Carberp Trojan Evolves and Advances

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:35:19


Whatever else is said about malware authors, it’s becoming clearer and clearer of late that they are learning from their mistakes and adapting to new defensive tactics at an increasingly rapid rate. The latest example of this is a recently discovered version of the Carberp malware, which now includes a new encryption scheme and improved administrative capabilities.

Carberp is a somewhat obscure piece of malware–at least relative to media darlings such as Zeus and Clampi. But the authors behind Carberp have been tweaking and refining the capabilities of the malware in recent months, and a new version of the Trojan has appeared that makes it more difficult for users to defend against it. The original version of Carberp was just a typical Trojan designed to steal users’ sensitive data, such as online banking credentials or usernames and passwords for other high-value sites. All of the traffic sent back to the command-and-control server was in the clear. Simple and straightforward.

Related Posts

Threatpost News Wrap, September 2, 2016

September 2, 2016 , 9:00 am

Insecure Redis Instances at Core of Attacks Against Linux Servers

September 1, 2016 , 1:08 pm

Fairware Attacks Targeting Linux Servers

August 31, 2016 , 10:21 am

But as the malware’s creators learned what worked and what didn’t, they adjusted their tactics, according to an analysis by researchers at Seculert. The next iteration of Carberp boasted a couple of plug-ins, one that removed anti-malware software and another that would attempt to kill other pieces of malware found on an infected PC.

But the really interesting adjustments appeared in the most recent version of Carberp, which Seculert’s researchers came upon in recent days. The newest release includes the ability to encrypt all of the traffic between infected machines and the C&C server.

“The interesting part is that the RC4 key is randomly generated and is
sent as part of the HTTP request. This is the first time we have
encountered such behavior. For example, other malware, such as ZeuS,
only use one RC4 key which is embedded within the malware itself,” the Seculert analysis says. “While the new version of Carberp sends information about the running
processes on the infected machine to the C&C server, as in previous
versions, it now also checks which AV software is installed on the

Carberp is mainly spreading in Russia right now, but many of the more successful banker Trojans and information-stealing pieces of malware targeted one specific country and then went on to spread in other countries over time. Don’t be surprised to see a similar evolution from Carberp.