• FireEye researchers detected two RAR archives uploaded on the VirusTotal malware scanning portal that contained Carbanak’s source code, builders, and other tools.
• Carbanak source code was 20MB in size and consisted of 755 files, 39 binaries, and over 100,000 lines of code.

Security researchers from FireEye have uncovered the source code of the ‘Carbanak’ backdoor trojan that has been available on VirusTotal for almost two years.

Worth noting

• Carbanak is a backdoor trojan which is developed and used by the FIN7 threat group.
• Carbanak trojan has been used by the FIN7 gang between 2014 and 2016 to target over 100 banks across the world and steal over $1 billion funds.

The big picture

In April 2019, FireEye security researcher Nick Carr detected two RAR archives uploaded on the VirusTotal malware scanning portal that contained Carbanak’s source code, builders, and other tools. Carbanak source code was 20MB consisting of 755 files, 39 binaries, and over100,000 lines of code.

“We found the full CARBANAK source code & previously unseen plugins. Our #FLARE team spent 500 hours analyzing the 100,000+ lines of code,” Carr tweeted.

FireEye research team have analyzed the source code and have published the first two parts of the 4-part blog series.

Contents of the first archive

In the first part, the researchers have discussed the translated graphical user interfaces of CARBANAK tools and anti-analysis tactics of the source code.

• Carbanak leverages a Windows mechanism called named pipes for communicating across all the threads, processes, and plugins under the backdoor’s control.
• Carbanak allows a local client to dispatch commands to the malware without the use of a network.
• Carbanak’s source code has a utility that scans source code for invocations of the API macro to build a header file defining string hashes for all the Windows API function names encountered in the entire codebase
• The malware’s source code provides insight into how malware authors use the powerful C preprocessor along with custom code scanning and code generation tools to obfuscate.

“CARBANAK’s executable code is filled with logic that pushes hexadecimal numbers to the same function, followed by an indirect call against the returned value,” researchers explained in the first part of their analysis.

Contents of the second archive

In the second part, researchers discussed Carbanak’s antivirus (AV) detection, AV evasion, authorship artifacts, exploits, secrets, and network-based indicators.

• Carbanak source code contained several exploits, previous C2 hosts, and passwords,
• The malware’s source code contained code copied from Mimikatz numerous Network-Based Indicators (NBIs)
• It also contained an encrypted server certificate, multiple private and public keys.

The exploits include PathRec (CVE-2013-3660), Sdrop (CVE-2013-3660), NDProxy (CVE-2013-5065), UACBypass, COM, BlackEnergy2, and (CVE-2014-4113).