Carbanak Backdoor’s Source Code Leaked: What This Means for Enterprises

The source code of the notorious Carbanak backdoor, which was linked to several high-profile data breaches, was found on the VirusTotal platform. Researchers at FireEye, who uncovered it two years ago on VirusTotal, have recently shared their analysis of the malware, noting its sophistication particularly in the way it hinders analysis through obfuscation.

Trend Micro proactively detects and blocks Carbanak as: Trojan.Win32.CARBANAK.A, Trojan.Win32.CARBANAK.B, Backdoor.Win32.CARBANAK.A, HackTool.Win32.CARBANAK.A, Trojan.Win64.CARBANAK.A, Backdoor.Win64.CARBANAK.A, HackTool.Win64.CARBANAK, and Backdoor.MSIL.CARBANAK.AA.

Here’s a rundown of what Carbanak is, and what the leaked source code could mean to users and enterprises:

[READ: Banks Under Attack: Tactics and Techniques Used to Target Financial Organizations]

What is Carbanak?

Carbanak was one of the backdoors that cybercriminal syndicate FIN7 (aka JokerStash, Carbanak, and Anunak) used against their targets. The malware was involved in cyber heists on over 100 banks across 30 countries, and reportedly resulted in financial losses of up to US$1 billion. Carbanak was also linked to other campaigns that employed point-of-sale (PoS) malware. The backdoor was also used to target more than 100 U.S.-based businesses mainly in the hospitality, restaurant, and gaming industries.

[Trend Micro Research: Joke or Blunder: Carbanak C&C Leads to Russia Federal Security Service]

Who is FIN7, and where are they now?

FIN7, which primarily used the Carbanak malware, also engaged in the sale of stolen payment card information on the dark web. The group further honed Carbanak’s functionalities, and by 2016 it had developed a custom trojan, Cobalt, by abusing the legitimate penetration testing tool Cobalt Strike.

FIN7’s leader was arrested in March 2018, followed by the arrest of three more members linked to the cybercriminal group in August. Despite these arrests, FIN7 still soldiered on, mounting campaigns using the SQLRat and DNSBot malware.

[READ: Carbanak’s Ties to Other Campaigns Targeting Financial Organizations]

How does Carbanak infiltrate a network or system?

FIN7 typically employs spearphishing to gain a foothold into their target’s network. These spearphishing emails have attachments embedded with exploits for various vulnerabilities. When successfully exploited, a shellcode would execute Carbanak.

FIN7 also reportedly abused the dynamic data exchange (DDE) feature in Windows and legitimate cloud-based services to deliver Carbanak or as part of command-and-control (C&C) communication.

[READ: How a Point-of-Sale Malware Could Be Related to Carbanak]

What happens after Carbanak is executed?

Carbanak’s backdoor capabilities are carried out, some of which include: logging keystrokes; capturing screenshots of websites of interest; stealing and deleting cookies; and injecting malicious code to websites. It also monitors traffic (such as that from forms, Outlook, and PoS systems) traversing in and out of the infected system.

Carbanak also uses remote or system administration tools to further monitor the target or conduct lateral movement. Similar to targeted attacks, Carbanak is known to perform reconnaissance so that attackers can familiarize themselves with their target’s business processes. This information can then be used, for example, to tamper with banking data or make illicit transactions.

[READ: Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks]

What does the leaked source code contain?

To fully understand Carbanak, which has 100,000 lines of code, the researchers used a script to translate comments and graphical user interfaces embedded in the malware, which were in Russian. The researchers’ findings include, among others: Carbanak’s unique approach for communicating with its C&C servers; how it evades detection; and the security flaws it exploits.

Carbanak uses a Windows mechanism called pipes, enabling the malware to receive commands even without a network. This pipe architecture is also what made analysis difficult, as the intricate mechanisms in Carbanak’s source code obfuscated its many components.

[READ: Lurk: Retracing the Cybercriminal Group’s Five-Year Campaign]

What does the source code leak mean for users and enterprises?

The leaked source code helps by giving the information security community the threat intelligence needed to understand how the threat works and how to defend against it.

On the other hand, opportunistic cybercriminals could recompile and rehash it for their own ends. This could result in different Carbanak iterations in the wild. For example, the infamous Mirai, whose source code was also leaked, spawned offshoots like the Satori, Miori, and Yowai botnet malware, to name a few.

While Carbanak’s leaked source code could help the infosec community stay ahead of it, users and enterprises shouldn’t be complacent. With the multitude of threats that are out to steal financial information, it sometimes only takes a single, socially engineered phishing email or vulnerable application for attackers to pilfer millions.

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads.

With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Updated as of April 29, 2019, 6:15PM PDT to update Trend Micro detections for Carbanak.

