After TorrentLocker, new Carberp banking malware takes stab at Australia

Carberp, a banking trojan that recently hit over 150,000 Australian PCs, is taking a second bite at Australia through spam email loaded with malware.

Following a recent rash of infections in Australia of malware that locks files until a payment is made, an older banking trojan that hails from Russia may be poised for an Australian comeback.

According to researchers at Symantec, the chief targets of a new variant of Carberp are Australian PCs, with over half of infections across the globe located in Australia.

Dubbed “Carberp.C”, the malware steals banking credentials from infected PCs and is currently being spread via email that contains an attachment posing as an invoice in a .zip file. Needless to say, the .zip file actually contains malware. Recipients therefore still need to open the attachment to become infected, unlike malware that infects a PC simply when the victim visits a booby-trapped website.

Designed for both 32-bit and 64-bit machines, the malware casts a wide net and has a number of tricks, including employing a legitimate troubleshooting tool called “Sysinternals” that can trigger a Windows “blue screen of death”. This may falsely suggest a system error to the victim. The malware also has features to hide itself from antivirus detection and to download separate components.

While Carberp.C’s infection methods and features aren’t particularly novel, it is notable due to its long and storied history, which includes an Australian chapter of some significance.

Carberp first made its mark in 2009 as malware that stole banking credentials almost exclusively in Russian-language nations. It caused enough trouble for Russia’s Federal Security Service (FSB) to arrest eight hackers in 2012 who’d used the malware to pilfer millions of dollars from bank accounts in the country.

Slovakian security firm ESET detailed Carberp’s place as one of a small group of elite banking trojans that dominated Russian cybercrime targeting online banking systems between 2009 and 2011. Back then, Australia was off Carberp’s map.

Initially reserved by a single operator, Carberp transformed into a monthly-fee based service after its source code was leaked online in June 2013, leaving its wares open for anyone to apply to their own enterprise. Rental prices ranged from $2,000 a month for a limited feature set to $10,000 for a fuller set.

Ahead of the source code leak, however, a major Carberp campaign targeted Australian banking customers using “web injects” within the victim's browser to spoof the websites of the Commonwealth Bank of Australia, Bank of Queensland, Bendigo Bank, Adelaide Bank and ANZ, infecting as many as 150,000 Australian PCs between 2012 and 2013. The same malware was previously used against customers of Sberbank in Russia.

Banking trojans that quietly steal the keys to online bank accounts have taken a back seat to in-your-face crypto-ransomware, such as Cryptolocker, which operates more like a shakedown and tests how much victims value their information and hardware.

As reported in December, researchers at ESET discovered that nearly 10,000 PCs in Australia had been infected by TorrentLocker malware, which demanded between $760 and $1520 in Bitcoin for the key to unlock their encrypted files. Australia was the second largest target in the world behind Turkey.

Despite the high number of TorrentLocker infections in Australia, ESET's researchers found that fewer than two percent had actually paid. The good news for Australians so far, in terms of Carberp's return, is that Symantec has detected fewer than 50 infections across the globe. Still, the high proportion of Australian infections may signal an emerging threat and is a good reminder that it's a bad idea to open attachments from unfamiliar senders.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Copyright © 2015 IDG Communications, Inc.
