3 min read

Meet Carberp, the Bank Service Hitman

Loredana BOTEZATU

October 15, 2010

Meet Carberp, the Bank Service Hitman

Long gone are the times when the few existing malicious applications were designed in order for their creators to play pranks on their colleagues. The rapidly evolving malicious landscape has replaced them with state-of-the-art money makers such as the snitch we’ll be discussing about below.

Make no mistake about it; the 72 KB downloader called Trojan.Downloader.Carberp.A packs quite a punch. It is meant to intercept, manipulate and steal the confidential information a computer user might send or receive over the Internet; and what is particularly disturbing about it is the fact that it snatches login credentials from sites that require log-in sessions over an SSL connection, be they online banking services, e-mail providers or any other online services subject to authentication. Initially designed to protect the user from prying eyes, the SSL and HTTPS technologies actually mark the respective users as targets. Apart from keeping an eye on every service that is important enough to force SSL authentication, Trojan.Downloader.Carberp.A is also instructed to monitor a list of websites containing quite a few e-banking portals.

How can you get infected?

Once it gets executed on the computer, Trojan.Downloader.Carberp.A creates a couple of temporary files in the %temp% folder, then copies itself in the Windows Startup folder in order to execute itself after every boot or restart. The approach may seem rudimentary as compared to the one used by other families of malware that add startup entries to the Registry. However, it’s this very depreciation that allows Trojan.Downloader.Carberp.A to execute itself on newer operating systems, or under users without administrative privileges. Right after the infection, the downloader connects to a C&C server, from which it will download an encrypted configuration file, along with additional fire-power such as plug-ins allowing it to intercept Internet traffic and to kill whatever antivirus it may find on the recently infected computer. In return, Trojan.Downloader.Carberp.A sends the C&C server a unique ID and it uploads a list of currently running processes via a GET request.  

After it has successfully copied itself in the startup folder as either syscron.exe or chkntfs.exe, it hides its presence by using function hooks in ntdll.dll in order to intercept any calls to NtQueryDirectoryFile and ZwQueryDirectoryFile, which results in the user’s inability of seeing its files when using Windows® Explorer® or the command-line dir query.

Making use of certain hooks in the local internet browser, this malicious downloader intercepts the victim’s credentials and sends them to a C&C server the moment the computer user logs in through an SSL session.

The aim of this Trojan is twofold:

  • on the one hand any SSL-based authentication session allowing access to online banking, e-mail and social network accounts may get intercepted and the confidential data stolen, since every time a person logs in, Trojan.Downloader.Carberp.A steals the credentials (even before they get to be encrypted) and sends them to its C&C server over HTTP. By the time the log in request reaches the bank the credentials, will, unfortunately, have already fallen in the hands of the attackers.
  • on the other hand, Trojan.Downloader.Carberp.A also targets certain banks (in Germany, Denmark, the Netherlands, US and Israel) following precise instructions which it receives from the C&C server along with the configuration instructions.

This sophisticated approach to the by now classic man-in-the-browser attacks provides a lucrative financial tool designed to steal money especially from online service customers and SMBs. It is worth mentioning Trojan.Downloader.Carberp.A’s ability to install without administrator privileges, its ability to attack systems that run the latest versions of OSs and the fact that it doesn’t make any changes in the Registry.

BitDefender® customers have been protected since day zero via generic packer routines included already in the signature database. If you are not protected by a BitDefender product, you may download the free removal tool from the Downloads section and check out whether you are infected or not. Alternatively, you may also run a 60-second QuickScan to see if your system doesn’t hide other badware you may not be aware of.

 

Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

tags


Author



Right now

Top posts

Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

July 16, 2021

3 min read
How to protect yourself against cyberstalking

How to protect yourself against cyberstalking

July 06, 2021

2 min read
The Top Five Security Risks Smartphone Users Face Today

The Top Five Security Risks Smartphone Users Face Today

July 02, 2021

4 min read
Phishing Alert: Scammers Use Fake SharePoint and DocuSign Messages to Steal Users’ Login Credentials

Phishing Alert: Scammers Use Fake SharePoint and DocuSign Messages to Steal Users’ Login Credentials

July 02, 2021

3 min read
Your Doxxing Dossier Will Keep Growing Thicker Until You See the Danger

Your Doxxing Dossier Will Keep Growing Thicker Until You See the Danger

June 30, 2021

2 min read
Mobile security threats: reality or myth?

Mobile security threats: reality or myth?

June 13, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

How to keep your Android device immune to malicious vaccine themed apps How to keep your Android device immune to malicious vaccine themed apps
Cristina POPOV

April 22, 2021

2 min read
Facebook Takes Down Two Hacking Groups Operating out of Palestine Facebook Takes Down Two Hacking Groups Operating out of Palestine
Silviu STAHIE

April 22, 2021

2 min read
Ransomware attack causes supermarket cheese shortage in the Netherlands Ransomware attack causes supermarket cheese shortage in the Netherlands
Graham CLULEY

April 13, 2021

2 min read