Combination of Blackhole and Carberp growing in Russia

The distribution scheme is standard. Victims are redirected from legitimate but compromised sites to a Blackhole site, where the exploit kit looks for a vulnerability in the victim’s browser. If it finds one, it infects the victim with Carberp.

What’s new from ESET is a current campaign directed at Russian banks and company finance managers:

  • detection of the Carberp family tripled in November alone
  • a current campaign is specifically targeting legitimate sites popular with “people managing finances in companies”
  • there has been a huge increase in the exploitation of Java vulnerabilities – Java is now responsible for more exploit detections than the PDF and SWF formats
  • the malware includes a sophisticated anti-malware evasion technique, being repacked after a defined number of detections

“Carberp,” explains Trusteer’s CTO Amit Klein, “is state of the art Man-in-the-Browser malware, which is capable of stealing user credentials (form grabbing) and modifying page contents (HTML injection), thereby fully controlling the user's browser. Carberp targets Internet Explorer and Firefox, and malware instances have been found to attack financial institutions around the world, specifically in USA, UK, the Netherlands, Germany, Italy, Denmark, Israel and Russia, as well as non-financial sites. Once Carberp's file is installed, it hides itself in the operating system to make detection more difficult.”

ESET senior research fellow David Harley, one of the authors of this research, commented, “While the world’s attention is focused on the glamorous cyberwarfare and cyberspook stories, it’s sometimes salutary to remember that more mundane criminality hasn’t stopped being highly active and highly profitable, and continuing to evolve technically, not least in Eastern Europe. As a latter-day Willie Sutton (a prolific and almost legendary US bank robber) might say, ‘Why target remote banking systems? That might not always be where the money is nowadays, but most of what money there is still goes through there sooner or later.’ He might wonder, though,” continued Harley, “whether the Malware as a Service supply chain isn’t making more money, more consistently than the run-of-the-mill robbers. In any case, it’s past time to wake up and smell the Java...”

ESET also notes that the majority of the Blackhole exploits used to infect victims are not new. Defense against Carberp is thus threefold: make sure your anti-virus is completely up-to-date; use one of the security products specifically designed to protect browsers; and make sure that all of your software is fully patched.