On November 30th, an international law enforcement operation stamped out Avalanche, a large-scale content and management platform designed for the delivery of bullet-proof botnets. Avalanche’s scale and scope spanned victims from 180 countries, over 800,000 domains in 60+ top-level domains (TLD), more than one million phishing and spam e-mails, 500,000 infected machines worldwide, and 130TB of captured and analyzed data.
The coordinated effort from international law enforcement agencies that include Germany’s Public Prosecutor’s Office Verden and the Lüneburg Police, the U.S.’s Attorney Office for the Western District of Pennsylvania, Department of Justice and the Federal Bureau of Investigation (FBI), Europol, and Eurojust as well as partners in ShadowServer, resulted in one of the most successful anti-cybercrime operations in recent years. Avalanche, whose takedown was four years in the making, joins SpyEye, SIMDA, Refud.me and Cryptex Reborn, DRIDEX, ZeroAccess, TDSS, ZeuS/ZBOT, Dorkbot and Nigerian scammers, in a string of similar takedowns that thwarted malefactors from further launching cyberattacks and stealing financial data.
We also commend the security researchers and analysts who were instrumental in dismantling Avalanche, along with the support of industry stakeholders and all those who helped in this long investigation.
|Malware Family||Trend Micro Detection||Malware Family||Trend Micro
|Corebot||COREBOT||Smoke Loader / Dofoil||GAMARUE|
|Bolek||BOLEK||TeslaCrypt||RANSOM_TESLACRYPT / CRYPTESLA|
|Gozi2||GOZI/PAPRAS||Tiny Banker / Tinba||TINBA|
|Nymaim||NYMAIM / HPNYMAIM||Cerber||RANSOM_CERBER|
Figure 1. Some of the malware families leveraged by Avalanche
Information from Europol and Shadowserver Foundation cited over 20 malware families involved in Avalanche’s campaigns, which Trend Micro’s free HouseCall online scanner has detections for. Affected end users can also utilize HouseCall to remove the related files from their systems—which is as crucial as malware removal. Command and control (C&C) communications from infected machines, for instance, can still be triggered, consequently generating junk traffic that can affect system performance. A compromised machine could also be potentially configured to prevent it from accessing Internet resources such as cleanup tools and patches. Users can mitigate risks of reinfection by updating device and account credentials, checking if online accounts or backups have been modified, and ensuring that the latest patches are installed in the system.
Figure 2. Top countries affected by banking malware, Q1–Q3 2016
Cashing In on Financial Information
Aside from ransomware, Avalanche’s arsenal mainly comprised banking malware. These enabled bad guys to surreptitiously harvest e-mail and banking credentials, which cost German online banking systems approximately 6 million euros in losses.
Avalanche paints a classic picture of cybercrime’s commercialization, employing malware to cash in on the victims’ digital information. Feedback from our Smart Protection Network showed that within the first three quarters of 2016, Brazil and the U.S. had the most banking malware detections in their regions. In Europe, most of detections were observed in Germany, Italy, France, United Kingdom, Austria, and Spain. In the APAC region, Japan, the Philippines, Vietnam and China took the brunt of threats that leveraged banking Trojans.
Making the World Safe for Exchanging Digital Information
Avalanche’s infrastructure was spread across 30 countries and several U.S. states, and needed a multinational effort to take down. Trend Micro, particularly the Forward Looking Threat Research (FTR) team, works concertedly with various law enforcement agencies around the world—the Interpol, Europol, FBI, and U.K.’s National Crime Agency, to name a few—to help fight cybercrime.
We help empower international law enforcement organizations that keep watch over their cyberspace by providing the necessary technology, information and expertise. We don’t just supply data; Trend Micro also actively collaborates with law enforcement on investigations to ultimately attribute and bring to justice those behind cybercriminal attacks.
More than just working to protect our customers, Trend Micro also aims to make the world safe for exchanging digital information. Cybercrime is a growing global “enterprise,” but with five arrests, 37 searched premises, 39 seized servers and 221 more knocked offline, Avalanche’s takedown, along with similar triumphs, not only serves as a cautionary tale for would-be cybercriminals. It also demonstrates our industry’s progress in making the internet safer for everyone.