By Limor S Kessem, Cybercrime and Online Fraud Communications Specialist, RSA
Not two weeks after Citadel’s vendor and spokesperson got banned from the largest Russian-speaking cybercrime community, members from the Carberp Trojan team have resurfaced, scurrying to capture some of the underground limelight.
In a surprising move that came about earlier this week, team Carberp decided to offer their Trojan to cybercriminals for monthly usage fees ranging from $2,000 to $10,000 per month, depending on the number of modules and plugins desired. Those wishing to purchase the Trojan outright can opt to invest a whopping $40,000 for a full kit, including the malware’s builder and an improved bootkit version. At no point in cybercrime history has any developer asked such a price for a banking Trojan.
The Carberp Trojan, also known as Syscron, is semi-private malware that has been sold in the underground for over two years. First detected in June 2010, Carberp is crimeware that infects a PC with the purpose of stealing credentials for bank account takeovers and fraudulent wire transfers.
Research conducted on Carberp showed it was likely developed by a group of four malware writers and intermittently vended online in the Russian-speaking crime underground by a fifth person going by the handle “Carberp”. After the arrest of some of its gang members in Russia earlier this year, it became clear that, much like the developers of Zeus, SpyEye and Citadel, Carberp’s developers have their birthplace in Eastern Europe.
The Trojan began as private malware used by a cybercriminal gang which the media dubbed the Carberp Gang. In February 2011, the gang decided to sell the Trojan’s complete version for the first time (including the builder and a Virtual Network Computing (VNC) access module), asking $10,000 USD per kit. Compared to other popular Trojans including Zeus and SpyEye, it was one of the highest asking prices for banking Trojans on the market. Within a mere month, the team felt it had ‘sold to enough new users’ and stopped selling the Trojan, only promising to continue support to existing buyers. However, that support never materialized, and Carberp seemed to all but disappear.
New Carberp In Town
More than a year later, Carberp is suddenly back on the commercial crimeware scene. In a comeback sales advertisement, the team’s spokesperson said they decided to renew sales following a long break taken in order to develop the new version of the Trojan. He also apologized for ‘lost contact’ with existing customers. This is clearly a marketing move, because the developers purposely stopped supporting users to focus on their own gang’s endeavors — not an uncommon event for malware development teams. We have seen the same happening with the owners of Zeus, Ice IX, SpyEye, and now with Citadel to some extent. Now that Carberp is back on the market, only time will tell how it will do, and for how long, this time around.
Carberp is now being sold with two distinct options:
1.) Updates to the old version with the code’s newest modules and bug fixes.
2.) The new and improved (and very costly) bootkit version.
Security researchers studying Carberp have been able to prove that the so-called new bootkit version actually contains parts derived from the Rovnix Trojan, an advanced bootkit-type threat that infects the Volume Boot Record (VBR). Carberp also uses the VBR infection method, a less commonly used means of infecting machines compared with the more usual rootkit-type malware. Additionally, Carberp has also been strongly linked with the Blackhole exploit kit, which is sold in very similar FaaS-style monthly packages and is especially popular in the Russian-speaking deep web.
Whether Carberp developers have actually formed strategic partnerships with Rovnix or the developers of the Blackhole exploit kit is yet to be seen, but it is clear the Carberp team is attempting to take back the market and grow its earnings.
It seems like the cybercrime underground, which has recently lost some of the little access it had to the Citadel Trojan, can now turn to another developer offering crimeware, setup and support.
Compared to the truly commercial malware (Zeus, SpyEye, Citadel), Carberp is not as widespread in the wild, since it has been kept private for most of its existence, but that’s changing. For now, Carberp is willing to sell to new and unvouched-for users – opening the door for brand new botmasters to launch Trojan attacks using Carberp.
Although it is available to all, the high price tag on Carberp’s more sophisticated features will likely prove to be out of reach for common cybercriminals. Although Fraud-as-a-Service is known to lower the barrier to entry and make life easier for newbie fraudsters, this latest version of the Carberp Trojan may confirm that the highest levels of cybercrimeware are still reserved for the elite and privileged few; malware does not come with an installation wizard—yet.
The good news in knowing that Carberp usually arrives through an exploit kit (drive-by downloads) is that users can defend themselves: by being aware of the software being downloaded to their machines, and by keeping a fully patched and updated environment at all times, they can avoid the infection in the first place.
Limor Kessem is one of the top Cyber Intelligence experts at RSA, The Security Division of EMC. She is the driving force behind the cutting-edge RSA FraudAction Research Lab blog Speaking of Security. Outside of work you can find Limor dancing salsa, reading science fiction or tweeting security items on her Twitter feed @iCyberFighter.