Connect with us

Hi, what are you looking for?



Source Code for Carberp Trojan for Sale in Cybercrime Underground

Researchers have found the source code for the Carberp Trojan on sale in underground forums.

A person using the name “madeinrm” announced that the Carberp source code was available for sale, Group-IB researchers told SecurityWeek.

Researchers have found the source code for the Carberp Trojan on sale in underground forums.

A person using the name “madeinrm” announced that the Carberp source code was available for sale, Group-IB researchers told SecurityWeek.

The archive allegedly includes the full source code of Carberp with comments, Web injects, all the modules used by Carberp, the source code of RDPxTerm and Gazavar (the worm module), the admin panel for the command-and-control server, the bootkit module, among others, Andrey Komarov, head of international projects of CERT-GIB at Group-IB, told SecurityWeek.

The bootkit is designed to significantly improve the infection rate and load a specifically compiled driver when the computer loads the operating system, according to the translated advertisement.

The price, at $5,000, is “democratic,” said Komarov.

The archive, which is about 5 GB in size, also has all available versions of the Carberp builder and two exploits (CVE-2012-1864 and CVE-2012-0217), Komarov said. CVE-2012-1864, patched by Microsoft in June 2012, is a an escalation of privileges vulnerability in how win32k.sys kernel-mode drivers in Microsoft Windows XP, Windows Server 2003, Vista, Windows Server 2008, and Windows 7 handle user-mode input. CVE-2012-0217 is a vulnerability in Xen 4.1.2 and earlier as used in various versions of Citrix XenServer, Oracle Solaris 11, illumos, Joyent SmartOS, FreeBSD, Microsoft Windows Server 2008, and Windows 7.

It’s not clear if the seller is the original developer, or someone who acquired the code and is trying to profit by distributing it further. The seller claimed to be working with “Batman,” the person who originally managed all the sales and technical support of Carberp, Komarov said. The seller also said all potential customers would need to be verified to ensure the source code doesn’t get distributed into the wrong hands, according to Komarov.

Advertisement. Scroll to continue reading.

Interestingly, Trusteer researchers came across what appears to be a different seller offering Carberp source code, but with a hefty $50,000 price tag. The seller, “=Sj=” said the code was being sold “in coordination with the Carberp author and that it will only be sold to a trustworthy member,” Trusteer’s Etay Maor wrote on the company blog.

This suggests that other people are attempting to sell the source code at a significantly lower price, Maor said, and the advertisement Group-IB found appears to confirm that is the case.

It’s possible that a “breach of contract by a Carberp seller caused a buyer to take revenge and sell the source code,” Maor said.

The advertisement found by Trusteer researchers included additional details about the components for sale, such as form grabbers for major browsers and Russian and Ukranian-language form grabbers to specifically target applications in those languages. FTP, email, and certificate grabbers were also listed, according to Trusteer.

It is generally rare to see source code for malware being sold, even on underground criminal forums. It was unusual when a version of Zeus appeared on the forums a few years ago, and the fact that Carberp is now being offered for sale is unexpected.

It’s very likely that once the code is sold, the new buyers would add on new features and distribute those variants to create newer versions of sophisticated malware. Citadel is an example of how the new buyers enhanced and sold new versions of the malware, noted Maor.

Carberp Source Code

Carberp can “easily be configured” to target a variety of businesses and to be used for reconnaissance and information theft, Maor said. Or it could be “an attempt to dilute this malware due to internal struggles within the Carberp or buyer groups,” he said.

Earlier this year, Russian authorities claimed to have captured the mastermind behind the Carberp banking Trojan and other members of the criminal gang.

The cybercrime ring, led by a 28-year old Russian national, allegedly has been in operation since 2009 and has stolen approximately $250 million from Ukrainian and Russian banks, according to an April 2013 report from Kommersant Ukraine, a national publication.

In March 2012, authorities arrested and broke up a gang that used Carberp to steal $2 million from over 90 individual bank accounts. That cybercrime gang used the malware and was not responsible for developing the Trojan.

* 06/19 Updated with additional commentary from Group-IB

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...