On March 20, Russian authorities revealed the fact that a cybercriminal group that relied on the infamous Carberp Trojan to commit bank fraud was terminated after its members were arrested. However, security experts warn that the takedown of a single group does not represent the end of Carberp.
Kaspersky experts discovered that one day after the announcement was made, a Carberp multifunctional bankbot was put up for sale by the malware’s developers on an underground forum.
It turns out that one of the affiliate programs most involved in the distribution of the Trojan is traffbiz.ru. This website is advertised as being an intermediary between webmasters and traffic buyers, but according to specialists from the security firm, its services are mainly used by cybercrooks who want to distribute malware.
Furthermore, a new Carberp distribution was spotted infecting radio-moswar.ru, a site dedicated to the online MosWar game.
Researchers determined that one of the website’s pages was altered to host a malicious script which, after multiple redirects to free domains, lands the victim on the traffbiz site. Here, another script triggers two other redirects.
One of the links points to a Java and PDF exploit that downloads Trojan-Spy.Win32.Carberp.epm. Once it infects a computer, the Trojan connects to an operational command and control server from which it receives configuration files that tell it what to steal.
“During the attack, Carberp intercepts the content of Citibank and Raiffeisen Bank webpages on the computer, as well as pages that use software created by BSS, a company which develops and deploys automated remote banking systems,” Vyacheslav Zakorzhevsky, Kaspersky Lab Expert, wrote.
The other link points to the BlackHole Exploit Kit which downloads not only Carberp, but also another information-stealing Trojan that targets FTP passwords and other sensitive data.
“In short, those responsible for developing Carberp remain at large and the cybercriminal gangs using the Trojan remain active. In other words, victory is a long way off,” Zakorzhevsky concluded.
Note. My Twitter account has been erroneously suspended. While this is sorted out, you can contact me via my author profile.