
Source code of Carbanak backdoor trojan was available on VirusTotal for almost 2 years

  • FireEye researchers detected two RAR archives uploaded on the VirusTotal malware scanning portal that contained Carbanak’s source code, builders, and other tools.
  • Carbanak source code was 20MB in size and consisted of 755 files, 39 binaries, and over 100,000 lines of code.

Security researchers from FireEye have uncovered the source code of the ‘Carbanak’ backdoor trojan, which had been sitting on VirusTotal for almost two years before it was noticed.

Worth noting

  • Carbanak is a backdoor trojan developed and used by the FIN7 threat group.
  • Between 2014 and 2016 the Carbanak trojan was used to target more than 100 banks around the world and steal more than $1 billion.

The big picture

In April 2019, FireEye security researcher Nick Carr detected two RAR archives uploaded to the VirusTotal malware scanning portal that contained Carbanak’s source code, builders, and other tools. The Carbanak source code was 20MB in size and consisted of 755 files, 39 binaries, and over 100,000 lines of code.

“We found the full CARBANAK source code & previously unseen plugins. Our #FLARE team spent 500 hours analyzing the 100,000+ lines of code,” Carr tweeted.

FireEye’s research team has analyzed the source code and has published the first two parts of a four-part blog series.

Part one of the analysis

In the first part, the researchers discuss the translated graphical user interfaces of the CARBANAK tools and the anti-analysis tactics found in the source code.

  • Carbanak leverages a Windows mechanism called named pipes for communicating across all the threads, processes, and plugins under the backdoor’s control.
  • The same mechanism allows a local client to dispatch commands to the malware without the use of a network.
  • Carbanak’s source tree includes a utility that scans the source code for invocations of an API macro and builds a header file defining string hashes for all the Windows API function names encountered in the codebase, so the binary resolves imports by hash at runtime instead of carrying a readable import table.
  • The source code shows how the malware authors used the C preprocessor together with custom code-scanning and code-generation tools to obfuscate the code.

“CARBANAK’s executable code is filled with logic that pushes hexadecimal numbers to the same function, followed by an indirect call against the returned value,” researchers explained in the first part of their analysis.
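The hash-based API resolution described above is easier to understand with a small model of both sides of it. The block below is an added example, not code from the FireEye blog or from the Carbanak source. It implements (a) the pre-build step the researchers describe, a scanner that finds `API(MODULE, Function)` invocations in C source and emits a header of hash constants, and (b) the analyst’s counter-move, precomputing a hash-to-name table from export lists so that the hexadecimal immediates pushed before the resolver call can be labelled. The `API` macro name, the FNV-1a hash, the sample source and the disassembly listing are all assumptions constructed for the example; Carbanak’s real macro and hash function are not given on this page.

```python
import re

# Assumed hash: 32-bit FNV-1a over the ASCII export name. This is an
# illustrative choice, not the hash used by CARBANAK.
def api_hash(name: str) -> int:
    h = 0x811C9DC5
    for b in name.encode("ascii"):
        h ^= b
        h = (h * 0x01000193) & 0xFFFFFFFF
    return h

# Assumed macro shape: API(MODULE, Function)(args...)
API_CALL = re.compile(r"\bAPI\(\s*(\w+)\s*,\s*(\w+)\s*\)")

# Constructed sample of source that uses such a macro.
SAMPLE_SOURCE = r"""
HANDLE h = API(KERNEL32, CreateNamedPipeA)(name, PIPE_ACCESS_DUPLEX, 0, 1, 0, 0, 0, NULL);
API(KERNEL32, ConnectNamedPipe)(h, NULL);
LPVOID p = API(KERNEL32, VirtualAlloc)(NULL, n, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
API(ADVAPI32, OpenProcessToken)(hProc, TOKEN_QUERY, &tok);
"""

def scan_api_invocations(source: str):
    """Return sorted, de-duplicated (module, function) pairs used in the source."""
    return sorted(set(API_CALL.findall(source)))

def generate_hash_header(source: str) -> str:
    """Emit the generated header a pre-build step would produce: one
    #define per API name carrying its hash, so the binary never stores
    the function name as a string."""
    lines = ["/* generated: API name hashes, do not edit */"]
    for module, func in scan_api_invocations(source):
        lines.append(f"#define H_{module}_{func} 0x{api_hash(func):08X}u")
    return "\n".join(lines) + "\n"

# Analyst side. Constructed subset of real export names; a full table would
# come from the export directories of the DLLs on a reference Windows build.
KNOWN_EXPORTS = {
    "KERNEL32": ["CreateFileA", "CreateNamedPipeA", "ConnectNamedPipe",
                 "VirtualAlloc", "WriteFile"],
    "ADVAPI32": ["OpenProcessToken", "CryptAcquireContextA"],
}

def build_lookup(exports):
    """Precompute hash -> (module, name), and flag collisions, which would
    make a label ambiguous."""
    table, collisions = {}, []
    for module, names in exports.items():
        for n in names:
            h = api_hash(n)
            if h in table and table[h] != (module, n):
                collisions.append((h, table[h], (module, n)))
            table[h] = (module, n)
    return table, collisions

# Constructed disassembly of the "push immediate; call resolver; call eax"
# pattern quoted above. The immediates are built from api_hash so the sample
# is consistent with the assumed hash.
LISTING = (
    f"push 0x{api_hash('VirtualAlloc'):08X}\n"
    "call sub_401000\n"
    "call eax\n"
    f"push 0x{api_hash('OpenProcessToken'):08X}\n"
    "call sub_401000\n"
    "call eax\n"
    "push 0xDEADBEEF\n"
    "call sub_401000\n"
    "call eax\n"
)
PUSH_IMM = re.compile(r"^push\s+0x([0-9A-Fa-f]{1,8})$", re.M)

def label_listing(listing: str, table):
    """Map each pushed immediate to an API name, or None if unknown."""
    return [table.get(int(v, 16)) for v in PUSH_IMM.findall(listing)]

if __name__ == "__main__":
    print(generate_hash_header(SAMPLE_SOURCE))
    table, collisions = build_lookup(KNOWN_EXPORTS)
    print(label_listing(LISTING, table), collisions)
```

The unknown immediate (0xDEADBEEF above) is the realistic case: it means the export table fed to `build_lookup` is incomplete, or the hash function guess is wrong, and the analyst should widen the export list before concluding anything. Collisions are reported rather than silently overwritten for the same reason.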

Part two of the analysis

In the second part, the researchers discuss Carbanak’s antivirus (AV) detection and evasion, authorship artifacts, exploits, embedded secrets, and network-based indicators.

  • The Carbanak source code contained several exploits, previous C2 hosts, and passwords.
  • It also contained code copied from Mimikatz, along with numerous network-based indicators (NBIs).
  • It further contained an encrypted server certificate and multiple private and public keys.

The exploits include PathRec (CVE-2013-3660), Sdrop (CVE-2013-3660), NDProxy (CVE-2013-5065), UACBypass, COM, BlackEnergy2, and an exploit for CVE-2014-4113.
