The Police Trojan has been targeting European users for about a year. It should come as no surprise that the latest incarnations of this obnoxious malware have started targeting the United States and Canada.
In the latest batch of C&C servers we have analyzed, not only has the list of countries increased but also their targets are now more specific. For instance, UKash vouchers are not available in the U.S., thus the U.S. fake police notification that spoofs the Computer Crime & Intellectual Property Section of the U.S. Department of Justice, only mentions PaySafeCard as the accepted payment method. The criminals also took the time in adding plenty of logos of local supermarkets and chain stores where the cash vouchers are available.
Beyond the facade of this criminal attack, we know there is a Russian-speaking gang, which we theorized in our last paper, that had a link to the new Gamarue worm making the rounds in recent months. We can now add another compelling link: the fake police domain worldinternetpolice.net announced by the Trojan, has the same registrar as the confirmed Gamarue worm C&C server photoshopstudy10.in. The first time a researcher sees such a link, it might just be pure coincidence. The second and third times, the link starts to solidify.
What is becoming crystal clear is that the same Eastern European criminal gangs who were behind the fake antivirus boom are now turning to the Police Trojan strategy. We believe this is a malware landscape change and not a single gang attacking in a novel way. We also found C&C consoles that suggest a high level of development and possible reselling of the server back-end software used to manage these attacks. Police Trojan attacks are here to stay – until they are done milking this cow and have to look for a fatter one, that is.
You can read our full report on the Police Trojan in Security and Intelligence section of the Trend Micro website.