Source code of the very successful Carbanak malware has been on VirusTotal for the past two years.
Security provider FireEye found it, analyzed it, and decided to go public with the discovery.
The source code is for the backdoor Trojan created by the successful hacking group called FIN7, also known as Carbanak, Anunak, or the Cobalt Group. This group has been responsible for over $1.12 billion in thefts from financial entities.
The attack usually starts when bank employees download the Carbanak malware, which is then used to pivot inside compromised networks.
The attackers then gain access to the right system and transfer money from a bank’s accounts or orchestrate coordinated ATM cash-outs.
This month FireEye security researcher Nick Carr found two archives uploaded on the VirusTotal malware scanning portal that contained Carbanak’s source code.
The two files, uploaded from a Russian IP address, turned out to be the real deal, and have helped FireEye better understand FIN7’s malware, even if, by that time, the group had switched to using different tools.