Carberp is a Windows banking Trojan whose source code leaked in 2013 and has since been reused and modified by a wide range of threat actors. The leak turned its code base into a building block for a multitude of later malicious software, valued for its solid design and feature set. Carberp reaches victims through drive-by downloads, malicious e-mail attachments and compromised websites, usually without the user noticing. Once resident it steals credentials and other personal data, can disrupt the host, and can fetch further stages. One piece of the code in particular, its method of resolving Windows API functions at runtime from hashes rather than names, has been adopted and adapted in numerous later Trojans.
The Sofacy group, also known as APT28, has been the most prominent user of Carberp-derived malware. In 2013 the group expanded its arsenal with more backdoors and tools, including CORESHELL, SPLM (also known as Xagent or CHOPSTICK), JHUHUGIT and AZZY (also known as ADVSTORESHELL, NETUI and EVILTOSS); of these, JHUHUGIT is the one built from the leaked Carberp sources. The group has run spear-phishing campaigns that used Flash exploits to deliver the Carberp-based JHUHUGIT downloader, which in turn fetched later stages. Reporting from 2016 also documents Seduploader, another name for the same Carberp-derived first-stage tool, and Downdelph, a separate first-stage downloader written in Delphi.
Another noteworthy trait of Carberp is its compact application programming interface (API) obfuscation: imported functions are not named in the binary but looked up at runtime by hashing each export name of a loaded module and comparing the result with a stored 32-bit constant, so static analysis sees only numbers where import names would normally be. Other malware developers have borrowed the scheme. It can be undone with an Interactive Disassembler (IDA) Python script, because the hash routine and the hashed values it produces are available in Carberp's leaked source code: an analyst precomputes the hashes of known Windows API names and annotates each constant with the function it selects. TrickBot's resolution routine bears a close resemblance to Carberp's, which suggests it was borrowed from the Carberp Trojan. This widespread reuse and modification of Carberp's code is a measure of its impact on the threat landscape.
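The following is an added example of the hash-based API resolution described above and of the precomputed-table approach that defeats it. It is not code from this page, from Carberp's leaked source or from any IDA script referred to here. The ROR-13 hash, the module and export lists, and the listing fragment with its address/constant pairs are stand-ins constructed for the example; Carberp's real hash routine would have to be transcribed from its source (and the name list dumped from real export tables) before the table applies to actual samples.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits (x86 ROR semantics)."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """Stand-in hash (an assumption, NOT Carberp's routine): ROR-13-and-add
    over the export name's bytes. To apply this to Carberp-derived samples,
    replace the body with the routine transcribed from the leaked source."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


# Constructed stand-in for the export tables the malware walks at runtime
# (in a real sample: PEB -> Ldr -> module base -> IMAGE_EXPORT_DIRECTORY).
FAKE_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["CreateFileA", "VirtualAlloc", "WriteProcessMemory",
                     "LoadLibraryA", "GetProcAddress"],
    "ws2_32.dll": ["WSAStartup", "connect", "send", "recv"],
}


def resolve_by_hash(module: str, wanted: int,
                    exports: Dict[str, List[str]] = FAKE_EXPORTS) -> Optional[str]:
    """Malware side: find the export whose hash equals the stored constant.
    Only the 32-bit constant is present in the binary; the name never is."""
    for name in exports.get(module, []):
        if api_hash(name) == wanted:
            return name
    return None


def build_lookup(names: Iterable[str]) -> Dict[int, str]:
    """Analyst side: precompute hash -> name for every API name we know.
    A collision would make an annotation ambiguous, so refuse to hide one."""
    table: Dict[int, str] = {}
    for n in names:
        h = api_hash(n)
        if h in table and table[h] != n:
            raise ValueError(f"hash collision: {table[h]!r} / {n!r}")
        table[h] = n
    return table


# In a real script the name list comes from dumping the export tables of the
# DLLs a sample loads; here it is the constructed list above.
KNOWN_API_NAMES = [n for names in FAKE_EXPORTS.values() for n in names]
HASH_TABLE = build_lookup(KNOWN_API_NAMES)

# Matches the constant pushed before a call into the resolver, in the
# shape of an IDA listing line: ".text:00401000  push    0x12345678".
_PUSH_IMM = re.compile(r"^\.text:([0-9A-Fa-f]{8})\s+push\s+(0x[0-9A-Fa-f]+)")


def annotate_listing(lines: Iterable[str],
                     table: Dict[int, str] = HASH_TABLE) -> List[Tuple[int, int, str]]:
    """Analyst side: for each pushed immediate, return (ea, hash, api-name),
    with 'UNKNOWN' when the constant is not in the table. In IDAPython the
    same loop would end with idc.set_cmt(ea, name, 0) on each hit."""
    out: List[Tuple[int, int, str]] = []
    for line in lines:
        m = _PUSH_IMM.match(line)
        if not m:
            continue
        ea, imm = int(m.group(1), 16), int(m.group(2), 16)
        out.append((ea, imm, table.get(imm, "UNKNOWN")))
    return out


# Constructed listing fragment: two resolver call sites, one for an API in
# our table and one whose constant we cannot resolve.
SAMPLE_LISTING = [
    f".text:00401000  push    {api_hash('VirtualAlloc'):#010x}",
    ".text:00401005  push    offset aKernel32",
    ".text:0040100A  call    resolve_api",
    f".text:00401010  push    {api_hash('NtNotInOurList'):#010x}",
    ".text:00401015  push    offset aNtdll",
    ".text:0040101A  call    resolve_api",
]

if __name__ == "__main__":
    for ea, h, name in annotate_listing(SAMPLE_LISTING):
        print(f"{ea:#010x}  {h:#010x}  {name}")
```

The two halves mirror each other: the malware compares a constant against hashes computed over a module's export names, and the analyst inverts that by hashing every name in advance and looking constants up. The lookup is only as good as the name list, which is why a real script should hash the full export tables of the DLLs a sample loads rather than a hand-picked subset, and why an unresolved constant is reported rather than guessed.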
Description last updated: 2024-05-04T18:08:19.520Z