Carbanak banking malware source code was uploaded to VirusTotal

The source code of Carbanak, one of the world’s most dangerous pieces of malware, had been sitting on VirusTotal for two years with almost no one noticing, not even security companies. Eventually, a security researcher at the US cybersecurity company FireEye discovered it, and FireEye has since published a blog post on its website analyzing the Carbanak source code in detail, which the cybersecurity community can learn from.

Carbanak is a backdoor Trojan, and the operation behind it is sometimes referred to as FIN7, Anunak or Cobalt. FIN7 is by far one of the most dangerous and prolific hacking organizations in the world, specializing in attacks on banks and financial institutions, and has stolen over a billion euros from more than 100 banks across the globe.

FIN7 typically infects bank employees with the Carbanak malware and from there moves into sensitive bank systems. For many years, security researchers tasked with investigating FIN7 attacks have had Carbanak samples in hand, but only as compiled binaries, which are difficult to analyze and understand fully. The situation changed in April 2019, when FireEye security researcher Nick Carr found two files on the malware scanning portal VirusTotal that contained the source code of Carbanak. The Carbanak source code is 20MB in size and contains 755 files. The two files were uploaded from an IP address in Russia.

“CARBANAK source code was 20MB comprising 755 files, with 39 binaries and 100,000 lines of code,” researchers say. “Our goal was to find threat intelligence we missed in our previous analyses.”

Today, the FIN7 organization has ceased to exist. In March 2018, Europol arrested the leader of the group in Spain, and in August of the same year the Ukrainian police arrested three suspects. However, other members of FIN7 did not give up: according to several sources in the cybersecurity industry, the FIN7 organization appears to have split into smaller gangs that still target the banking industry.

Via: ZDNet