Meet Carberp, the Bank Service Hitman

Building on the technologies implemented in Zeus and the Brazilian Bankers, Trojan.Downloader.Carberp.A has rapidly obtained its membership card in a rather exclusivistic club of banker Trojans

Long gone are the times when the few existing malicious applications were designed in order for their creators to play pranks on their colleagues. The rapidly evolving malicious landscape has replaced them with state-of-the-art money makers such as the snitch we’ll be discussing about below.

Make no mistake about it; the 72 KB downloader called Trojan.Downloader.Carberp.A packs quite a punch. It is meant to intercept, manipulate and steal the confidential information a computer user might send or receive over the Internet; and what is particularly disturbing about it is the fact that it snatches login credentials from sites that require log-in sessions over an SSL connection, be they online banking services, e-mail providers or any other online services subject to authentication. Initially designed to protect the user from prying eyes, the SSL and HTTPS technologies actually mark the respective users as targets. Apart from keeping an eye on every service that is important enough to force SSL authentication, Trojan.Downloader.Carberp.A is also instructed to monitor a list of websites containing quite a few e-banking portals.

How can you get infected?

Once it gets executed on the computer, Trojan.Downloader.Carberp.A creates a couple of temporary files in the %temp% folder, then copies itself in the Windows Startup folder in order to execute itself after every boot or restart. The approach may seem rudimentary as compared to the one used by other families of malware that add startup entries to the Registry. However, it’s this very depreciation that allows Trojan.Downloader.Carberp.A to execute itself on newer operating systems, or under users without administrative privileges. Right after the infection, the downloader connects to a C&C server, from which it will download an encrypted configuration file, along with additional fire-power such as plug-ins allowing it to intercept Internet traffic and to kill whatever antivirus it may find on the recently infected computer. In return, Trojan.Downloader.Carberp.A sends the C&C server a unique ID and it uploads a list of currently running processes via a GET request.  

After it has successfully copied itself in the startup folder as either syscron.exe or chkntfs.exe, it hides its presence by using function hooks in ntdll.dll in order to intercept any calls to NtQueryDirectoryFile and ZwQueryDirectoryFile, which results in the user’s inability of seeing its files when using Windows® Explorer® or the command-line dir query.

Making use of certain hooks in the local internet browser, this malicious downloader intercepts the victim’s credentials and sends them to a C&C server the moment the computer user logs in through an SSL session.

The aim of this Trojan is twofold:

  • on the one hand any SSL-based authentication session allowing access to online banking, e-mail and social network accounts may get intercepted and the confidential data stolen, since every time a person logs in, Trojan.Downloader.Carberp.A steals the credentials (even before they get to be encrypted) and sends them to its C&C server over HTTP. By the time the log in request reaches the bank the credentials, will, unfortunately, have already fallen in the hands of the attackers.
  • on the other hand, Trojan.Downloader.Carberp.A also targets certain banks (in Germany, Denmark, the Netherlands, US and Israel) following precise instructions which it receives from the C&C server along with the configuration instructions.

This sophisticated approach to the by now classic man-in-the-browser attacks provides a lucrative financial tool designed to steal money especially from online service customers and SMBs. It is worth mentioning Trojan.Downloader.Carberp.A’s ability to install without administrator privileges, its ability to attack systems that run the latest versions of OSs and the fact that it doesn’t make any changes in the Registry.

BitDefender® customers have been protected since day zero via generic packer routines included already in the signature database. If you are not protected by a BitDefender product, you may download the free removal tool from the Downloads section and check out whether you are infected or not. Alternatively, you may also run a 60-second QuickScan to see if your system doesn’t hide other badware you may not be aware of.


Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author


A blend of teacher and technical journalist with a pinch of e-threat analysis, Loredana Botezatu writes mostly about malware and spam. She believes that most errors happen between the keyboard and the chair. Loredana has been writing about the IT world and e-security for well over five years and has made a personal goal out of educating computer users about the ins and outs of the cybercrime ecosystem.