Source code of Carbanak trojan found on VirusTotal

Carbanak source code has been available on VirusTotal for two years, and security firms didn't even notice.

Carbanak FIN7

The source code of one of the world's most dangerous malware strains has been uploaded and left available on VirusTotal for two years, and almost nobody has noticed.

It was discovered by security researchers from US cyber-security firm FireEye, analyzed for the past two years, and made public today, so other members of the cyber-security community can also benefit from the company's finding.

The malware that stole €1 billion

The source code is for the Carbanak malware, a backdoor trojan that is the work of the FIN7 gang, also known under the names of Carbanak, Anunak, or the Cobalt Group.

FIN7 is one of the world's most dangerous and prolific hacker groups known to date, being responsible for hacks and thefts from banks and financial institutions of more than €1 billion.

The Carbanak backdoor is the group's second-generation malware strain, which they developed and used as their primary tool to aid in intrusions on banks' networks.

  • 2013 - 2014 - developed and used Anunak malware and targeted mainly financial institutions and ATM networks.
  • 2014 - 2016 - developed and used Carbanak malware, a newer and more sophisticated version of Anunak.
  • 2016 - 2017 - developed custom malware using Cobalt Strike, a legitimate penetration testing framework.

FIN7 typically operated by infecting bank employees with the Carbanak malware, which they used as a pivot point inside compromised networks until the group gained access to sensitive systems that could be used to transfer money from a bank's accounts or orchestrate coordinated ATM cash-outs.

Carbanak source code is a big discovery

Across the years, the security researchers who were called in to investigate FIN7 attacks have usually got their hands on Carbanak malware, but only compiled version, which are hard to analyze and fully understand.

However, things changed in April 2019 when FireEye security researcher Nick Carr found two archives uploaded on the VirusTotal malware scanning portal that contained Carbanak's source code.

The two files, uploaded from a Russian IP address, turned out to be the real deal, and have helped FireEye better understand FIN7's malware, even if by that time, the group had switched to using Cobalt Strike-based tools.

According to Carr, the two archives contained the malware's full source code, along with previously unseen plugins, totaling over 100,000 lines of code.

"Having source code sounds like cheat-mode for malware analysis. Indeed, source code contains much information that is lost through the compilation and linking process," said FireEye security researchers Michael Bailey and James T. Bennett.

The company has published today a first blog post of a four-part series that will analyze the Carbanak source code in greater detail.

FIN7 gang arrests and current activity

The original FIN7 (Carbanak) group does not exist anymore. Europol tracked down and arrested the gang's leader in Spain, in March 2018, and Ukrainian police arrested three other suspects a few months later, in August 2018.

The arrests haven't deterred FIN7's other members, though. Multiple sources in the cyber-security industry have reported over the past year that the FIN7 group appears to have splintered into smaller gangs, which are still targeting the banking sector even today [1, 2, 3, 4].

In July 2018, there was a false alarm that the Carbanak code leaked on the now-defunct Mal3all hacking forum. After further analysis, it was revealed that the leaked source code was the RatoPak malware, which belonged to the Corkow group, a different cyber-crime gang that targets banks and operates on the same model set up by Carbanak way back in 2014.

Related malware and cybercrime coverage: