According to FireEye security researchers, the source code of a backdoor associated with the prolific FIN7 threat actor has surfaced on VirusTotal, together with builders and other tools from the group.
The financially motivated actor, also known as Carbanak, has been active since 2015 and has mostly targeted businesses worldwide to steal payment card data. The group is believed to have targeted more than 100 US companies, mostly in the restaurant, gaming, and hospitality industries.
Last year, three Ukrainian nationals, one of them a supervisor, were arrested for allegedly being members of the group, but FIN7 activity did not stop, and a recent report documented the use of a new malware family in fresh attacks.
Carbanak, the group's full-featured backdoor, which has been used to steal millions of dollars, has been analyzed numerous times before. Now the security researchers have a new vantage point on the malware, thanks to two RAR archives containing the full Carbanak source code.
The code is 20MB in size, comprising 755 files, with 39 binaries and 100,000 lines of code, FireEye says in a series of blog posts detailing the investigation of the source code and its conclusions.
To evaluate the code, whose comments and interface strings are in Russian, the researchers used a script (available on GitHub) that generates a sorted vocabulary list from the source tree, which produced a list of more than 3,400 words. This enabled the researchers to read the comments in the code and helped them translate the Carbanak graphical user interfaces found in the source code dump.
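The vocabulary-list approach is straightforward to reproduce for any foreign-language source dump. The following is an added example written for this article, not FireEye's published script: it walks a source tree, decodes each file as UTF-8 with a fallback to Windows-1251 (an assumption, since Russian-language Windows sources of that era are often cp1251 rather than UTF-8), extracts Cyrillic tokens with a regex so that Latin identifiers and API names are ignored, and emits the words sorted by frequency. The embedded sample files are constructed stand-ins with invented comments, not Carbanak code.

```python
import re
import sys
from collections import Counter
from pathlib import Path

# Constructed sample input: two fake "source files" with Russian comments.
# These are illustrative only and are not taken from the Carbanak dump.
SAMPLE_FILES = {
    "tasking.cpp": (
        "// Обработка команды из именованного канала\n"
        "int handle(Cmd* c) { /* проверка команды */ return 0; }\n"
    ),
    "resolve.h": (
        "// Разрешение адресов API по хешу\n"
        "// проверка таблицы импорта\n"
    ),
}

# Cyrillic block plus the Cyrillic Supplement; Latin identifiers are skipped.
CYRILLIC_WORD = re.compile(r"[\u0400-\u04FF\u0500-\u052F]+")

# File types worth scanning for comments and UI strings (assumption).
SOURCE_SUFFIXES = (".c", ".cpp", ".h", ".hpp", ".rc", ".txt", ".inc")


def decode_source(raw: bytes) -> str:
    """Decode a source file: strict UTF-8 first, then Windows-1251 (cp1251).

    Cyrillic text stored as cp1251 is never valid UTF-8 (lead bytes 0xC0-0xFF
    are followed by non-continuation bytes), so the fallback is reliable.
    """
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("cp1251", errors="replace")


def extract_words(text: str) -> list:
    """Return all lowercased Cyrillic tokens found in the text."""
    return [w.lower() for w in CYRILLIC_WORD.findall(text)]


def build_vocabulary(files: dict) -> Counter:
    """files maps a filename to its decoded text; returns word -> count."""
    counts = Counter()
    for text in files.values():
        counts.update(extract_words(text))
    return counts


def sorted_vocabulary(counts: Counter) -> list:
    """Most frequent words first, ties broken alphabetically."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def load_tree(root: str) -> dict:
    """Read every source file under root into a filename -> text mapping."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SOURCE_SUFFIXES:
            try:
                files[str(path)] = decode_source(path.read_bytes())
            except OSError:
                continue  # unreadable file; skip rather than abort the scan
    return files


def main(argv: list) -> None:
    # Usage: python vocab.py <unpacked-source-dir>; with no argument the
    # constructed sample above is used so the script runs offline.
    files = load_tree(argv[1]) if len(argv) > 1 else SAMPLE_FILES
    for word, count in sorted_vocabulary(build_vocabulary(files)):
        print(f"{count}\t{word}")


if __name__ == "__main__":
    main(sys.argv)
```

The output is a tab-separated count/word list that can be pasted into a translation tool in frequency order, so the few hundred most common words, which cover most of the comments, get translated first. Words that appear only once are usually identifiers or typos and can be deferred.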
“When the CARBANAK tasking component receives a command, it forwards the command over a named pipe where it travels through several different functions that process the message, possibly writing it to one or more additional named pipes, until it arrives at its destination where the specified command is finally handled,” FireEye explains.
“The CARBANAK source code is illustrative of how these malware authors addressed some of the practical concerns of obfuscation. Both the tasking code and the Windows API resolution system represent significant investments in throwing malware analysts off the scent of this backdoor,” FireEye concluded.