Jan 30, 10:26 am (UTC-7) | by Mark Joseph Manahan (Threat Response Engineer)
In 2010, we noted CARBERP's noteworthy features, including its capability to install itself without administrator privileges, effectively defeating the User Account Control (UAC) feature of Windows 7 and Vista. In 2012, however, a positive turn of events occurred: eight individuals involved in CARBERP operations were arrested by Russia's Ministry of Internal Affairs. This arrest should have put the final nail in CARBERP's coffin.
But just recently, CARBERP has been making news again, with improved (and costly) versions and mobile app variants available in the wild.
Detected as BKDR_CARBERP.MEO, this malware downloads new plugins to complement its information-stealing routines, including vnc.plug and vncdll.plug, which let an attacker remotely access an infected system, and Ifobs.plug, which is used to monitor Internet banking.
This backdoor also connects to certain command-and-control (C&C) servers to receive commands from a remote user. Like other CARBERP variants, it targets Russian banks.
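The plugin downloads described above leave a footprint in outbound web traffic. The following is an added detection example, not code from the original post or from Trend Micro: it sweeps proxy log lines for successful fetches of the plugin file names named above and groups the hits per client. The log format, host names and addresses are constructed placeholders.

```python
import re
from collections import defaultdict
from typing import Optional

# Plugin file names the write-up reports BKDR_CARBERP.MEO downloading.
CARBERP_PLUGINS = {"vnc.plug", "vncdll.plug", "ifobs.plug"}

# Constructed proxy log format (an assumption, not any real product's format):
# <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)

def plugin_name(url: str) -> Optional[str]:
    """Return the lowercase file name at the end of the URL path, if any."""
    path = url.split("://", 1)[-1].split("?", 1)[0]   # drop scheme and query
    name = path.rsplit("/", 1)[-1].lower()
    return name or None

def find_plugin_downloads(lines):
    """Return {client_ip: {plugin_name: [url, ...]}} for successful GETs
    of the known plugin names; malformed lines are skipped, not fatal."""
    hits = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        name = plugin_name(m["url"])
        if m["method"] == "GET" and m["status"] == "200" and name in CARBERP_PLUGINS:
            hits[m["client"]][name].append(m["url"])
    return {client: dict(plugins) for client, plugins in hits.items()}

# Constructed sample log; hosts and addresses are placeholders.
SAMPLE_LOG = [
    "2013-01-30T10:26:01Z 10.0.0.15 GET http://example.invalid/index.html 200",
    "2013-01-30T10:26:07Z 10.0.0.15 GET http://update.example.invalid/m/vnc.plug 200",
    "2013-01-30T10:26:08Z 10.0.0.15 GET http://update.example.invalid/m/vncdll.plug?x=1 200",
    "2013-01-30T10:27:12Z 10.0.0.22 GET http://update.example.invalid/m/Ifobs.plug 404",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for client, plugins in find_plugin_downloads(SAMPLE_LOG).items():
        print(client, sorted(plugins))   # 10.0.0.15 ['vnc.plug', 'vncdll.plug']
```

A client fetching more than one of these names in a short window is a stronger signal than a single hit; the failed (404) fetch by the second client is deliberately excluded so that blocked requests do not raise the same alert.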
In an attempt to take advantage of the growing number of mobile device users, mobile versions of CARBERP were also found on certain app providers, including Google Play (first seen around December last year). These apps (detected as ANDROIDOS_CITMO.A) check for specific SMS messages, such as authentication codes sent by banks, and forward them to a remote server.