Carberp

Malware Profile Updated 13 days ago
Carberp is a banking Trojan, active since around 2010, whose source code leaked in 2013. Because the code was comprehensive and well engineered, it became the basis for a multitude of later malware families. Carberp is delivered through malicious downloads, spam email and compromised or malicious websites, usually without the user noticing. Once on a system it steals banking credentials and other personal information, can disrupt operations and, in some deployments, has been used to hold data for ransom.

The part of Carberp most often reused is its method of resolving Windows API functions: rather than importing functions by name, it walks a DLL's export table, hashes each export name and compares the hash against constants embedded in the code. This hides the imports from static analysis and from simple import-table inspection. The obfuscation is straightforward to undo once the hash routine is known: an analyst precomputes the hash of every export name with the same routine and maps the embedded constants back to names, typically with an IDA Python script. The hash values themselves are present in Carberp's leaked source code, which makes the lookup table easy to build. TrickBot's API resolution bears a strong resemblance to Carberp's, suggesting it was borrowed from the leaked code.

The Sofacy group (APT28) has been one of the most prominent users of Carberp-derived malware. In 2013 the group expanded its arsenal with additional backdoors and tools, including CORESHELL, SPLM (also known as Xagent or CHOPSTICK), JHUHUGIT and AZZY (also known as ADVSTORESHELL, NETUI and EVILTOSS); of these, JHUHUGIT is a downloader built from the Carberp sources. The group has run spear-phishing campaigns in which Flash exploits led to the JHUHUGIT downloader and then to further stages. Later reporting (2016) tracks the same Carberp-derived downloader under the name Seduploader, used alongside the group's Downdelph downloader.

The breadth of reuse and modification of Carberp's code, from banking Trojans such as TrickBot to state-sponsored espionage toolsets, is what gives a leak from 2013 its continued relevance.
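The following is an added example of the de-obfuscation step described above, written in the style of an offline IDAPython helper; it is not code from the Carberp sources or from any vendor report. The hash routine (rotate-right by 13, then add each byte) is an assumed illustrative routine chosen because it is common in API-hashing loaders, not Carberp's actual routine, and the export lists are constructed sample data rather than a real export table. The script builds a hash-to-name table and resolves hard-coded constants back to export names, reporting collisions and unknown values instead of guessing.

```python
"""Resolve API-hash constants back to export names (illustrative, not Carberp's).

Loaders that borrow Carberp's API resolution walk a DLL export table, hash each
name and compare the result with a constant embedded in the code. The defence
in analysis is to run the same hash over every export name and look constants
up in the resulting table; in IDA the resolved name would be written as a
comment next to the push/mov that loads the constant.
"""
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits (x86 ROR semantics)."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def api_hash(name: str) -> int:
    """ASSUMED illustrative hash: h = ror13(h) + byte over the ASCII name.
    Carberp's own routine lives in its leaked source; swap it in here."""
    h = 0
    for byte in name.encode("ascii"):
        h = (ror32(h, 13) + byte) & MASK32
    return h


# Constructed sample export lists. A real script would read the names from the
# DLL's export directory (e.g. with pefile); these are not full export tables.
SAMPLE_EXPORTS: Dict[str, List[str]] = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "CreateFileA", "WriteFile"],
    "ntdll.dll": ["NtAllocateVirtualMemory", "LdrLoadDll"],
    "wininet.dll": ["InternetOpenA", "HttpSendRequestA"],
}


def build_hash_table(exports: Dict[str, Iterable[str]]) -> Dict[int, List[str]]:
    """Map hash -> ['dll!Name', ...]. A list is kept per hash so that
    collisions between export names are visible rather than silently lost."""
    table: Dict[int, List[str]] = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(api_hash(name), []).append(f"{dll}!{name}")
    return table


def resolve_hash(table: Dict[int, List[str]], value: int) -> Optional[str]:
    """Return the unique export for `value`, or None if unknown or ambiguous.
    Ambiguity is reported rather than resolved by picking the first hit."""
    hits = table.get(value & MASK32, [])
    return hits[0] if len(hits) == 1 else None


def annotate_constants(table: Dict[int, List[str]],
                       constants: Iterable[int]) -> Dict[int, Optional[str]]:
    """Resolve every constant recovered from the disassembly. In IDA this is
    the place to call set_cmt(ea, name) for each resolved value."""
    return {c: resolve_hash(table, c) for c in constants}


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Constructed "embedded constants", as a loader would carry them.
    constants = [api_hash("LoadLibraryA"), api_hash("VirtualAlloc"), 0xDEADBEEF]
    for value, name in annotate_constants(table, constants).items():
        print(f"0x{value:08X} -> {name or 'unresolved'}")
```

To apply this to a real sample, replace api_hash with the routine recovered from the binary (or taken from the leaked Carberp source when the sample matches it), feed the real export tables in, and hook annotate_constants to IDA's comment API; the table-building and collision handling stay the same.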
Source Document References
Information about the Carberp malware was read from the documents corpus below (display limited to 20 results).

MITRE (a year ago): Sofacy's 'Komplex' OS X Trojan
MITRE (a year ago): Tricks of the Trade: A Deeper Look Into TrickBot's Machinations
MITRE (a year ago): Trickbot Adds Credential-Grabbing Capabilities
MITRE (a year ago): CARBERP - Threat Encyclopedia
MITRE (a year ago): Ramsay: A cyber-espionage toolkit tailored for air-gapped networks | WeLiveSecurity
MITRE (a year ago): Sofacy Attacks Multiple Government Entities
MITRE (a year ago): The Great Bank Robbery: the Carbanak APT
CERT Polska (a year ago): Newest addition to a happy family: KBOT
MITRE (a year ago): A Slice of 2017 Sofacy Activity
MITRE (a year ago): Sofacy APT hits high profile targets with updated toolset
MITRE (a year ago): IRON TWILIGHT Supports Active Measures
MITRE (a year ago): XAgentOSX: Sofacy's XAgent macOS Tool
MITRE (a year ago): PowerLoader Injection - Something truly amazing - MalwareTech