Leaked Carbanak Source Code Reveals No New Exploits

FireEye’s analysis of the Carbanak source code that emerged on VirusTotal recently found no use of new exploits. Their review of the code also verified previous assumptions on the group behind a series of cyberattacks that used the malware. 

Associated with the financially motivated threat actor FIN7, Carbanak is a full-featured backdoor that has been used in numerous attacks to steal millions of dollars. Recently, FireEye found two RAR archives on VirusTotal containing the malware’s source code, as well as other tools.

Analysis of the code revealed new details on the malware, but also confirmed what previous investigations had already discovered, such as an anti-virus evasion mechanism, authorship artifacts, exploits, and network-based indicators.

FireEye’s security researchers discovered that the malware can detect anti-virus programs by process name hashes, and that it includes different evasion techniques depending on the security product discovered. Some of the targeted anti-virus products have been updated to mitigate the attack. 
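As an added illustration (not FireEye's analysis code and not taken from the leaked source), the following shows the analyst-side counterpart to process-name hashing: precomputing hashes of candidate product process names so that hash constants recovered from a sample can be resolved back to the product they denote. The article does not specify the hash routine or the product list, so a 32-bit FNV-1a stand-in and a constructed candidate list are assumed here.

```python
# Added example: resolve hashed process-name constants from a sample back to
# the product they denote. The real hash routine is not given in the article;
# a case-insensitive 32-bit FNV-1a is an assumed stand-in, and the candidate
# process names and "sample" constants below are constructed for the demo.

FNV_OFFSET = 0x811C9DC5
FNV_PRIME = 0x01000193


def name_hash(name: str) -> int:
    """Assumed stand-in hash: FNV-1a over the lower-cased ASCII process name."""
    h = FNV_OFFSET
    for b in name.lower().encode("ascii"):
        h ^= b
        h = (h * FNV_PRIME) & 0xFFFFFFFF
    return h


# Constructed candidate list; a defender would seed this with the process
# names of the security products actually deployed in their own estate.
CANDIDATE_PROCESSES = [
    "MsMpEng.exe", "avp.exe", "avgnt.exe", "ekrn.exe", "mcshield.exe", "bdagent.exe",
]


def build_lookup(candidates):
    """Map hash -> process name for every candidate (a small rainbow table)."""
    return {name_hash(n): n for n in candidates}


def resolve_constants(constants, lookup):
    """Map each 32-bit constant pulled from a sample to a name, or None if unknown."""
    return {c: lookup.get(c) for c in constants}


if __name__ == "__main__":
    table = build_lookup(CANDIDATE_PROCESSES)
    # Constructed "sample" constants: two that resolve and one that does not.
    sample_constants = [name_hash("MsMpEng.exe"), name_hash("avp.exe"), 0xDEADBEEF]
    for const, name in resolve_constants(sample_constants, table).items():
        print(f"0x{const:08X} -> {name or 'unresolved'}")
```

An unresolved constant is itself a lead: it means the sample checks for a product not yet in the candidate list.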

The source code also revealed some artifacts pointing to the individuals behind the malware, such as host paths, but FireEye’s security researchers say the details were too scarce to help them learn more on the authors. 

The investigation also revealed that all of the exploits used by the backdoor are well-documented. The code also includes strings copied wholesale from Mimikatz, such as a module for dumping passwords and code to allow multiple remote desktop protocol connections.

The code analysis led the security researchers to the discovery of passwords used for RC2-encrypted communications and other purposes, as well as of an encrypted server certificate in a debug directory, protected with password “1”. 

Multiple Network-Based Indicators (NBIs) were also found in the source code, showing significant overlap with previously documented CARBANAK backdoor activity and FIN7 operations. 

“The previously documented NBIs, Windows API function resolution, backdoor command hash values, usage of Windows cabinet file APIs, and other artifacts associated with CARBANAK all match. Interestingly though, the project itself isn’t called CARBANAK or even Anunak as the information security community has come to call it based on the string artifacts found within the malware,” FireEye notes. 

The leak also allowed the security researchers to verify whether previous deductions on the malware were correct, such as the fact that a build tool was used to configure various details, including command and control (C&C) addresses, encryption keys, and campaign codes.

The security researchers also wanted to validate the previous assumption that the malware operators might have had direct access to the source code or a close relation to the author, but could not find definite proof of that. 

What the source code did reveal, however, were the names of commands that had previously been unidentified, along with commands absent from previously analyzed samples. One of the commands appears to be meant for debugging only and was commented out, so it never appeared in public reports.

“Having access to the source code and toolset for CARBANAK provided us with a unique opportunity to revisit our previous analysis. We were able to fill in some missing analysis and context, validate our deductions in some cases, and provide further evidence in other cases, strengthening our confidence in them but not completely proving them true,” the researchers say. 

In the final blog post detailing the code analysis, FireEye reveals that the backdoor can record videos of the victims’ desktops, giving attackers a better understanding of the operational workflow of employees at targeted banks.

The attackers used a custom-written video data file format and player. The video files have the extension .frm, and the video player searches for all files with this extension whose begin and end timestamps fall within a specified range.

Related: Carbanak Source Code Discovered on VirusTotal

Related: Source Code of Iran-Linked Hacking Tools Posted Online

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
