Security researchers from FireEye have uncovered the source code of the ‘Carbanak’ backdoor trojan that has been available on VirusTotal for almost two years.
The big picture
In April 2019, FireEye security researcher Nick Carr detected two RAR archives uploaded to the VirusTotal malware scanning portal that contained Carbanak's source code, builders, and other tools. The Carbanak source code was 20MB, consisting of 755 files, 39 binaries, and over 100,000 lines of code.
“We found the full CARBANAK source code & previously unseen plugins. Our #FLARE team spent 500 hours analyzing the 100,000+ lines of code,” Carr tweeted.
The FireEye research team has analyzed the source code and published the first two parts of a four-part blog series.
Contents of the first archive
In the first part, the researchers discussed the translated graphical user interfaces of the CARBANAK tools and the anti-analysis tactics used in the source code.
“CARBANAK’s executable code is filled with logic that pushes hexadecimal numbers to the same function, followed by an indirect call against the returned value,” researchers explained in the first part of their analysis.
Contents of the second archive
In the second part, the researchers discussed Carbanak’s antivirus (AV) detection, AV evasion, authorship artifacts, exploits, secrets, and network-based indicators.
The exploits include PathRec (CVE-2013-3660), Sdrop (CVE-2013-3660), NDProxy (CVE-2013-5065), UACBypass, COM, BlackEnergy2, and (CVE-2014-4113).