{
	"id": "0ae43850-2674-4630-9d50-5fbd2b483903",
	"created_at": "2026-04-06T00:12:45.547348Z",
	"updated_at": "2026-04-10T13:12:45.234488Z",
	"deleted_at": null,
	"sha1_hash": "715933a734e6a47bba81092bef41fb5d5493b07b",
	"title": "Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 768014,
	"plain_text": "Latest TeslaCrypt Ransomware Borrows Code From Carberp Trojan\r\nBy Josh Grunzweig\r\nPublished: 2015-10-09 · Archived: 2026-04-05 13:30:24 UTC\r\nIn recent weeks, we have noticed changes in the TeslaCrypt ransomware malware family’s code base. OpenDNS recently discussed some of these changes regarding the encryption techniques in this newest variant. While reverse engineering the underlying code of these samples, we discovered that the author of TeslaCrypt borrowed code from the Carberp malware family in order to obfuscate strings and dynamically load libraries/functions.\r\nTeslaCrypt was discovered in February 2015, and has been actively developed since its initial release. The TeslaCrypt family is known as ransomware—a type of malware that encrypts a victim’s files, then demands a form of payment in exchange for the decryption key. Ransomware has been very lucrative for attackers, and an ongoing challenge for consumers and businesses alike. Malware like TeslaCrypt is often delivered via spam emails or exploit kits. A recent takedown of multiple domains used by the popular Angler exploit kit estimated that as much as $60 million in revenue was generated annually by ransomware alone.\r\nTeslaCrypt has historically been known to borrow code or other features from various ransomware families. Older variants used a notification screen that looked nearly identical to the one used by the CryptoLocker malware family.\r\nhttps://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/\r\nPage 1 of 6\r\nFigure 1. Locker notification for old variants of TeslaCrypt\r\nThe latest versions of TeslaCrypt attempt to mimic the popular CryptoWall malware family.\r\nFigure 2. 
Locker notification for new variants of TeslaCrypt\r\nAs we can see from the figures, the author of TeslaCrypt has no reservations about re-using code where possible. Starting in late September, the newest version of TeslaCrypt was introduced, and it included multiple updates. One of these updates involved modifications to how the victims’ files were encrypted, which was discussed by OpenDNS in their blog post.\r\nHowever, when looking at the underlying code, a number of other changes caught our eye, including string obfuscation previously unseen in TeslaCrypt.\r\nFigure 3. TeslaCrypt string obfuscation\r\nUpon further review, we discovered that these strings are encrypted using the RC2 cryptographic algorithm with a static key of ‘sdflk35jghs’. The initialization vector is generated by removing the first and last 4 characters of the encoded string, not counting the base64 padding characters; those eight characters fill RC2’s 64-bit IV, and the remaining characters carry the encrypted data. This process is shown below.\r\nFigure 4. TeslaCrypt IV and data parsing\r\nWhile examining the Carberp source code, we discovered this exact code. Carberp was a popular banking Trojan discovered in late 2011. Its main functionality included stealing online banking credentials, keystroke logging, and capturing data from various applications.\r\nIn mid-2013, the source code to Carberp was posted for sale on an underground Russian forum. A number of weeks following this posting, the source code was leaked to the general public. This allowed any individual to modify or copy the source code to this banking Trojan, which the author of TeslaCrypt appears to have done.\r\nFigure 5. 
Carberp string parsing prior to decryption\r\nLooking further into the underlying code of TeslaCrypt, we found that the author has also implemented dynamic library and function loading.\r\nFigure 6. Dynamic function loading in TeslaCrypt\r\nSure enough, this code was also copied from Carberp’s source code. Hashes used to identify functions are generated via the following algorithm:\r\nFigure 7. Hashing algorithm\r\nIn order to assist analysts and reverse-engineers working on the latest version of TeslaCrypt, please refer to the script shown in Figure 8, which will attempt to automatically convert API hashes to their actual function names.\r\nFigure 8. Results of running IDAPython script\r\nOverall, it appears that the author of TeslaCrypt has continued their history of re-using code and functionality from other malware families. Using the string obfuscation and dynamic API loading functionality from Carberp makes reverse-engineering and simple static analysis slightly more difficult. However, as the Carberp source code is so widely known by the security community, the author may have inadvertently made detection of these samples easier. This is the tradeoff of re-using code from other malware families: it is certainly quicker and easier to do, but may result in easier detection by security software.\r\nAll new variants of the TeslaCrypt malware family are properly classified as malicious by Palo Alto Networks WildFire.\r\n
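The following is an added example written for this page; it is not code from the article, from TeslaCrypt or from the leaked Carberp source. It implements the string-decryption scheme described above end to end: a pure-Python RC2 (RFC 2268, so it runs offline without a crypto library), CBC decryption under the static key 'sdflk35jghs', and the unwrapping step of Figure 4 as I read it (trailing base64 '=' padding ignored, the first 4 and last 4 characters used as the 8-byte IV, the characters between them base64-decoded as the ciphertext). Three things the article does not state and which are therefore assumptions here: CBC mode, PKCS#5 padding, and an effective key length equal to the key size (88 bits, the effective_bits parameter). The names wrap_string, unwrap_string, decrypt_string, KEY and SAMPLE are mine, and SAMPLE is a constructed string produced by wrap_string, not one taken from a TeslaCrypt sample.

```python
import base64

# RC2 permutation table from RFC 2268; it drives the key expansion below.
PITABLE = bytes.fromhex(
    'd978f9c419ddb5ed28e9fd794aa0d89d' 'c67e37832b76538e624c6488448bfba2'
    '179a59f587b34f1361456d8d09817d32' 'bd8f40eb86b77b0bf09521225c6b4e82'
    '54d66593ce60b21c7356c014a78cf1dc' '1275ca1f3bbee4d1423dd430a33cb626'
    '6fbf0eda4669075727f21d9bbc944303' 'f811c7f690ef3ee706c3d52fc8661ed7'
    '08e8eade8052eef784aa72ac354d6a2a' '961ad2715a1549744b9fd05e0418a4ec'
    'c2e0416e0f51cbcc2491af50a1f47039' '997c3a8523b8b47afc02365b25559731'
    '2d5dfa98e38a92ae05df2910676cbac9' 'd300e6cfe19ea82c6316013f58e289a9'
    '0d38341bab33ffb0bb480c5fb9b1cd2e' 'c5f3db47e5a59c770aa62068fe7fc1ad')
SHIFTS = (1, 2, 3, 5)  # per-word rotation amounts of a mixing round

def rc2_expand_key(key, effective_bits):
    # RFC 2268 key expansion: 1..128 key bytes become 64 sixteen-bit subkeys.
    t, t8 = len(key), (effective_bits + 7) // 8
    tm = 255 >> (8 * t8 - effective_bits)
    L = list(key) + [0] * (128 - t)
    for i in range(t, 128):
        L[i] = PITABLE[(L[i - 1] + L[i - t]) & 0xff]
    L[128 - t8] = PITABLE[L[128 - t8] & tm]  # clamp to the effective length
    for i in range(127 - t8, -1, -1):
        L[i] = PITABLE[L[i + 1] ^ L[i + t8]]
    return [L[2 * i] | L[2 * i + 1] << 8 for i in range(64)]

def rol16(v, n):
    return ((v << n) | (v >> (16 - n))) & 0xffff

def rc2_encrypt_block(K, block):
    # 16 mixing rounds, with a mashing round after the 5th and the 11th.
    R = [int.from_bytes(block[i:i + 2], 'little') for i in range(0, 8, 2)]
    j = 0
    for rnd in range(16):
        for i in range(4):
            R[i] = (R[i] + K[j] + (R[i - 1] & R[i - 2]) + (~R[i - 1] & R[i - 3])) & 0xffff
            R[i] = rol16(R[i], SHIFTS[i])
            j += 1
        if rnd in (4, 10):
            for i in range(4):
                R[i] = (R[i] + K[R[i - 1] & 63]) & 0xffff
    return b''.join(w.to_bytes(2, 'little') for w in R)

def rc2_decrypt_block(K, block):
    # Exact inverse: rounds and words walked backwards, subkeys from 63 down.
    R = [int.from_bytes(block[i:i + 2], 'little') for i in range(0, 8, 2)]
    j = 63
    for rnd in range(16):
        if rnd in (5, 11):
            for i in (3, 2, 1, 0):
                R[i] = (R[i] - K[R[i - 1] & 63]) & 0xffff
        for i in (3, 2, 1, 0):
            R[i] = rol16(R[i], 16 - SHIFTS[i])
            R[i] = (R[i] - K[j] - (R[i - 1] & R[i - 2]) - (~R[i - 1] & R[i - 3])) & 0xffff
            j -= 1
    return b''.join(w.to_bytes(2, 'little') for w in R)

def rc2_cbc_encrypt(key, iv, data, effective_bits=None):
    # CBC with PKCS#5 padding; both are assumptions, the article names neither.
    K = rc2_expand_key(key, effective_bits or 8 * len(key))
    data += bytes([8 - len(data) % 8]) * (8 - len(data) % 8)
    out, prev = b'', iv
    for off in range(0, len(data), 8):
        prev = rc2_encrypt_block(K, bytes(a ^ b for a, b in zip(data[off:off + 8], prev)))
        out += prev
    return out

def rc2_cbc_decrypt(key, iv, data, effective_bits=None):
    K = rc2_expand_key(key, effective_bits or 8 * len(key))
    out, prev = b'', iv
    for off in range(0, len(data), 8):
        out += bytes(a ^ b for a, b in zip(rc2_decrypt_block(K, data[off:off + 8]), prev))
        prev = data[off:off + 8]
    n = out[-1] if out else 0
    if not 1 <= n <= 8 or out[-n:] != bytes([n]) * n:
        raise ValueError('bad padding: wrong key, IV layout or effective key length')
    return out[:-n]

KEY = b'sdflk35jghs'  # static RC2 key reported in the article

def unwrap_string(blob):
    # My reading of Figure 4: ignore trailing base64 padding, take the first 4
    # and last 4 characters as the 8-byte IV (one RC2 block), and
    # base64-decode what is left between them as the ciphertext.
    stripped = blob.rstrip('=')
    iv = (stripped[:4] + stripped[-4:]).encode('latin-1')
    body = stripped[4:-4]
    return iv, base64.b64decode(body + '=' * (-len(body) % 4))

def decrypt_string(blob, key=KEY, effective_bits=None):
    iv, ct = unwrap_string(blob)
    return rc2_cbc_decrypt(key, iv, ct, effective_bits).decode('latin-1')

def wrap_string(plain, iv, key=KEY, effective_bits=None):
    # Inverse of unwrap_string; used only to build constructed sample strings.
    ct = rc2_cbc_encrypt(key, iv, plain.encode('latin-1'), effective_bits)
    body = base64.b64encode(ct).decode()
    return iv[:4].decode() + body.rstrip('=') + iv[4:].decode() + '=' * body.count('=')

SAMPLE = wrap_string('CryptAcquireContextW', b'Ab3xZq9K')  # constructed input
```

decrypt_string(SAMPLE) returns the API name that wrap_string hid. When a string lifted from a real sample fails the padding check, the effective key length is the first knob to turn: Windows CryptoAPI gives CALG_RC2 a 40-bit effective key length by default unless KP_EFFECTIVE_KEYLEN is set, so decrypt_string(blob, effective_bits=40) is the natural second attempt. Whether the sample feeds the key to RC2 raw or derives it through a hash first is not something the article settles, and this example does not model a derivation step.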
AutoFocus users can find more information on samples and indicators related to this attack by viewing the TeslaCrypt tag.\r\nSource: https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/"
	],
	"report_names": [
		"latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan"
	],
	"threat_actors": [],
	"ts_created_at": 1775434365,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/715933a734e6a47bba81092bef41fb5d5493b07b.pdf",
		"text": "https://archive.orkl.eu/715933a734e6a47bba81092bef41fb5d5493b07b.txt",
		"img": "https://archive.orkl.eu/715933a734e6a47bba81092bef41fb5d5493b07b.jpg"
	}
}