# NotCarbanak Mystery - Source Code Leak

**malware-research.org/carbanak-source-code-leaked/**

GelosSnake, July 11, 2018

-----

I got a tip a very short time ago in our [slack group](https://malware-research.org/slack) about a possible Carbanak source code leak. A quick Google search proved this is indeed a possibility.

hxxp://mal4all.com/showthread.php?tid=494&action=lastpost

[Here is the source code in a zip file.](https://s3-eu-west-1.amazonaws.com/malware-research.org/blogposts/carbanak_leak/carbanak_source_code_leak_maybe.zip)

Please make sure you use proper security steps such as a sandbox and an isolated environment. The origin of this zip file is unknown and it was not inspected for booby traps etc. This file was uploaded for research and defense purposes only. If you plan to use this for malicious reasons you suck.

Pass: f1Up$zD%QY*p5@!&

If you are creating any signatures such as Yara and Snort please share them back with the community.

Happy Researching

**My team at Minerva have organized the information into a single blog post:**

Initial analysis and insights about the enhanced [#Buhtrap](https://twitter.com/hashtag/Buhtrap?src=hash&ref_src=twsrc%5Etfw) source code [#leak](https://twitter.com/hashtag/leak?src=hash&ref_src=twsrc%5Etfw) (not [#carbanak](https://twitter.com/hashtag/carbanak?src=hash&ref_src=twsrc%5Etfw)) [https://t.co/b4hCMmc5fp](https://t.co/b4hCMmc5fp)
[— Minerva Labs (@MinervaLabs) July 12, 2018](https://twitter.com/MinervaLabs/status/1017395965114896389?ref_src=twsrc%5Etfw)

**Some on-going updates posted during the initial investigation:**

I wouldn't put a solid carbanak tag on it just yet :) it sure has similarities...
[— Denis O'Brien (@Malwageddon) July 11, 2018](https://twitter.com/Malwageddon/status/1017084469541527552?ref_src=twsrc%5Etfw)

After a deeper look into Ratopak we should say: it is not the original Buhtrap but Pegasus. Pegasus and Buhtrap have very similar TTP. So, Ratopak is the right shot here.
[— codelancer (@codelancer) July 11, 2018](https://twitter.com/codelancer/status/1017149837135970304?ref_src=twsrc%5Etfw)

Comodo signed binaries from this [#carbanak](https://twitter.com/hashtag/carbanak?src=hash&ref_src=twsrc%5Etfw) leak (CN="\"Allegro\" LLC", O="\"Allegro\" LLC", STREET="Nagatinsky 2ND, 2,2", L=Moscow, ST=Moscow, OID.2.5.4.17=115487, C=RU) leads to this attack on Russian banks: [https://t.co/LTbCr8CVu6](https://t.co/LTbCr8CVu6) [https://t.co/gmcw2xk76H](https://t.co/gmcw2xk76H)
[— Omri Moyal (@GelosSnake) July 11, 2018](https://twitter.com/GelosSnake/status/1017093538276888576?ref_src=twsrc%5Etfw)

-----

At least some parts of the source code leak fit the Buhtrap/Ratopak (f4ae5579930f20ccc41d1f8b1e417e87) code as described here: [https://t.co/zkcv05OaEC](https://t.co/zkcv05OaEC) [#carbanak](https://twitter.com/hashtag/carbanak?src=hash&ref_src=twsrc%5Etfw) [#buhtrap](https://twitter.com/hashtag/buhtrap?src=hash&ref_src=twsrc%5Etfw) [#ratopak](https://twitter.com/hashtag/ratopak?src=hash&ref_src=twsrc%5Etfw) [pic.twitter.com/rqQrzIxFJF](https://t.co/rqQrzIxFJF)
[— Daniel Plohmann (@push_pnx) July 11, 2018](https://twitter.com/push_pnx/status/1017131953789849602?ref_src=twsrc%5Etfw)

Ok, just clarifying: this leak is not a [#Carbanak](https://twitter.com/hashtag/Carbanak?src=hash&ref_src=twsrc%5Etfw) leak as the source zip states. It's a leak from the [#RatoPak](https://twitter.com/hashtag/RatoPak?src=hash&ref_src=twsrc%5Etfw) group.
[— Omri Moyal (@GelosSnake) July 11, 2018](https://twitter.com/GelosSnake/status/1017152905730842624?ref_src=twsrc%5Etfw)

Probably why this group was called Pegasus before the leak: [pic.twitter.com/nySAMXek6o](https://t.co/nySAMXek6o)
[— Omri Moyal (@GelosSnake) July 11, 2018](https://twitter.com/GelosSnake/status/1017143352897232897?ref_src=twsrc%5Etfw)

This potential [#Carbanak](https://twitter.com/hashtag/Carbanak?src=hash&ref_src=twsrc%5Etfw) code is very well documented. Example from the lateral movement section. [pic.twitter.com/DD8e5cFI5V](https://t.co/DD8e5cFI5V)
[— Omri Moyal (@GelosSnake) July 11, 2018](https://twitter.com/GelosSnake/status/1017058024601608192?ref_src=twsrc%5Etfw)

Funny comment: decryption of svchost will trigger [@kaspersky](https://twitter.com/kaspersky?ref_src=twsrc%5Etfw) KIS emulator. [pic.twitter.com/gQ5P4DtlSb](https://t.co/gQ5P4DtlSb)
[— Omri Moyal (@GelosSnake) July 11, 2018](https://twitter.com/GelosSnake/status/1017064125871087618?ref_src=twsrc%5Etfw)

Interesting information related to banking fraud in the potential [#carbanak](https://twitter.com/hashtag/carbanak?src=hash&ref_src=twsrc%5Etfw) leak. [pic.twitter.com/kzZxi0hWzq](https://t.co/kzZxi0hWzq)
[— Omri Moyal (@GelosSnake) July 11, 2018](https://twitter.com/GelosSnake/status/1017068957210210305?ref_src=twsrc%5Etfw)

The [#carbanak](https://twitter.com/hashtag/carbanak?src=hash&ref_src=twsrc%5Etfw) leak seems to have a full AD dump of several banks such as: Kazan-based Energobank [pic.twitter.com/NpHKdGd35G](https://t.co/NpHKdGd35G)
[— Omri Moyal (@GelosSnake) July 11, 2018](https://twitter.com/GelosSnake/status/1017070458007621633?ref_src=twsrc%5Etfw)

Also the [#carbanak](https://twitter.com/hashtag/carbanak?src=hash&ref_src=twsrc%5Etfw) leak seems to have a step by step guide to use/hack swift. Can anyone with [#swift](https://twitter.com/hashtag/swift?src=hash&ref_src=twsrc%5Etfw) experience confirm this? [pic.twitter.com/9N3zgJvNCM](https://t.co/9N3zgJvNCM)
[— Omri Moyal (@GelosSnake) July 11, 2018](https://twitter.com/GelosSnake/status/1017074293770014724?ref_src=twsrc%5Etfw)

And of course, "Enums visible machines in current or any specified domain" [pic.twitter.com/KD0bFGCSD1](https://t.co/KD0bFGCSD1)
[— Bʀʏᴀɴ (@bry_campbell) July 11, 2018](https://twitter.com/bry_campbell/status/1017075967263723521?ref_src=twsrc%5Etfw)

-----

Somebody leaked the Carbanak source code last week. I've been talking with several security researchers who are currently trying to verify the code's authenticity and they believe it to be the real thing, albeit they're not 100% sure just yet [pic.twitter.com/8sAUHPEgnv](https://t.co/8sAUHPEgnv)
[— Catalin Cimpanu (@campuscodi) July 11, 2018](https://twitter.com/campuscodi/status/1017077782352973827?ref_src=twsrc%5Etfw)

Here's a video of the arrest: [https://t.co/vzKhroTYFt](https://t.co/vzKhroTYFt)
[— Catalin Cimpanu (@campuscodi) July 11, 2018](https://twitter.com/campuscodi/status/1017079441246351360?ref_src=twsrc%5Etfw)

Are you wondering why the leaked [#carbanak](https://twitter.com/hashtag/carbanak?src=hash&ref_src=twsrc%5Etfw) zip files are named after @groupib? Well, they were the first to discover [#carbanak](https://twitter.com/hashtag/carbanak?src=hash&ref_src=twsrc%5Etfw), which was named Anunak by them. They have also been actively working against the hacker group for many years. [pic.twitter.com/UobwEj0SWK](https://t.co/UobwEj0SWK)
[— Omri Moyal (@GelosSnake) July 11, 2018](https://twitter.com/GelosSnake/status/1017080501125992448?ref_src=twsrc%5Etfw)

Some of the leaked files correspond to banks hacked by the [#Corkow](https://twitter.com/hashtag/Corkow?src=hash&ref_src=twsrc%5Etfw) group. Really interesting: [https://t.co/OHeGTg7f2E](https://t.co/OHeGTg7f2E)
[— Omri Moyal (@GelosSnake) July 11, 2018](https://twitter.com/GelosSnake/status/1017114271908581383?ref_src=twsrc%5Etfw)

This [#RatoPak](https://twitter.com/hashtag/RatoPak?src=hash&ref_src=twsrc%5Etfw) / (not) [#Carbanak](https://twitter.com/hashtag/Carbanak?src=hash&ref_src=twsrc%5Etfw) leak investigation and the discussions around it really show once again how difficult attribution can be and why security researchers should collaborate as much as possible. Long night ahead of us (:
[— Omri Moyal (@GelosSnake) July 11, 2018](https://twitter.com/GelosSnake/status/1017159978082332672?ref_src=twsrc%5Etfw)

Nice admin panel you've got there :) it's [#notcarbanak](https://twitter.com/hashtag/notcarbanak?src=hash&ref_src=twsrc%5Etfw) but [#ratopak](https://twitter.com/hashtag/ratopak?src=hash&ref_src=twsrc%5Etfw) according to [@GelosSnake](https://twitter.com/GelosSnake?ref_src=twsrc%5Etfw) and [@codelancer](https://twitter.com/codelancer?ref_src=twsrc%5Etfw) [pic.twitter.com/yUjbygZ9Yf](https://t.co/yUjbygZ9Yf)
[— rik (@rikvduijn) July 11, 2018](https://twitter.com/rikvduijn/status/1017153511451176960?ref_src=twsrc%5Etfw)

Confirmed Link: '[#Pegasus](https://twitter.com/hashtag/Pegasus?src=hash&ref_src=twsrc%5Etfw)' shares some code lib struct with #Buhtrap and appears to be an improved/altered version of the leaked Buhtrap main 'lib' (machineid, mem, etc.) 🤔 h/t [@push_pnx](https://twitter.com/push_pnx?ref_src=twsrc%5Etfw) for the lead. Exact Code Overlap: buhtrap/11. DLL Side-Loading+panel/.../libs/ -> pegasus/inc/ [pic.twitter.com/NlvcD7ecLO](https://t.co/NlvcD7ecLO)
[— Vitali Kremez (@VK_Intel) July 11, 2018](https://twitter.com/VK_Intel/status/1017179470409674752?ref_src=twsrc%5Etfw)

-----

List of banks possibly hacked and found in the leak:

- AK BARS Bank
- IBSP Bank
- acropol
- genbank
- icbru
- interprombank
- metallinvestbank
- minbank
- nevskybank
- nipbank

[— Omri Moyal (@GelosSnake) July 11, 2018](https://twitter.com/GelosSnake/status/1017180271815348225?ref_src=twsrc%5Etfw)

-----