
Carbanak malware source code exposed for the first time

FireEye discovers the Carbanak malware source code, builders, and some previously unseen plugins in two RAR archives on VirusTotal

The Carbanak malware has been exposed. FireEye cyber security experts revealed that they found its source code, builders, and some previously unseen plugins in two RAR archives that were uploaded to the VirusTotal malware scanning engine two years ago from a Russian IP address. According to the company’s blog, the Carbanak source code was 20MB, comprising 755 files, with 39 binaries and 100,000 lines of code. The malicious code (aka FIN7, Anunak or Cobalt) is one of the most full-featured and dangerous trojans, and belongs to an APT-style cybercrime group involved in several attacks against banks, financial institutions, hospitals, and restaurants. First uncovered in 2014 by Kaspersky Lab, Carbanak is one of the most successful malware attacks in the world, launched by a highly organized group that continually evolved its tactics while avoiding detection by potential targets and the authorities.

The cybercrime group behind the trojan stole over a billion euros from more than 100 banks across the globe

The cybercrime group behind the malware started its activities almost six years ago by launching a series of malware attacks using Anunak and Carbanak to compromise banks and ATM networks worldwide, stealing over a billion euros from more than 100 banks across the globe. To compromise banks, the threat actor sent malicious spear-phishing emails to hundreds of employees at different banks. The emails infected computers with the trojan, allowing the attackers to transfer money from affected banks to fake accounts or to ATMs monitored by them. According to the European authorities, the criminal group later developed a sophisticated heist-ready banking trojan called Cobalt, based on the Cobalt Strike penetration testing software, which was in use until 2016. The group was first exposed in 2015 as financially motivated cybercriminals, and three Ukrainian suspects (Dmytro Fedorov, Fedir Hladyr and Andrii Kopakov) were arrested last year in Europe between January and June.

The cyber security experts, thanks to the Carbanak source code, plan to release a 4-part series of articles detailing the malware features and analysis, based upon its source code and reverse engineering

Now FireEye cyber security researchers, thanks to the discovery, plan to release a 4-part series of articles detailing CARBANAK features and analysis, based upon its source code and reverse engineering. The objective of the analysis is to discover threat intelligence gaps and better protect their customers. In the first issue, they discuss Russian language concerns, translated graphical user interfaces of malware tools, and anti-analysis tactics as seen from a source code perspective. They also explain an interesting twist where analyzing the source code surprisingly proved to be just as difficult as analyzing the binary, if not more.

Photo Credits: FireEye
