Leaked Carbanak Source Code Reveals No New Exploits
FireEye’s analysis of the Carbanak source code that emerged on VirusTotal recently found no use of new exploits. Their review of the code also verified previous assumptions on the group behind a series of cyberattacks that used the malware.
Associated with the financially-motivated threat actor FIN7, Carbanak is a full-featured backdoor that has been used in numerous attacks to steal millions of dollars. Recently, FireEye found two RAR archives on VirusTotal containing the malware’s source code, as well as other tools.
Analysis of the code revealed new details on the malware, but also confirmed what previous investigations had already discovered, such as an anti-virus evasion mechanism, authorship artifacts, exploits, and network-based indicators.
FireEye’s security researchers discovered that the malware can detect anti-virus programs by process name hashes, and that it includes different evasion techniques depending on the security product discovered. Some of the targeted anti-virus products have been updated to mitigate the attack.
The source code also revealed some artifacts pointing to the individuals behind the malware, such as host paths, but FireEye’s security researchers say the details were too scarce to help them learn more on the authors.
The investigation also revealed that all of the exploits used by the backdoor are well-documented. The code also includes strings copied wholesale from Mimikatz, such as a module for dumping passwords and code to allow multiple remote desktop protocol connections.
The code analysis led the security researchers to the discovery of passwords used for RC2-encrypted communications and other purposes, as well as of an encrypted server certificate in a debug directory, protected with password “1”.
Multiple Network-Based Indicators (NBIs) were also found in the source code, showing significant overlap with previously documented CARBANAK backdoor activity and FIN7 operations.
“The previously documented NBIs, Windows API function resolution, backdoor command hash values, usage of Windows cabinet file APIs, and other artifacts associated with CARBANAK all match. Interestingly though, the project itself isn’t called CARBANAK or even Anunak as the information security community has come to call it based on the string artifacts found within the malware,” FireEye notes.
The leak also allowed the security researchers to verify whether previous deductions on the malware were correct, such as the fact that a build tool was used to configure various details, including command and control (C&C) addresses, encryption keys, and campaign codes.
The security researchers also wanted to validate the previous assumption that the malware operators might have had direct access to the source code or a close relation to the author, but could not find definite proof of that.
What the source code did reveal, however, was the names of commands that were previously unidentified, along with commands absent from previously analyzed samples. One of the commands appears to be meant for debugging only and was commented out, so it never appeared in public reports.
“Having access to the source code and toolset for CARBANAK provided us with a unique opportunity to revisit our previous analysis. We were able to fill in some missing analysis and context, validate our deductions in some cases, and provide further evidence in other cases, strengthening our confidence in them but not completely proving them true,” the researchers say.
In the final blog post detailing the code analysis, FireEye reveals that the backdoor can record videos of the victims’ desktops, thus providing attackers with a better understanding of the operational workflow of employees working at targeted banks.
The attackers used a custom-written video data file format and player. The video files have the extension .frm, and the video player searches for all files with this extension whose begin and end timestamps fall within a specific range.