SpyEye-using Cybercriminal Arrested in Britain

  • Posted on: May 22, 2014 at 8:59 am
  • Posted in: Malware
  • Author: Trend Micro

We’ve recently seen multiple arrests and takedowns of cybercriminals and their infrastructure. Here is another one to add to the list. Law enforcement in England, in cooperation with Trend Micro, has arrested and prosecuted a cybercriminal known as Jam3s. His real identity is James Bayliss. James ran several SpyEye command-and-control servers and also coded a SpyEye plugin named ccgrabber. More than four years after the investigation started, this cybercriminal has been successfully prosecuted.

James worked closely with Aleksandr Andreevich Panin, a.k.a. Gribodemon, in coding the ccgrabber plugin for SpyEye. This plugin was used to collect credit card numbers and CVVs by analyzing the POST requests made by the infected machine.

One of James’s SpyEye servers was hosted at the IP address 91.211.117.25, which was active during September 2010. Below is the SpyEye configuration file we decrypted:

Figure 1. SpyEye configuration file

Jam3s had many connections in the underground scene and friends he made during his online criminal career. They mostly appear to be criminals who run botnets and/or write botnet code. He communicated frequently with Mr Panin, a.k.a. Gribodemon, and made friends with Hamza Bendelladj, a.k.a. bx1. Trend Micro also participated in the arrests of Mr Panin and Mr Bendelladj. These arrests were part of a global investigation into the SpyEye malware and several associated cybercriminals.

Other ICQ accounts he was associated with include SpyEye notify, Death/Cripter, Criminal, and Parabola, to name a few.

Figure 2. Associated accounts

This arrest shows how security companies, working closely with law enforcement agencies, can deliver results. By going after the cybercriminals themselves instead of their servers, we ensured that permanent damage was done to the underground as a whole, rather than the relatively quick and easily repaired damage caused by infrastructure takedowns. We believe this is the way to attack cybercrime and make the Internet safer for all users.

Malware associated with the IP address 91.211.117.25:

Tags: arrest, SpyEye, takedown