Integrates SysInternals tool that crashes systems

Jan 15, 2015 13:06 GMT  ·  By

Users in Australia are the main target of cybercriminals wielding a new version of the Carberp malware, which is capable of infecting both 32-bit and 64-bit systems, security researchers found.

The freshly discovered strain is delivered through a malicious email campaign that was identified in mid-December 2014. Unsuspecting users are tricked into launching the malicious file via an email claiming to deliver information about a payment, such as an invoice included as an attachment.

Infections seen across the globe

After compromising the system, the malware connects to a command and control (C&C) server and uploads information about the machine, requesting additional components compatible with the computer’s architecture.

The version identified by Symantec has been distributed all over the world, but the most affected region seems to be Australia, where more than 50% of the total infections have been recorded.

Samples have also been detected in the United States and Canada, South America (Argentina), Africa, and multiple countries in Europe and Asia.

Integrates tool for triggering system crashes

Security researchers at Symantec found some interesting aspects regarding the modules present in the new Carberp, which help the threat hide the infection and download encrypted plug-ins.

Roberto Sponchioni says that the piece of malware integrates a component that can inject malicious payloads into the memory of the system in order to hide the infection; it also features a downloader that fetches new payloads from the C&C server.

One additional component, however, is a perfectly legitimate program that may serve to hinder analysis of the malware: the authors bundled NotMyFault, a Microsoft Sysinternals tool designed to deliberately crash a system for troubleshooting purposes.
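Bundling a legitimate crash tool is the kind of thing a defender can look for in process-creation telemetry: the binary itself is benign, so the signal is where it runs from and what launched it. The following is an added example, not code from the article or from Symantec's research. It parses a constructed, simplified key=value process-creation log (the sample lines, field names and the NotMyFault file-description string are all assumptions made for the example) and flags a NotMyFault execution from a user-writable directory, or one started by a parent living in such a directory, while leaving an administrator's copy under a tools folder alone.

```python
# Added example (not from the article): flag suspicious executions of the
# legitimate Sysinternals NotMyFault crash tool in process-creation logs.
import re
from dataclasses import dataclass, field

# Constructed sample log lines in an assumed "key=value" format. Paths,
# timestamps and the description string are invented for this example.
SAMPLE_LOG = """\
ts=2015-01-15T13:06:01Z image=C:\\Users\\alice\\AppData\\Local\\Temp\\nmf.exe description="NotMyFault" parent=C:\\Users\\alice\\AppData\\Roaming\\invoice.exe
ts=2015-01-15T13:06:02Z image=C:\\Tools\\Sysinternals\\notmyfault64.exe description="NotMyFault" parent=C:\\Windows\\explorer.exe
ts=2015-01-15T13:06:03Z image=C:\\Windows\\System32\\notepad.exe description="Notepad" parent=C:\\Windows\\explorer.exe
"""

# key=value pairs; values may be double-quoted when they contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Directory fragments that an ordinary user can write to (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Finding:
    ts: str
    image: str
    reasons: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Turn one log line into a dict of field -> value."""
    return {k: (quoted if quoted else plain) for k, quoted, plain in KV_RE.findall(line)}


def is_crash_tool(event: dict) -> bool:
    """Match NotMyFault by executable name or file description (case-insensitive).
    Matching on the description catches a renamed copy such as nmf.exe."""
    name = event.get("image", "").rsplit("\\", 1)[-1].lower()
    desc = event.get("description", "").lower()
    return name.startswith("notmyfault") or "notmyfault" in desc


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def assess(event: dict):
    """Return a Finding when the crash tool runs in a context that does not
    look like deliberate troubleshooting, otherwise None."""
    if not is_crash_tool(event):
        return None
    reasons = []
    if in_user_writable(event.get("image", "")):
        reasons.append("crash tool executed from a user-writable directory")
    if in_user_writable(event.get("parent", "")):
        reasons.append("launched by a parent process in a user-writable directory")
    if not reasons:
        return None
    return Finding(event.get("ts", "?"), event.get("image", "?"), reasons)


def scan(log_text: str) -> list:
    """Run assess() over every non-empty line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = assess(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.image}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the constructed sample, only the renamed copy dropped under the user's Temp folder is reported (with both reasons), while the copy under C:\Tools\Sysinternals launched from Explorer is not. A real deployment would key on the binary's signer and hash rather than its name or description, since both are trivially changed.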

Carberp infections were expected to re-appear

The purpose of the Trojan has not changed and it is still used for stealing sensitive information from the compromised machine, Sponchioni notes.

The researchers were able to download and examine a plug-in that hooks specific APIs in order to extract usernames and passwords from various web browsers.

Carberp’s source code was leaked in 2013 and cyber-experts have rushed to analyze the malware, predicting that criminals would pick up the “asset” and apply modifications to improve its functionality.

Before the leak, Carberp was used to create botnets (networks of infected computers) and to steal about $250 / €214 million from banks all over the world.

Image gallery: Carberp infections (2 images)

Image 1: Infections recorded for the new Carberp
Image 2: Email carrying new Carberp strain