FireEye security researchers discovered the source code for the infamous Carbanak backdoor malware two years ago and are now sharing analysis of the code.
Nick Carr, senior manager of the advanced practices team at FireEye, based in Milpitas, Calif., found the Carbanak source code in two RAR archives on VirusTotal in August 2017, approximately four months after the code was uploaded. FireEye did not say who uploaded the two files, but Carr said via Twitter that the uploader was from Russia and hinted it could have been a member of the cybercrime group behind Carbanak.
The Carbanak malware has been linked to more than 100 thefts around the world, totaling more than $1 billion in losses. The cybercrime gang leader was arrested in March 2018, and three more members were arrested in August.
From the source code's discovery until mid-2018, Michael Bailey, staff reverse engineer for FireEye's FLARE team, spent nearly 230 hours analyzing the 100,000 lines of code, including some time spent learning the Russian language in order to "minimize my use of other analysts' time."
Bailey's work built upon that of his colleague James Bennett, a FireEye engineer who spent approximately 220 hours reverse-engineering Carbanak banking malware samples in 2016 and 2017 before the source was found.
In a blog post describing the analysis process, Bailey wrote that although having the source code "sounds like cheat-mode for malware analysis," the Carbanak component used to handle command and control (C2) was an example of how difficult the code was to parse.
"Depending on the C2 protocol used and the command being processed, control flow may take divergent paths through different functions only to converge again later and accomplish the same command," Bailey wrote. "Analysis required bouncing around between almost 20 functions in five files, often backtracking to recover information about function pointers and parameters that were passed in from as many as 18 layers back."
"The effort gave me an appreciation for the baroque machinery the authors constructed either for the sake of obfuscation or flexibility," he continued. "I felt like this was done at least in part to obscure relationships and hinder timely analysis."
Bailey said the Carbanak source code showed the threat actors put in "significant investments in throwing malware analysts off the scent of this backdoor." And beyond obfuscation techniques, the code analysis also found that Carbanak was designed to alter evasion techniques based on the antivirus product installed on a system.
FireEye's FLARE team notified AVG and Trend Micro about these evasion techniques when they were discovered in late 2017, and Trend Micro updated its behavior monitoring rules to counteract these techniques soon after.
Bennett wrote via email that although the team "began publicly sharing the takeaways from our Carbanak analysis in late 2018," the work needed to analyze the Carbanak source code, combined with coordinating disclosures and working with law enforcement, all affected how long it took to announce the team's full work.
"To secure our customers and the community, it's common for FireEye to immediately work privately with impacted victims and the appropriate international law enforcement entities. In the case of Carbanak, we also had to coordinate the disclosure of evasions for other security vendors that we identified while analyzing the source code," Bennett wrote via email.
"Because of the significance of the find, we expected we would publicly speak about this analysis, but spent our time providing knowledge and understanding of the Carbanak malware family back to our front lines of incident response, as well as exclusive insight into these operations in our subscription intelligence portal.
"When we decide to make certain information public, we coordinate significantly with our customers and government partners to ensure we do not add additional risk or change attacker behavior -- which, in the case of Carbanak, had already changed," he said.
Jake Williams, founder and CEO of Rendition Infosec in Augusta, Ga., said "FireEye was probably in the right to sit on the code."
"There's already a ton of malware source code out there, [so] this won't significantly change the game for attackers. What is likely to change is attribution. With multiple attackers having access to the source code, we should expect false flag attacks to increase," Williams said. "The fact that they had it was useful for protecting their customers. Publishing the code before the group was largely rolled up by law enforcement [in August 2018] would have caused the group to change IOCs [indicators of compromise]."