Threat Management, Malware

Carberp source code for sale, extending availability of banking trojan

A black market seller is offering source code of the Carberp trojan for as little as $5,000, a price tag that may get a lot of takers.

Andrey Komarov, head of international projects for Russian security firm Group-IB, spotted the source code being advertised on a Russian underground forum.

According to the seller, using the handle “madeinrm,” a sale would grant the buyer access to Carberp's source code, along with web injections, the source code for a worm known as "Gazavat," two exploits for vulnerabilities in Windows, and additional malicious features, the advertisement said.

As recently as December, the criminal group behind Carberp, which is designed to steal personal information entered into online banking platforms, was hawking a similar package at a much steeper price: $40,000 per exploit kit.

But that's apparently changed. 

The Register broke the news on Tuesday that the trojan's source code was up for grabs with a lighter price tag – a move researchers haven't seen the likes of since crooks leaked the source code for banking trojan Zeus in May 2011.

Komarov told Wednesday in an email that the Carberp group's decision to drop the price came after an individual going by “Batman,” who managed Carberp's sales and technical support, sold the source code to more than one person against the group's wishes.

With the source code in more hands than the group had anticipated, they decided to further open up the sale of the trojan. 

Etay Maor, fraud prevention solutions manager at security firm Trusteer, told on Wednesday that selling the source code could also be a way for the Carberp outfit, which has been on the radar of Russian law enforcement in recent months, to move on to new ventures before they are caught.

As ownership of the trojan changes hands, it will undoubtedly become available to a larger pool of criminals.

“They are going to make good use of that investment,” Maor said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.