We have been tracking the Carberp cybercrime group’s activity for three years now. Tracking started in 2009 with the first samples of the Carberp malcious software seen in the wild. By the beginning of 2010 the second wave of Carberp activity had forced out other banking malware families (Win32/Spy.Shiz, Win32/Hodprot) in Russia. We summarized the first phase of our investigation in our presentation “Cybercrime in Russia: Trends and issues” at CARO in 2011. This year we summarized the results of our further investigations in the presentation “Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon” at CARO 2012.
Over the whole period three different cybercrime groups worked with Carberp. The first group started in 2009 and the organizer of this group had a direct relationship with Carberp’s main developer. This group first started using legitimate software for remote control so as to steal money manually when an infected machine is active (Sheldor-Shocked). In 2010 Carberp sources were sold to the organizer of the second group and they worked in parallel.
At the beginning of summer 2011 the biggest Carberp botnet of all time was started by the organizers of the Hodprot botnet (Hodprot: Hot to Bot). The end of October 2011 saw the first detections of a variant of the Carberp dropper with a bootkit on board (Evolution of Win32/Carberp: going deeper). This botnet has the codename “Origami” and its administration panel looks like this:
This group used targeted plugins for attacking major banking systems in Russia and performed experiments with phishing on popular social networks (Facebook Fakebook: New Trends in Carberp Activity). At the end of 2011 a campaign started with mass infection of legitimate sites with BlackHole redirections (Carberp + BlackHole = growing fraud incidents, Blackhole, CVE-2012-0507 and Carberp). In April 2012 BlackHole gave way to the latest version of Nuclear Pack using a smart redirection technique (Exploit Kit plays with smart redirection).
Over the whole period the first group used Win32/Sheldor for stealing money manually and in 2011 Sheldor has evolved to Win32/RDPdoor (based on the legitimate ThinSoft BeTwin software). The latest version of Win32/RDPdoor has smartcard detection functionality and for transparent remote exploitation of smartcards it can install FabulaTech USB for Remote Desktop (Smartcard vulnerabilities in modern banking malware). The administration panel for the latest version of Win32/RDPdoor looks like this:
Now the organizers of all three groups have been arrested in Russia. News of the first arrest was released in March 2012 (Members of the largest criminal group engaged in online banking fraud are detained). One of the organizers of the second group was arrested at the beginning of June 2012 (Group-IB aided Russian law enforcement agents in arresting yet another cybercriminal group). And at the end of June the organizer of the botnet “Origami/Hodprot” was arrested (One of the largest banking botnets has been disabled).
The statistics for Win32/RDPdoor detections look like this:
[Cloud data from Live Grid]
Statistics for Carberp detections look like this:
[Cloud data from Live Grid]
Carberp detection statistics by region:
[Cloud data from Live Grid]
All the Carberp botnet organizers have been arrested, but our statistics aren’t showing a big drop in detections. The Russian region leads as before for Carberp detections and after the arrests it showed a brief dip. On the timeline detections graph we can see the downturn in detections after every arrest, as with the June detection statistics. But at the end of June an organizer of the biggest Carberp botnet “Origami/Hodprot” (with millions of bots active at any one time) was arrested. It’s a unique case, with all the guys who organized really big botnets and made big profits (millions of US dollars) being arrested.
Special thanks to my colleagues from Group-IB, Dmitry Volkov and Ilya Sachkov, who undertook the largest part of the investigation into the Carberp case.
Aleksandr Matrosov, Security Intelligence Team Lead
Leave a reply
