  • MAC Address
  • Java Installation Information

It logs a user's keystrokes to steal information.


This backdoor downloads the following plug-ins from its command-and-control (C&C) server:

  • passw.plug - used to get passwords stored in installed software
  • docfind.plug - used to search for keywords in documents
  • cyberplat.plug - used to monitor CyberPlat
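
The following added example, which is not part of the original analysis, searches web-proxy logs for requests for the plug-in file names listed above and groups the hits by client address. The log format, hosts and addresses are constructed, and it assumes the plug-in name appears as the last path segment of the request URL, which the analysis does not state.

```python
"""Hunt web-proxy logs for downloads of the plug-in files named in this write-up."""
from collections import defaultdict
from urllib.parse import urlsplit, unquote
import posixpath

# Plug-in file names listed in the analysis.
PLUGIN_NAMES = {"passw.plug", "docfind.plug", "cyberplat.plug"}

# Constructed sample log. Assumed format: time, client IP, method, URL, status.
# Hosts are example domains, not indicators from the analysis.
SAMPLE_LOG = """\
2017-02-09T10:01:12Z 10.0.4.17 GET http://cc.example.net/cfg/passw.plug 200
2017-02-09T10:01:15Z 10.0.4.17 GET http://cc.example.net/cfg/DOCFIND.PLUG?id=1 200
2017-02-09T10:02:40Z 10.0.7.3 GET http://intranet.example.org/docs/plugins.html 200
2017-02-09T10:03:02Z 10.0.9.8 GET http://cdn.example.com/a/cyberplat.plug.txt 404
2017-02-09T10:05:44Z 10.0.4.21 POST http://cc.example.net/get/cyberplat%2Eplug 200
malformed line
"""


def requested_file(url):
    """Return the lower-cased, percent-decoded last path segment of a URL."""
    path = unquote(urlsplit(url).path)  # query string and fragment are excluded
    return posixpath.basename(path).lower()


def find_plugin_fetches(log_text):
    """Map client IP -> list of (timestamp, plug-in name, URL) for matching requests."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not fit the assumed format
        timestamp, client, _method, url, _status = fields
        name = requested_file(url)
        # Exact match on the file name, so "cyberplat.plug.txt" is not flagged.
        if name in PLUGIN_NAMES:
            hits[client].append((timestamp, name, url))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(find_plugin_fetches(SAMPLE_LOG).items()):
        for timestamp, name, url in events:
            print(f"{client} requested {name} at {timestamp}: {url}")
```

A client that requests more than one of these files in a short window is a stronger lead than a single hit, since the names are short enough to collide with unrelated software.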

It monitors the following browsers:

  • Internet Explorer
  • Firefox
  • Chrome
  • Opera

It uses the following strings for monitoring:

  • BBSCBank
  • *az_start
  • *az_stop
  • ibank2.ru
  • *://online.payment.ru/juricvalrur/JuridicalClient.html
  • *passport.yandex*
  • https://*/ibc
  • *connect.raiffeisen.ru/rmc*
  • *avangard.ru*
  • *ibank.alfabank.ru*
  • *online.sbank.ru*

It monitors user activity regarding the following banks and banking systems:

  • BSS
  • Cyberplat
  • Ibank
  • SBER

Further analysis of this malware reveals that it modifies Java core files such as java.exe and javaw.exe for monitoring.


Minimum Scan Engine:


Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Scan your computer with your Trend Micro product and note files detected as BKDR_CARBERP.XF.
