    Author Archive - Feike Hacquebord (Senior Threat Researcher)




    An iPad with a retina display, a blue iPhone and a Beats by Dr. Dre headphone set, please.

    This may read like a Christmas wish list of a spoiled child, but there’s more: a red dot aimpoint for a rifle, six high-end hard drives from Intel, a GPS rescue device for sailors. These are uncommon requests for Santa Claus to receive, even from adults. This list is real though, and part of a much longer wish list of money launderers who instruct mules to ship expensive goods to Russia.

    We’ve been following a group of cybercriminals who launder stolen money in a couple of ways. Typically, a money mule receives a wire transfer from a compromised account. Then, he is instructed to send the money overseas, using a legitimate money transfer system like Western Union. The other method they use tricks Internet users into believing they are going to work for a legitimate company that ships expensive goods like iPhones out of the US. In reality, these users will start to work for cybercriminals.

    Figure 1. Typical reshipping fraud site

    They are asked to receive expensive equipment at their US home address and then ship these goods to a second address, which is also in the US. From there, the goods are repackaged and sent to an address in Russia by a second mule. Initially, the mules are required to pay the shipping costs themselves. After 10 successful shipments, they are supposedly reimbursed for these expenses and are promised an extra bonus on top of their base salary. We think these reimbursements and salary payments never happen.

    Internal documentation of the money launderers suggests that their employees are indeed not treated very well. First, they are described as “drops” and second, they cannot expect to keep their job longer than 20 days. An internal note says: “the optimal time to work with a drop is 20 days. An order made close to or after 20 days is not likely to succeed.” After 20 days the drops get dropped themselves.

    This cynical way of using throw-away workers extends to Russia. All steps for dealing with the drops in the West are clearly written in Russian documentation, which we were able to download. This documentation could be for a cybercriminal who cannot memorize a thing, but we think they are meant as a guideline for temporary Russian-speaking personnel that constantly get renewed, just like their unfortunate colleagues in the US. Also, somebody has to be on the receiving end of the parcels that are sent to Russia and the Ukraine. It is likely these workers are temporary and get replaced when the money launderers think they pose a risk to their operations.

    The internal documentation of the money launderers clearly explains in Russian how to instruct drops in the West. A new drop should first complete a test order. If that doesn’t happen within 5 days, the drop is considered “dead”. All goods that get ordered should be worth more than $300. Internet users who realize they got hired as drops for illegal purposes are clearly marked as “not trustworthy” or “not willing to work”: no parcels should be sent to them.

    In Table 1 we summarized the items that were shipped by a couple of hundred mules. In total, the shipped items are worth about $500,000 and, as far as we can tell, all parcels were sent either to a suburb of Moscow or to Kiev, Ukraine.

    Table 1. Money launderers’ list of popular items

    The money launderers seem to take special orders too. Some months ago, they shipped hundreds of aimpoints for close range combat. These aimpoints are the more expensive red dot models for which export restrictions apply. More recently, numerous GPS units are being shipped to Russia. For these units there are export restrictions as well. Because of the export restrictions, the aimpoints and GPS units could be sold at a premium outside the US by the money launderers.

    These launderers have an extensive network of reverse proxies where they host their mule recruitment sites. Trend Micro’s Smart Protection Network blocks these sites, so that customers won’t become a victim of reshipping fraud.

     
    Posted in Bad Sites | Comments Off



    Four men were arrested a week ago in the Netherlands for spreading the so-called TorRAT malware. This malware only targeted Dutch-speaking users and used the Tor network for its command-and-control (C&C) servers. Its primary goal was financial theft from online banking accounts. Our Threat Encyclopedia entry for TROJ_INJECT.LMV provides a more in-depth description of the malware. Users fell victim to this threat by clicking fake invoices in specially crafted spammed messages. These invoices did not have the usual grammar and spelling errors found in typical spam runs sent by fellow con men who are not native speakers.

    Leave No Trace

    The Dutch threat actors were careful in hiding their tracks. As mentioned earlier, they used Tor hidden C&C servers. They had a tormail.org account for e-mail communications and they used underground crypting services to evade detection from antivirus software. The digital currency Bitcoin was used to launder their stolen money and make payments to fellow cybercriminals.

    These measures made investigating the identity of the actors difficult; however, the Dutch National High Tech Crime Unit (NHTCU) was able to arrest them. We don’t know exactly what fatal errors the gang made, but we know that just a couple of mistakes on their end can reveal their true identities.

    Masked and (Not So) Anonymous

    We have been following the gang for some time and we were able to draw a few useful conclusions. The first obvious one was that we were really dealing with a native Dutch speaker. Looking at one of the 300+ malware binaries the gang has spread, we believe they made use of an Armenian crypting service called “SamArt”. Crypting malware makes detection by antivirus companies more difficult, but when you want to hide your identity, contact with a third-party tool puts you at risk. In addition, during the fall of 2012, some of the C&C servers were not hosted on Tor hidden services, but in a Turkish data center.

    More importantly, the gang faced a classic problem, which their pre-Internet fellow thieves have also faced: stealing money is the easy part. Getting the stolen money into your own pocket is the difficult part. It is relatively straightforward to manipulate bank transactions on an infected computer, but you need mules to launder the stolen money. The Dutch gang allegedly laundered money through bitcoin transactions and even set up their own bitcoin exchange service, FBTC Exchange, which went dark after the arrests.

    Buying a service from a crypting service, using tormail.org, and recruiting and abusing money mules puts cybercriminals at risk of getting caught. A single error can lead to the unraveling of the whole cybercrime operation. Tor offers a high degree of anonymity, but Tor tools are not immune to data leaks.

    Additionally, at some point the bad actor has to appear from behind the Tor curtain to put stolen assets to actual use. This means that the cybercriminals hiding behind Tor are not untraceable per se. This was proven by the recent arrest of the operator of Silk Road, an underground marketplace for illegal drugs. The Silk Road owner used Tor, but was caught by the FBI by a thorough investigation of bits of evidence left on the Internet.

    The Mevade botnet, responsible for a sudden increase in Tor users in August 2013, was traced back by us to the work of a Ukrainian/Israeli adware company. And now, the Dutch NHTCU has tracked down a gang who abused Tor to steal money from Dutch Internet users. We congratulate our friends at the NHTCU on this great and impressive result.

     
    Posted in Malware | Comments Off



    Since August 19, 2013, there has been remarkable growth in the number of Tor users, which caused much speculation. Was August 19 the starting date for a mass flight from the NSA’s PRISM project? Were European Internet users downloading the latest American cable TV series only via Tor, thus circumventing blockades of sites like the Pirate Bay by European ISPs? Neither was very likely, so some thought a botnet abusing the Tor network to hide its command-and-control server must be the reason for the sudden increase in Tor users.

    Yesterday, Fox-IT published evidence for this plausible explanation. The Mevade malware family downloaded a Tor component, possibly as a backup mechanism for its C&C communications. (We will release a second blog post describing in more detail the behavior of the Mevade variants we have encountered.)

    Feedback provided by the Smart Protection Network shows that the Mevade malware was, indeed, downloading a Tor module in the last weeks of August and early September. Tor can be used by bad actors to hide their C&C servers, and taking down a Tor hidden service is virtually impossible.

    The actors themselves, however, have been a bit less careful about hiding their identities. They operate from Kharkov, Ukraine and from Israel, and have been active since at least 2010. One of the main actors is known as “Scorpion”. Another actor uses the nickname “Dekadent”. Together, they are part of a well-organized and probably well-financed cybercrime gang.

    We strongly associate these actors with installations of adware and hijacking search results. Therefore, we suspect that one of the ways the Mevade botnet is monetized is by installing adware and toolbars onto affected systems. In fact, we have seen Mevade downloading adware. Adware and toolbars might seem less harmful than e.g. data stealing malware, but the reality is that there is a lot of money to be made in fraudulent advertising.

    We would also like to point out that Mevade also has a backdoor component and communicates over SSH to remote hosts. Therefore, the risk for data theft is still very high.

     
    Posted in Bad Sites, Malware | Comments Off



    Hacktivism and crime are a toxic combination for the health of the Internet. This was shown once again in the recent DDoS attack against Spamhaus.org that peaked at 300 Gbit/s. Spamhaus is a non-profit anti-spam organization that helps filter spam for millions of Internet users. When Spamhaus goes down, a lot of inboxes will be flooded with spam.

    The DDoS attack was allegedly orchestrated by a Dutch webhosting company called Cyberbunker and CB3Rob. This webhosting company has roots in the hacker scene and has hosted Wikileaks and the Pirate Bay in the past. Cyberbunker claims to have a datacenter in a former NATO bunker in the Netherlands. It is not clear whether that is still true today, or what exact role Cyberbunker had in the DDoS attack against Spamhaus. The owner of Cyberbunker/CB3Rob does act as the spokesman of an attack that tries to blast a company off the Internet, as if that were a normal job. This is where so-called hacktivism on the Internet has derailed completely. The boundary between crime and hacktivism has been blurred. A reality check for Cyberbunker is in order.

    Spamhaus claims that Cyberbunker/CB3Rob is among the worst webhosting companies in the world. We do see problems ourselves too, but we wouldn’t rate CB3Rob as the worst webhosting company. However, CB3Rob claims that it will host anything except content related to child abuse and terrorism. This policy may be inspired by an idealistic view that anybody should have uncensored access to the Internet, but it has attracted cybercriminals as well. This is where hacktivism meets crime – a toxic combination.

    A good illustration that crime corrupts hacktivism is that the network of Cyberbunker has been used in a BGP hijack of an IP address of a DNS server of Spamhaus (https://greenhost.nl/2013/03/21/spam-not-spam-tracking-hijacked-spamhaus-ip/). The DNS servers of Spamhaus are a vital part of its anti-spam protection. The hijack was an attempt to inject lots of false positives into the spam reputation system of Spamhaus. Though this hijack did not cause much damage, as most networks did not accept the hostile BGP announcement, the intention was clear: someone using Cyberbunker/CB3Rob’s network tried to sabotage the spam reputation system of Spamhaus. That does not resemble hacktivism; it resembles crime.




    Trend Micro has been working and collaborating with law enforcement agencies such as the Federal Bureau of Investigation (FBI) and the Office of the Inspector General (OIG) in taking down Rove Digital, an Estonia-based cybercriminal gang. Last week, Valeri Aleksejev, one of the members of Rove Digital, pleaded guilty to charges of wire and computer intrusion in the District Court for the Southern District of New York in Manhattan.

    Aleksejev served as one of the programmers/coders for the Rove Digital operation. He is only the second person to be successfully extradited to the United States as part of the Rove Digital case. The remaining four suspects, including CEO Vladimir Tsastin, remain in Estonia pending extradition. All six were arrested in November 2011; one suspect remains at large. Sentencing for Aleksejev is expected to occur in May of this year.

    Trend Micro took part in the takedown of Rove Digital by providing law enforcement with information about Rove Digital’s infrastructure. This investigation and collaboration with industry partners and law enforcement authorities started in 2010.

    Rove Digital is known for its click-fraud activities and its use of malware like DNS changer Trojans and FAKEAV to profit from its victims. Based on our investigation, the perpetrators used DNS changer Trojans to hijack search results, replace ads on legitimate websites, and install other malware. Another way for them to earn profit was installing FAKEAV on users’ systems. This bogus security software can cost around $100. For more details on Trend Micro’s investigation of Rove Digital, read our paper, Operation Ghost Click: The Rove Digital Takedown.

     
    Posted in Botnets | Comments Off



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice