The Latest Trends in the Russian Underground – H1 2015 Summary

It is summer in Russia, and the time of the year when people head to the seaside on vacation for a couple of weeks’ break. The decline in activity can be clearly seen on the Russian-speaking forums and marketplaces dealing with cybercrime. Apparently, cybercriminals also take a rest from their online activities, just as they would from a regular full-time job. For us, it is the best time to perform a deep analysis of the main trends in the Russian underground boards during the first half of 2015. When preparing the insights from this analysis, our goal was to identify the main scope of interest on closed, Russian-speaking forums these days, as well as to pinpoint the shifts that have occurred in the last six months.

In order to draw conclusions, we analyzed the threads from the last six months from the four leading Russian forums. These forums mainly serve as a marketplace for attack tools and platforms, in addition to being a source of information and consultation for the forum members. Hereinafter, we tried to summarize the main topics of conversation on Russian marketplaces dedicated to cybercrime during the past six months:

Exploit Kits: In recent months, we have witnessed numerous attacks involving EK as the intrusion vector, including Angler, Neutrino, Nuclear, Magnitude and RIG. These EKs are constantly updated with new exploits.

While some EKs are offered for sale on trading boards, others are available exclusively to selected buyers via private sales, using the Jabber instant messaging system for example. For one case in point, RIG EK 3.0 is offered for a monthly rental fee of $700 on a closed Russian forum (this is considered an extremely low price). In comparison, Angler EK, AKA XXX is not advertised at all among Russian forum members on any of the closed forums.

RIG EK Statistics – screenshots published by the developer of the EK
RIG EK Statistics – screenshots published by the developer of the EK

Banking Trojans: During the last few months, we did not spot any new banking Trojans for sale on the Russian underground. The majority of recent attacks against the financial industry clients were perpetrated using DYRE or Dridex banking Trojans. Even though there is evidence that both were developed by Russian coders and are distributed among Russian-speaking criminals, we did not witness any commercial trading of these Trojans.

The two Trojans currently selling on Russian forums are Kronos, whose sales started back in the middle of 2014, and the new version of Tinba, which is based on source code leaked in the 2014 version.

Tinba banking Trojan offered for rent
Tinba banking Trojan offered for rent

Ransomware: Despite the fact that new campaigns distributing ransomware are uncovered on a regular basis, culminating in an FBI alert at the beginning of 2015, we did not see an elevated interest in this kind of malware on the Russian forums. The sales of CTB-Locker were ceased, at least publicly, probably because of the extensive media coverage. None of the ransomware tools that are widely used in the wild (TorrentLocker, Tesla Crypt, Cryptowall), are offered for sale on Russian marketplaces. The only two new ransomware tools offered during H1 2015 were GM Cryptolocker for Android-based devices and Azazel locker, for just $200. Both are relatively new and there has been no comprehensive feedback from buyers as yet.

The interface of GM Cryptolocker – ransomware for mobile platforms
The interface of GM Cryptolocker – ransomware for mobile platforms

RAT malware based on legitimate software – a clear new trend on the Russian underground is the development of malicious tools based on the source code of legitimate software for remote access (such as TeamViewer, AmmyAdmin, etc.). These tools are disguised as an update for the software or as a setup file. Additional tools traded on the forums exploit services and programs for remote control, such as RDS (Remote Desktop Services, RMS (Remote Manipulator System) and RDP (Remote Desktop Protocol).

To date, we have identified five different malicious tools of this kind for sale during the last six months. According to the sellers’ description, they are capable of bypassing defense mechanisms installed on the machine and gaining full access to it.

Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.
Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.

Loaders and Droppers – In recent months, we have identified a rise in this type of malware for sale on Russian underground forums. Generally, they it is spread via spam emails, and once installed on the system, serves as a tunnel for later installations of malicious programs. In this manner, defense mechanisms can be bypassed. One instance involving this malware was the infamous Andromeda, sold since 2011 to date for only $500. Andromeda was employed by the Carbanak group against financial targets. Aside from Andromeda, we also identified six new loaders and droppers offered for sale during the past six months.

Digital Certificates Trade – This phenomenon started as a sporadic sales thread, appearing occasionally on several forums during the last year. As demand expanded, trade in digital certificates evolved into a successful sub-category on Russian underground marketplaces. Recently, a dedicated online shop for trade in digital certificates was launched. The average price for one certificate is about 1.4 BTC.

The vigorous trade in these certificates demonstrates that they are quite useful for the purchasers, who use them to sign the malicious code they distribute and evade detection.

For obvious reasons, the sellers do not disclose the origin of the certificates, but claim they are authentic and were issued by a Certificate Authority (CA).

An online shop for digital certificates trade
An online shop for digital certificates trade

2 thoughts on “The Latest Trends in the Russian Underground – H1 2015 Summary

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s