• Trend Micro
  • About TrendLabs Security Intelligence Blog
Search:
  • Home
  • Categories
    • Ransomware
    • Vulnerabilities
    • Exploits
    • Targeted Attacks
    • Deep Web
    • Mobile
    • Internet of Things
    • Malware
    • Bad Sites
    • Spam
    • Botnets
    • Social
    • Open source
Home   »   Malware   »   Dutch TorRAT Threat Actors Arrested

Dutch TorRAT Threat Actors Arrested

  • Posted on:October 27, 2013 at 7:40 pm
  • Posted in:Malware
  • Author:
    Feike Hacquebord (Senior Threat Researcher)
0

Four men were arrested a week ago in the Netherlands for spreading the so-called TorRAT malware. This malware only targeted Dutch speaking users and utilized the Tor for is command and control (C&C) servers. Its primary goal was financial theft from online banking accounts. Our Threat Encyclopedia entry for TROJ_INJECT.LMV provides a more in-depth description of the malware. Users fell victim to this threat by clicking fake invoices in specially crafted spammed messages. These invoices did not have the usual grammar and spelling errors like the ones in typical spam runs sent by fellow con men who are not native speakers.

Leave No Trace

The Dutch threat actors were careful in hiding their tracks. As mentioned earlier, they used Tor hidden C&C servers. They had a tormail.org account for e-mail communications and they used underground crypting services to evade detection from antivirus software. The digital currency Bitcoin was used to launder their stolen money and make payments to fellow cybercriminals.

These made investigation into the identity of the actors difficult; however, the Dutch National High Tech Crime Unit (NHTCU) was able to arrest them. We don’t know exactly what fatal errors the gang made, but we know that just a couple of mistakes on their end can reveal their true identities.

Masked and (Not So) Anonymous

We have been following the gang for some time and we were able to draw a few useful conclusions. The first obvious one was that we were really dealing with a native Dutch speaker. Looking at one of the 300+ malware binaries the gang has spread, we believe they made use of an Armenian crypting service called “SamArt”. Crypting malware makes detection by antivirus companies more difficult, but when you want to hide your identity, contact with a third-party tool puts you at risk. In addition, during the fall of 2012, some of the C&C servers were not hosted on Tor hidden services, but in a Turkish data center.

More importantly, the gang faced a classic problem, which their pre-Internet fellow thieves have also faced: stealing money is the easy part. Getting stolen money in your pocket as your own is the difficult part. It is relatively straightforward to manipulate bank transactions on an infected computer. But you need mules for laundering stolen money. The Dutch gang allegedly laundered money through bitcoin transactions and even set up their own bitcoin exchange service, FBTC Exchange that went dark after the arrests.

Buying a service from a crypting service, using tormail.org, and recruiting and abusing money mules puts cybercriminals at risk of getting caught. A single error can lead to the unraveling of the whole cybercrime operation. Tor offers a high degree of anonymity, but Tor tools are not immune to data leaks.

Additionally, at some point the bad actor has to appear from behind the Tor curtain to put stolen assets to actual use. This means that the cybercriminals hiding behind Tor are not untraceable per se. This was proven by the recent arrest of the operator of Silk Road, an underground marketplace for illegal drugs. The Silk Road owner used Tor, but was caught by the FBI by a thorough investigation of bits of evidence left on the Internet.

The Mevade botnet, responsible for a sudden increase of Tor users in August 2013, was traced back by us to be the work of a Ukrainian/Israeli adware company. And now, the Dutch NHTCU has tracked down a gang who abused Tor for stealing money from Dutch Internet users. We congratulate our friends at NHTCU with this great and impressive result.

Learn how to protect Enterprises, Small Businesses, and Home Users from ransomware:
ENTERPRISE »
SMALL BUSINESS»
HOME»
Tags: cybercrimeDeep Weblaw enforcementMevadeSamArtsilk roadTorRAT

Security Predictions for 2020

  • Cybersecurity in 2020 will be viewed through many lenses — from differing attacker motivations and cybercriminal arsenal to technological developments and global threat intelligence — only so defenders can keep up with the broad range of threats.
    Read our security predictions for 2020.

Business Process Compromise

  • Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more, read our Security 101: Business Process Compromise.

Recent Posts

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits
  • August Patch Tuesday Fixes Critical IE, Important Windows Vulnerabilities Exploited in the Wild
  • Water Nue Phishing Campaign Targets C-Suite’s Office 365 Accounts

Popular Posts

Sorry. No data so far.

Stay Updated

  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © Trend Micro Incorporated. All rights reserved.