The infamous Carberp trojan is again on sale on underground markets for $40,000, four times the original asking price.
RSA researchers found the banking malware had returned after a nearly two-year hiatus.
The crime gang last sold Carberp in February 2011, and abruptly retreated underground about a month after selling the trojan for $10,000 in closed Russian online forums.
In June, a central operator of the botnet, known by the online alias Hermes, was arrested by Russian authorities. Several other cyber gang members were also apprehended by police in 2011.
The botnet was among the world's largest banking networks detected at the time and was believed to have caused US$4.5 million in loses, primarily impacting users in Russia. Carberp is delivered via Black Hole exploit kit campaigns, or drive-by downloads, RSA says.
RSA's fraud action research intelligence expert Lab Limor Kessem told SC Carberp attackers returned to take advantage of an opening in the marketplace left by the withdrawal of activity on the Citadel network.
The researchers announced last week that a key Citadel developer was banned from one of the largest online groups that sells the banking trojan, indicating that the group was steadily withdrawing from the commercial market to privatize their operations.
“We saw this happening about two weeks after what occurred with the Citadel [network]," Kessem said. “Carberp is a private gang, and they don't usually sell their trojan commercially. They usually do this to collect money for another campaign.”
The network will likely disappear again when it is satisfied with sales from its high-ticket, revamped trojan, she added.
Updates to the malware include bug fixes and a bootkit version, which commands the US$40,000 price. The trojan is also being offered for monthly use fees between US$2000 to US$10,000 range.
This latest Carberp variant contains code from another trojan, Rovnix, an “advanced bootkit-type threat that infects the Volume Boot Record”, according to RSA.
Kaspersky researcher Denis Maslennikov said a mobile version of the Carberp trojan had been detected on Android phones in Russia.
“There is no secret that online banking is becoming more and more popular in Russia, and banks are very active in promoting online banking with various authorization methods,” Maslennikov said.
When users with Carberp-infected machines visit their banking sites, the trojan modifies the web page and invites users to download an application "allegedly necessary for logging into the system", Maslennikov said.
Users were then directed to enter their phone number or scan a QR-code to receive a link to download the malicious app via SMS message.