Carberp Malware Source Code Sells For $50k On Dark Web

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Despite recent arrests, there’s plenty of activity around the nasty Carberp Trojan

One of the most well known banking Trojans, Carberp, has had its source code offered on underground forums for as much as $50,000, leading to concerns the malware will see a spike in activity.

When the Zeus malware code was released in 2011, variants proliferated and one of the most prevalent Trojans became even more troublesome.

Fotolia: VIRUS © queidea #13574802The same could certainly happen with Carberp, which does web injects on banking sites to trick users into handing over login information when they think they are legitimately entering their username and password.

Carberp car boot sale

On an underground Russian forum, security company Trusteer found a seller going by the name of “=Sj=”, who offered the code and use of the malware to a “trustworthy member”for $50,000.

The seller also claimed his Carberp came with Master Boot Record (MBR) rootkit functionality, meaning it could give cyber crooks low level access to victims’ operating systems and avoid anti-virus software. They also said it would work on all Windows operating systems.

“Members of different forums are apparently also attempting to sell the source code at a significantly lower price,” wrote Etay Maor, senior manager at Trusteer. “One assumption that has been made is that a breach of contract by a Carberp seller caused a buyer to take revenge and sell the source code.”

There has been turmoil in the Carberp community recently, as the leader of a Carberp gang was arrested in April, along with another 20 who were alleged to have created the malware. They followed the arrest of another crook accused of running a major Carberp operation last year.

“With the current feature set this malware offers, it can easily be configured to target a wide variety of businesses as well as be used for data theft and reconnaissance,” Maor added.

“It remains to be seen if we are witnessing an attempt to dilute this malware due to internal struggles within the Carberp or buyer groups.

“Another possibility is that the source code will be acquired and enhanced to create a new malware product that will then be sold to the underground fraud community.”

Are you a security expert? Try our quiz!