Dear blog readers,

I recently did something very interesting and I decided to share my results and findings.

What I did was the following. While doing a  technical collection round for malicious software I came across to Carberp's source where I decided to take a peek and found out some pretty interesting and relevant personally attributable IoCs (Indicators of Compromise) which led me to further pursue an OSINT enrichment process which led me to believe and conclude that there's a high probability that Aquilla (Dmitry) from the WASM forum community could be one of the main authors of the Carberp banking trojan.

The most interesting part of this technical collection round which then turned into IoCs extraction and then OSINT enrichment based on the successfully found hardcoded IoCs in Carberp's publicly accessible and leaked source code is that I think I have managed to establish a direct connection between the hardcoded C&Cs and Is Aquila (Dmitry) from the WASM forum community.

Here's the interesting part and the actual hardcoded C&C IoCs I found in Carberp's publicly accessible source code:

hxxp://178.63.11.137 (Primary test C2)
hxxp://94.240.148.127 (Alt configuration node parsing `/cfg/passw.plug`)

Payload Drop Zones & Telemetry:
hxxp://apartman-adriana.com (http://.../temp/DrClient.dll) - Email: [email protected]
hxxp://56tgvr.info

We then have an interesting connection for one of the IoCs (hxxp://178.63.11.137) which appears to have been known to be responding to the email server for the WASM forum community which based on additional analysis appear to have been managed and operated and actually owned by Aquila also known as Dmitry (Email: [email protected]; [email protected]; hxxp://dimon.ru).

Related domain registrations for Aquila:

hxxp://symbolographia.com
hxxp://wasm.site
hxxp://posthumanism.info

Related screenshot: