Following hundreds of hours analyzing the Carbanak malware and source code, security researchers found surprising features and complexity, including the ability to record video of infected desktops.
Michael Bailey and James Bennett, staff reverse engineers for FireEye, spent a combined 469 hours analyzing the Carbanak backdoor and its source code over the course of two years. Bennett reverse engineered the Carbanak malware binaries themselves, and Bailey analyzed the source code that was found posted to VirusTotal in August 2017.
Bailey's analysis of the Carbanak source code uncovered a complex piece of malware that included features such as vendor-specific antivirus evasion techniques, obfuscation techniques, a build tool for producing differently configured samples, and even a custom-built video player and file format. Bailey said in part four of his analysis that the video player was used to view "recorded desktop videos to gain an understanding of the operational workflow of employees working at targeted banks, allowing them to successfully insert fraudulent transactions that remained undetected by the banks' verification processes."
Bailey told SearchSecurity that the "sophistication and complexity is a step above the typical backdoors I've seen."
"The project has many moving parts, mixed native and .NET code, integration with several open source codebases, and very fully featured GUI control. The authors were assiduous and productive in their refactoring and reuse of outside code. I noted at least 15 cases of code apparently lifted from public repositories. Managing all this must have taken some serious focus," Bailey wrote via email. "As far as developer maturity though, this team appears to have been hard-working and well-organized."
Bennett agreed in emailed comments, saying, "In my career as a malware reverse engineer over the past seven years, this is likely the second most complex malware family I've had to analyze fully."
Bailey added that the most complex part of the Carbanak malware was the tasking code, which he described as "the most byzantine piece of unpacked malware logic I've ever witnessed (in source or binary)."
In part one of his analysis, Bailey described the tasking code as making the Carbanak malware "an entirely different beast."
"It utilizes a Windows mechanism called named pipes as a means of communication and coordination across all the threads, processes and plugins under the backdoor's control," Bailey wrote. "When the Carbanak tasking component receives a command, it forwards the command over a named pipe where it travels through several different functions that process the message, possibly writing it to one or more additional named pipes, until it arrives at its destination where the specified command is finally handled."
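A tasking fabric built on named pipes leaves a footprint a defender can look for: every pipe server and every client connection is a Windows event that Sysmon records as Event ID 17 (Pipe Created) and Event ID 18 (Pipe Connected). The following Python is an added example written for this article, not FireEye's code or anything from the Carbanak source. It runs over a handful of constructed Sysmon-style records (every image path, PID, timestamp and pipe name is made up) and flags a process that spins up a burst of pipes with random-looking names, then lists which other processes connected to them. The thresholds are assumptions to tune against your own baseline, not values taken from the analysis.

```python
"""Hunt for named-pipe tasking fabrics in Sysmon pipe events (Event ID 17/18)."""
import json
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample records shaped like Sysmon Event ID 17 (Pipe Created) and
# 18 (Pipe Connected) after a log shipper has flattened them to one JSON object
# per line. Field names follow the Sysmon schema; all values are made up.
SAMPLE_LOG = r"""
{"EventID": 17, "UtcTime": "2017-08-15 12:00:01.101", "ProcessId": 712,  "Image": "C:\\Windows\\System32\\svchost.exe", "PipeName": "\\ntsvcs"}
{"EventID": 17, "UtcTime": "2017-08-15 12:00:02.330", "ProcessId": 640,  "Image": "C:\\Windows\\System32\\lsass.exe",   "PipeName": "\\lsass"}
{"EventID": 17, "UtcTime": "2017-08-15 12:00:05.004", "ProcessId": 4412, "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe", "PipeName": "\\xk9q2r7vz1mb"}
{"EventID": 17, "UtcTime": "2017-08-15 12:00:05.210", "ProcessId": 4412, "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe", "PipeName": "\\d4h8nw3pq0ye"}
{"EventID": 17, "UtcTime": "2017-08-15 12:00:05.522", "ProcessId": 4412, "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe", "PipeName": "\\t7b2fm6kc9ls"}
{"EventID": 17, "UtcTime": "2017-08-15 12:00:06.015", "ProcessId": 4412, "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe", "PipeName": "\\g5z0vr1xn8ja"}
{"EventID": 18, "UtcTime": "2017-08-15 12:00:07.800", "ProcessId": 5120, "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\xk9q2r7vz1mb"}
{"EventID": 18, "UtcTime": "2017-08-15 12:00:08.110", "ProcessId": 5120, "Image": "C:\\Windows\\System32\\rundll32.exe", "PipeName": "\\t7b2fm6kc9ls"}
{"EventID": 1,  "UtcTime": "2017-08-15 12:00:09.000", "ProcessId": 5300, "Image": "C:\\Windows\\System32\\notepad.exe"}
"""


def shannon_entropy(text):
    """Bits of entropy per character; a crude 'does this look generated?' score."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_time(utc_time):
    # Sysmon UtcTime looks like "2017-08-15 12:00:05.004".
    return datetime.strptime(utc_time, "%Y-%m-%d %H:%M:%S.%f")


def parse_events(log_text):
    """Keep only pipe events (17/18) that carry a PipeName; skip everything else."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        if record.get("EventID") in (17, 18) and "PipeName" in record:
            events.append(record)
    return events


def analyze(events, min_pipes=4, window_seconds=60, min_entropy=3.3):
    """Flag processes that create >= min_pipes pipes inside window_seconds.

    Assumed thresholds: a legitimate service rarely opens several pipe servers
    within a minute, and generated names score higher than words like 'lsass'.
    """
    created = defaultdict(list)    # (image, pid) -> [(time, pipe_name)]
    connected = defaultdict(set)   # pipe_name -> {(image, pid)} that connected
    for ev in events:
        key = (ev["Image"], ev["ProcessId"])
        if ev["EventID"] == 17:
            created[key].append((parse_time(ev["UtcTime"]), ev["PipeName"]))
        else:
            connected[ev["PipeName"]].add(key)

    findings = []
    for (image, pid), items in created.items():
        items.sort()
        times = [t for t, _ in items]
        # Two-pointer sliding window: largest number of creations within the window.
        burst, j = 0, 0
        for i in range(len(times)):
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_seconds:
                j += 1
            burst = max(burst, j - i)
        if burst < min_pipes:
            continue
        pipes = sorted({name for _, name in items})
        random_names = [p for p in pipes if shannon_entropy(p.lstrip("\\")) >= min_entropy]
        connectors = set()
        for p in pipes:
            connectors |= connected.get(p, set())
        connectors.discard((image, pid))  # a process talking to its own pipe is not interesting
        findings.append({
            "image": image,
            "pid": pid,
            "burst": burst,
            "pipes": pipes,
            "random_names": random_names,
            "connectors": connectors,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_LOG)):
        print(f"{f['image']} (PID {f['pid']}): {f['burst']} pipes in window, "
              f"{len(f['random_names'])} random-looking names, "
              f"clients: {sorted(f['connectors'])}")
```

The burst rule is what catches a "circus of named pipes": one process standing up several pipe servers in quick succession, with other processes (here the constructed rundll32.exe) connecting to them, which is exactly the cross-process coordination the quote describes. Name entropy on its own is a weak signal for strings this short, so it is only used to enrich a burst finding, and both thresholds should be set after looking at what your own hosts do during a normal hour.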
Bennett said the tasking mechanism surprised him the most because "that lends much to its sophistication."
"This is what Mike had jokingly referred to as 'the diabolical circus of named pipes' in our Cyber Defense Summit talk. This tasking system is how the Carbanak backdoor receives its commands and command-related data," Bennett wrote via email. "The amount of engineering that went into this mechanism, when compared to the level of effort usually put forth by other malware authors for this essential part of the project, was surprising."
Bailey said the component of the Carbanak malware that surprised him the most was the use of shellcode specifically built to run Metasploit.
"The Metasploit feature surprised me because launching a publicly available tool via this fully featured, privately developed backdoor struck me as being a little bit like sneaking a ham sandwich into a banquet," Bailey said. "But this is consistent with the change in tactics and tools that FireEye saw with FIN7, one of the financially motivated cybercrime organizations observed using Carbanak. It also might dovetail with the fake security company (Combi Security) operated by FIN7. Maybe the A-team would break in and get a strategic foothold using Carbanak and then spin off Meterpreter so that their potentially unwitting pen-tester employees could go accomplish operational goals without having access to the good stuff?"