Members of the Carberp crime network have returned to the market, and are offering the banking malware at a steep price for serious suitors: $40,000 per trojan kit.
RSA researchers found that Carberp perpetrators began offering the trojan on Monday, returning after a nearly two-year hiatus.
The crime gang last sold Carberp in February 2011, and abruptly retreated underground about a month after selling the trojan for $10,000 in closed Russian online forums. In June, a central operator of the botnet, known by the online alias “Hermes,” was arrested by Russian authorities. Several other cyber gang members were also apprehended by police in 2011.
The botnet, among the world's largest banking networks detected at the time, was believed to have caused $4.5 million in losses, primarily impacting users in Russia. Carberp is delivered via Black Hole exploit kit campaigns, or drive-by downloads, according to RSA.
Limor Kessem, intelligence expert at RSA's FraudAction Research Lab, told SCMagazine.com on Friday that Carberp attackers have returned to take advantage of an opening in the marketplace left by the withdrawal of activity on the Citadel network.
On Tuesday, RSA announced that a key Citadel developer was banned from one of the largest online groups that sell the banking trojan, indicating that the group was steadily withdrawing from the commercial market to privatize its operations.
“We saw this happening about two weeks after what occurred with the Citadel [network],” Kessem said. “Carberp is a private gang, and they don't usually sell their trojan commercially. They usually do this to collect money for another campaign.”
The network will likely disappear again when it is satisfied with sales from its high-ticket, revamped trojan, she added.
Updates to the malware include bug fixes and a bootkit version, which commands the $40,000 price. The trojan is also being offered for monthly use fees in the $2,000 to $10,000 range.
This latest Carberp variant contains code from another trojan, Rovnix, an “advanced bootkit-type threat that infects the Volume Boot Record (VBR),” a Friday blog post from RSA said.
Additionally, on Friday, Denis Maslennikov, a researcher at Kaspersky, blogged that a mobile version of the Carberp trojan had been detected on Android phones in Russia.
“There is no secret that online banking is becoming more and more popular in Russia, and banks are very active in promoting online banking with various authorization methods,” Maslennikov wrote.
When users with Carberp-infected machines visit their banking sites, the trojan modifies the web page and invites users to download an application “allegedly necessary for logging into the system,” the blog post said. The user is then directed to enter their phone number or scan a QR code to receive a link to download the malicious app via SMS message.