Carberp: it’s not over yet

On 20 March, Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp Trojan. This is very good news, but unfortunately does not mark the end of the Carberp story.

Evidently, those arrested were just one of the criminal gangs using the Trojan. At the same time, those who actually developed Carberp are still at large, openly selling the Trojan on cybercriminal forums.

Here is a recent offer for the ‘multifunctional bankbot’, which appeared on 21 March:

A post advertising the sale of Carberp

There are still numerous ‘affiliate programs’ involved in the distribution of Carberp, particularly “”.

We detected a new Carberp distribution incident on 21 March. Infection was initiated at, a website devoted to the MosWar online browser game.

The main page of

A page on the site includes a script which quietly redirects visitors to a web page in a third-level domain.

The script redirecting users from

The second-level domain belongs to Dyn – a company that offers free services for the creation of free *.dyndns.TLD third-level domains. Such services are popular among cybercriminals as they make it unnecessary to register new domains.

Screenshot of the website

A series of redirects to different DynDns domains ultimately leads to a script of the traffbiz affiliate program. Officially, the program acts as an intermediary between webmasters and traffic buyers, but according to our information, it is mostly used by cybercriminals to distribute malware.

Screenshot of the website

A script generates the hit counter image that is demonstrated to users. The script also includes two iframes which quietly redirect users to two links.

The hit counter code on

One of the links leads to Java (CVE-2011-3544) and PDF (CVE-2010-0188) exploits that download Trojan-Spy.Win32.Carberp.epm to the victim machine and launch it.

The Trojan attempts to connect to the command server by sending requests to three domains:


Curiously, according to whois data, these domains were registered on 20 March:

Curiously, according to whois data, these domains were registered on 20 March.

The command server to which Carberp connects is operational. It sends the command to the bot to download configuration files specifying which information the bot should steal and how. During the attack, Carberp intercepts the content of Citibank and Raiffeisen Bank webpages on the computer, as well as pages that use software created by BSS, a company which develops and deploys automated remote banking systems.

The second link leads to the infamous BlackHole Exploit Pack, which downloads and launches two malicious programs: a version of Carberp (Trojan-Spy.Win32.Carberp.epl) and a password-stealing Trojan (Trojan-PSW.Win32.Agent.acne).

Carberp also connects to a server located in Germany which has a different IP address. The domain name **** was registered on 21 March:

The command center is operational but is not sending any commands as yet. The Trojan receives a list of plugins from that server.

The second piece of malware installed by the BlackHole Exploit Pack is designed to steal sensitive user data, such as FTP passwords. In addition, the Trojan modifies the hosts file to redirect users from and sites to malicious servers.

In short, those responsible for developing Carberp remain at large and the cybercriminal gangs using the Trojan remain active. In other words, victory is a long way off.

Carberp: it’s not over yet

Your email address will not be published. Required fields are marked *



Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Andariel evolves to target South Korea with ransomware

In April 2021, we observed a suspicious Word document with a Korean file name and decoy. It revealed a novel infection scheme and an unfamiliar payload. After a deep analysis, we came to a conclusion: the Andariel group was behind these attacks.

Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

Subscribe to our weekly e-mails

The hottest research right in your inbox