Carberp

Since late 2010, the Carberp trojan has been stealing user’s online payment transaction information, banking credentials, and other sensitive data. The most common infection method is through drive-by downloads or via email phishing campaigns. This trojan originally targeted Windows XP, Vista, and 7, but has recently expanded its reach to Windows 8 and 10. Carberp changes the victim’s system and browser settings, and connects remotely to a C2 server to download additional payloads. Carberp steals personal and financial information and generates additional profits for the attacker by promoting sponsored products, directing web traffic via browser hijacking, and tracking user’s online history. Carberp creates backdoors to allow additional malware to infiltrate an infected device. It can also disable antivirus software and block the application of new virus definitions in an attempt to evade detection. It is possible to remove the trojan manually or with a removal tool. Be aware of any unusual activity on devices, update operating systems and other software regularly, use safe browsing applications and extensions, install and update antivirus software, and avoid clicking on ads or pop-ups.

Reporting

  • February 2016: The criminal group, Carbanak, reportedly began using Carberp along with Anunak malware to infect and steal money from financial institutions. (Softpedia)
  • March 2016: Cybersecurity firm Symantec reported Carberp was found to be signed with two digital certificates, one with a SHA1 signature, and one with a SHA2 signature. The Carberp trojan is one of the first pieces of malware to use dual certificates to account for the switch from SHA1 to SHA2. Having the SHA2 certificate prevents the malware from triggering validation errors. (Symantec)

More Information

  • Symantec provides technical details on the Carberp trojan, available here.

One example of the Carberp trojan. Image Source: PC Techie