Recent Trends from the Russian Underground

Being a successful hacker can be a very demanding profession. Maybe the most important trait required for this job is being innovative and keeping updated of recent trends. Just like in physical fitness – a couple of weeks away from of the gym, and you feel left out of the loop – such is the case with hacking. You take sick leave from the cybercrime scene for a brief period of time and when you return, you feel like a lot has changed. This scene is very dynamic: new threats and vulnerabilities are constantly being discovered and then patches and security updates released; new Trojans are sold on the underground and then the source code is leaked, rendering them of no interest anymore. Something is always going on.

This time, we want to draw your attention to recent trends identified on the Russian underground, from leading forums and other web-platforms.

Untitled

A Wider Variety of Crypt (Obfuscation) Services for sale on Trading Platforms

We have observed a sharp increase in threads offering crypt services for malware files lately. In the last month alone, we traced at least 20 active threads advertising crypt services for .exe or .dll files on different forums. There is a wide assortment and the prices are competitive. You can choose between a one-time service for $15 – $50 per file or a monthly subscription for a service starting at $150 for a new vendor and $500 for a well-known, time-honored service.

The main purpose of the crypt is to bypass AV, firewalls, browsers and malware detection, etc. and it is valid for 24-72 hours on average. Increased offerings of this service indicate a growing demand, which may be motivated by two main reasons: increased volume of activity linked to botnets and difficulty in bypassing security mechanisms that are becoming more sophisticated. Actually, we think it is a combination of the two – more and more cyber criminals are attracted to easy profits from running a botnet, while security firms try to fight back and refine their defense mechanisms. The crypt services happened to be in the right place at the right time to rake in the money.

More Malware Using Tor Browser

In recent months, new Tor-based malware has appeared on underground trading platforms. The newest is a TOR Android bot named “Slempo” and a TorLocker Ransomware (the first one rented for $500 per month after a connection cost of $1000 and the second one is sold for $200). Before that, we saw Atrax HTTP Tor Bot, whose admin panel is located on a TOR browser.

Using Tor hidden services provides anonymity to the botnet operator, as it is almost impossible to reveal the identities of TOR users. The disadvantage of this method is the large size of the malware files and the significant resources needed to manage such a botnet, owing to the integration of TOR.

As we see it, this may turn out to be quite an alarming trend, making the detection of botnets and their initiators that much more difficult.

Greater Focus Granted to Firmware Attacks

As previously mentioned, cyber-criminals wage a constant battle against evolving defense mechanisms. While more and more obstacles are placed in the path of the hacker seeking to access your PC, his path to firmware devices such as ATM and POS remains almost clear. The operating system of these devices is usually the common Windows XP, and due to their physical aspects (the possibility of inserting physical malware into an ATM, for instance), it is much harder to protect them.

Hackers have also discovered this vector – we were recently privy to numerous discussions about ways to attack ATMs, as well as an increasing number of POS malware for sale and download.

In our opinion, we may be witnessing a gradual shift in the main targets of cyber-criminals – from the personal PC to large-scale devices of organizations. Recent attacks executed via POS devices on Target, Neiman Marcus and other retailers merely corroborate this claim.

SenseCy is coming to town! Come meet us at the RSA USA 2014 conference, February 24-28, in San Francisco.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s