After TorrentLocker, new Carberp banking malware takes stab at Australia

Carberp, a banking trojan that previously infected over 150,000 Australian PCs, is taking a second bite at Australia through spam email carrying a malicious attachment.

Following a recent rash of infections in Australia of malware that locks files until a payment is made, an older banking trojan that hails from Russia may be poised for an Australian comeback.

According to researchers at Symantec, the chief target of a new variant of Carberp is Australia, with over half of the infections seen worldwide located on Australian PCs.

Dubbed “Carberp.C”, the malware steals banking credentials from infected PCs and is currently spread via email carrying a .zip attachment that poses as an invoice. The .zip actually contains the malware, so a recipient still has to open the attachment and run its contents to become infected, unlike drive-by malware that infects a PC when the victim merely visits a booby-trapped website.
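A mail-gateway check for exactly this lure, as an added example (not Symantec's code and not part of the original article): it builds a constructed message with an invoice-themed .zip attachment, inspects the archive without executing anything, and flags members that carry an executable extension, a document-style double extension such as invoice.pdf.exe, or a Windows PE ("MZ") header. The sender, recipient, file names and the inert two-byte stub standing in for the dropper are all assumptions made up for the example.

```python
"""Flag invoice-lure e-mails whose .zip attachment carries a Windows executable.

Added example, not the page's or Symantec's code. The message, the zip and the
'MZ' stub inside it are constructed here; the stub is not a real program.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

# Extensions Windows runs on double-click; an "invoice" with one of these
# is the classic spam payload.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Document extensions commonly used as the inner half of a double extension.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".rtf"}


def inspect_zip(data: bytes) -> list[str]:
    """Return reasons to block the archive; an empty list means nothing suspicious."""
    reasons: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["attachment is not a valid zip archive"]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            inner_ext = "." + parts[-2] if len(parts) > 2 else ""
            if ext in EXECUTABLE_EXTS:
                reasons.append(f"{name}: executable extension {ext}")
            if inner_ext in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
                reasons.append(f"{name}: document-style name hiding an executable")
            # Only the first two bytes are read, so a large member cannot exhaust memory.
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    reasons.append(f"{name}: starts with a PE 'MZ' header")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each .zip attachment in a raw RFC 822 message to its block reasons."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings: dict[str, list[str]] = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        if part.get_content_type() == "application/zip" or fname.lower().endswith(".zip"):
            findings[fname] = inspect_zip(part.get_payload(decode=True))
    return findings


def build_lure_email(member_name: str, member_bytes: bytes) -> bytes:
    """Construct a sample invoice-lure message (assumed addresses, not real ones)."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr(member_name, member_bytes)
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Invoice 8832 overdue"
    msg.set_content("Please find attached the outstanding invoice.")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="Invoice_8832.zip")
    return msg.as_bytes()


# Inert stand-in for the dropper: PE magic plus padding, not executable code.
FAKE_DROPPER = b"MZ" + b"\x00" * 62


def demo() -> dict[str, list[str]]:
    """Scan the constructed lure; the .exe member should be flagged three times."""
    return scan_message(build_lure_email("Invoice_8832.pdf.exe", FAKE_DROPPER))


if __name__ == "__main__":
    for attachment, reasons in demo().items():
        print(attachment, "->", reasons or "clean")
```

The three checks are deliberately independent: the extension test catches the common case, the double-extension test catches names built to fool a viewer that hides known extensions, and the PE-header test catches an executable renamed to look like a document.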

Built to run on both 32-bit and 64-bit Windows, the malware casts a wide net and has a number of tricks, including use of a legitimate Microsoft Sysinternals troubleshooting utility to trigger a Windows “blue screen of death”, which may lead the victim to blame a system fault rather than suspect an infection. The malware also includes features to evade antivirus detection and to download additional components.

While Carberp.C’s infection methods and features aren’t particularly novel, it is notable because of its long and storied history, which includes an Australian chapter of some significance.

Carberp first made its mark in 2009 as malware that stole banking credentials almost exclusively in Russian-speaking countries. It caused enough trouble for Russia’s Federal Security Service (FSB) to arrest eight hackers in 2012 who had used the malware to pilfer millions of dollars from bank accounts in the country.

Slovakian security firm ESET detailed Carberp’s place as one of a small group of elite banking trojans that dominated Russian cybercrime targeting online banking systems between 2009 and 2011. Back then, Australia was off Carberp’s map.

Initially used by a single group, Carberp later became a monthly-fee rental service, and after its source code was leaked online in June 2013 anyone could adapt it to their own enterprise. Rental prices ranged from $2,000 a month for a basic feature set to $10,000 for a fuller one.

Ahead of the source code leak, however, a major Carberp campaign targeted Australian banking customers using “web injects”, code injected into the victim's browser to alter the login pages of the Commonwealth Bank of Australia, Bank of Queensland, Bendigo Bank, Adelaide Bank and ANZ, infecting as many as 150,000 Australian PCs between 2012 and 2013. The same malware had previously been used against customers of Sberbank in Russia.

Banking trojans that quietly steal the keys to online bank accounts have since taken a back seat to in-your-face crypto-ransomware, such as Cryptolocker, which operates more like a shakedown and tests how much victims value their data and hardware.

As reported in December, researchers at ESET discovered that nearly 10,000 PCs in Australia had been infected by TorrentLocker malware, which demanded between $760 and $1520 in Bitcoin for the key to unlock their encrypted files. Australia was the second largest target in the world behind Turkey.

Despite the high number of TorrentLocker infections in Australia, ESET's researchers found that fewer than two percent of victims had actually paid. The good news for Australians so far, as far as Carberp's return goes, is that Symantec has detected fewer than 50 infections worldwide. Still, the high proportion of Australian infections may signal an emerging threat, and it is a good reminder that opening attachments from unfamiliar senders is a bad idea.

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Stories by Liam Tung
