I got a tip a very short time ago in our Slack group about a possible Carbanak source code leak. A quick Google search proved this is indeed a possibility.
Please make sure you take proper security steps such as using a sandbox and an isolated environment. The origin of these zip files is unknown and they were not inspected for booby traps etc.
These files were uploaded for research and defense purposes only. If you plan to use this for malicious reasons you suck.
If you are creating any signatures such as YARA or Snort rules, please share them back with the community.
My team at Minerva have organized the information into a single blog post:
Some on-going updates posted during the initial investigation:
I wouldn't put a solid carbanak tag on it just yet :) it sure has similarities...— Denis O'Brien (@Malwageddon) July 11, 2018
after deeper look into Ratopak we should say - it is not original Buhtrap but Pegasus. Pegasus and Buhtrap have very similar TTP. So, Ratopak is the right shot here.— codelancer (@codelancer) July 11, 2018
Comodo signed binaries from this #carbanak leak (CN="\"Allegro\" LLC", O="\"Allegro\" LLC", STREET="Nagatinsky 2ND, 2,2", L=Moscow, ST=Moscow, OID.22.214.171.124=115487, C=RU) leads to this attack on Russian banks: https://t.co/LTbCr8CVu6 https://t.co/gmcw2xk76H — Omri Moyal (@GelosSnake) July 11, 2018
At least some parts of the source code leak fit to Buhtrap/Ratopak (f4ae5579930f20ccc41d1f8b1e417e87) code as described here: https://t.co/zkcv05OaEC #carbanak #buhtrap #ratopak pic.twitter.com/rqQrzIxFJF— Daniel Plohmann (@push_pnx) July 11, 2018
Probably why this group was called Pegasus before the leak: pic.twitter.com/nySAMXek6o— Omri Moyal (@GelosSnake) July 11, 2018
And of course, Enums visible machines in current or any specified domain pic.twitter.com/KD0bFGCSD1— Bʀʏᴀɴ (@bry_campbell) July 11, 2018
Somebody leaked the Carbanak source code last week— Catalin Cimpanu (@campuscodi) July 11, 2018
I've been talking with several security researchers who are currently trying to verify the code's authenticity and they believe it to be the real thing, albeit they're not 100% sure just yet pic.twitter.com/8sAUHPEgnv
Here's a video of the arrest: https://t.co/vzKhroTYFt— Catalin Cimpanu (@campuscodi) July 11, 2018
Are you wondering why the leaked #carbanak zip files are named after @groupib? Well, they are the first to discover #carbanak, which was named Anunak by them. Also been actively working against the hacker group for many years. pic.twitter.com/UobwEj0SWK — Omri Moyal (@GelosSnake) July 11, 2018
This #RatoPak / (not) #Carbanak leak investigation and discussions really shows once again how difficult attribution can be and why security researchers should collaborate as much as possible. Long night ahead of us (: — Omri Moyal (@GelosSnake) July 11, 2018
Confirmed Link: '#Pegasus' shares some code lib struct with #Buhtrap and appears to be an improved/altered version of the leaked Buhtrap main 'lib' (machineid, mem, etc.) 🤔 h/t @push_pnx for lead— Vitali Kremez (@VK_Intel) July 11, 2018
Exact Code Overlap:
buhtrap/11. DLL Side-Loading+panel/.../libs/ -> pegasus/inc/ pic.twitter.com/NlvcD7ecLO
List of banks possibly hacked and found in the leak: — Omri Moyal (@GelosSnake) July 11, 2018
AK BARS Bank