CARBERP Banking Malware Makes a Comeback
In 2010, we reported on CARBERP’s notable features, including its capability to install itself without Administrator privileges, effectively defeating the User Account Control (UAC) feature of Windows 7 and Vista. In 2012, however, a positive turn of events occurred as 8 individuals involved with CARBERP operations were arrested by Russia’s Ministry of Internal Affairs. These arrests should have put the final nail in CARBERP’s coffin.
Recently, however, CARBERP has been making news again, with improved (and costly) versions and mobile app variants available in the wild.
Though we are still proactively searching for possible variants of these new CARBERP versions, we have encountered a variant containing certain modifications. Detected as BKDR_CARBERP.MEO, this malware downloads new plugins to complement its information-stealing routines, including vnc.plug and vncdll.plug, which help a possible attacker remotely access an infected system, and Ifobs.plug, which is used in monitoring Internet banking.
This backdoor also connects to certain command-and-control (C&C) servers to get commands from a possible remote user. Like other CARBERP variants, it targets Russian banks.
In an attempt to take advantage of the growing number of mobile device users, mobile versions of CARBERP were also found on certain app providers. These apps (detected as ANDROIDOS_CITMO.A) check for specific SMS messages, such as authentication codes sent by banks, and forward them to a remote server.
For 2013, our Chief Technology Officer Raimund Genes predicted that cybercriminals will be focused on refining existing tools for attacks instead of creating new variants. CARBERP is proof that the bad guys are pursuing this route. Thus, we can expect more tried-and-tested threats like CARBERP to surface this year, though with fine-tuned features compared to their predecessors.
Trend Micro Smart Protection Network™ protects users from this threat by detecting CARBERP variants if found in a system. It also blocks the related sites that BKDR_CARBERP.MEO connects to. Mobile users need not worry as Trend Micro Mobile Security Personal Edition protects users’ mobile devices from this threat.
For better protection, users must be extra careful with their behavior online, which includes refraining from visiting unknown or unverified sites. Likewise, they should regularly apply important security updates provided by software vendors.