Carberp Rampages Across Australia

G’Day, Carberp! A variant of the botnet creation kit and information-stealing trojan Carberp has headed down under, where it’s being spread through a spam campaign and wreaking havoc across Australia.

Dubbed Trojan.Carberp.C, this is the third iteration of the kit since the source code for the original version was leaked in June 2013.

Security experts had predicted that it would only be a matter of time before the stealer malware code was modified and reused. Trojan.Carberp.B was uncovered in late 2014, proving them right, and now there’s another one.

“The Carberp malware likes to travel, it would seem,” said Symantec researchers, in an analysis of the fresh bug. “In its early days, Carberp was exclusively used to swipe online banking credentials and other valuable information in Russian-speaking countries, but was later modified to allow the malware to target US banks. Just like any successful business, expansion is the key, and now Carberp is exploring yet another continent.”

Spam emails claiming to be payment reminders, with an attachment that poses as an invoice, are the vector in this case; when opened, the attachment executes the Trojan, which injects code into a Windows process and decrypts and decompresses embedded 32-bit or 64-bit modules (depending on the operating system).

This latest version of the malware is still focused on stealing information, and now has the ability to download additional plug-ins that add to its functionality. One of those is used to hook specific APIs in order to steal confidential information such as user names and passwords from different internet browsers.

Another major upgrade in the “C” version is the amount of code devoted to stealth.

“What's interesting about this Carberp variant is the number of components involved in the attack, which are used to hide the infection and to silently download additional encrypted payloads that are then injected stealthily into processes,” Symantec said. “Additional components are embedded in the dropper and compressed.”

As always, users should be cautious when dealing with suspicious emails and should avoid clicking on suspicious links or opening attachments in unsolicited email.

The researchers said that Carberp’s expansion may point to Oz being a newly popular frontier for criminals.

“The fact that the new variant is mainly targeting Australia may also point to a wider trend in malware authors venturing into the land down under, as recently highlighted by a significant increase in crypto-malware hitting Australian computers,” Symantec said.
