Source Code of Ratopak/Pegasus Spyware Targeting the Financial Sector Recently Leaked

On July 6, 2018, a post claiming to contain the source code of Carbanak group malware was published on a Russian-speaking underground forum. Soon after the sharing of the code on the Russian underground, it was uploaded by an unknown actor to the text-sharing platform Pastebin, making it accessible to all. At the same time, malware researchers analyzing the shared code discovered the malware is not one used by the Carbanak group, but rather, it is the Ratopak/Pegasus spyware, used in attacks against Russian banks in 2016.

#OpIcarus – a War against the Global Financial Sector

During May 2016, we witnessed the second phase of the #OpIcarus cyber campaign against banks around the world, launched by the Anonymous collective in February 2016. The participants carried out DDoS attacks against bank websites in various countries on a daily basis. Several cyber-attacks succeeded in shutting down the websites of central banks in Greece, Cyprus and other countries.

Platforms

The initiators created two Facebook event pages and opened an IRC channel to coordinate their cyber-attacks. Approximately 2,000 participants joined the #OpIcarus event pages, but many more hacktivists expressed their support of this campaign via their social media accounts. With regard to the dedicated IRC channel, it appears not to have been as active as the campaign platforms in Facebook and Twitter.

From the #OpIcarus IRC Channel

Attacks and Tools

According to news reports, #OpIcarus participants shut down bank websites around the world on a daily basis. We cannot confirm that all of the mentioned banks’ websites were actually offline due to the participants’ DDoS attacks, but we wish to point out several incidents that caught our attention.

A member of the Ghost Squad Hackers group dubbed s1ege took responsibility for shutting down the email server of the Bank of England. The bank did respond to this attack, but according to news reports, the bank’s mail server was offline on May 13, 2016.

Member of Ghost Squad Hackers claimed they shut down the mail server of the Bank of England

In addition, according to a single news report shared on various Facebook accounts, Chase Bank ATMs stopped working on May 14, 2016, as a result of the Anonymous collective cyber activity. The Twitter account of Chase Bank’s technical support tweeted that their ATMs did not accept any deposits on this day, but they did not mention what had caused the problem. Meanwhile, the Ghost Squad Hackers group tweeted that the incident was part of the #OpIcarus campaign.

Chase Bank’s technical support tweeted about a problem with their ATMs
Ghost Squad Hackers claimed that Chase ATMs were hacked during #OpIcarus

Additionally, s1ege claimed on May 18, 2016, that they had shut down a website related to the NYSE. The NYSE Twitter account tweeted that they had experienced a technical issue in one of their trading units. They did not mention what had caused the problem. Therefore, it is unclear if there is any connection to the Ghost Squad Hackers group, aside from the latter’s claim of responsibility.

A member of Ghost Squad Hackers claimed they hacked a website related to the NYSE
The NYSE announced that they had a technical issue that affected their daily activity

With regard to the attack tools, the participants used a variety of DDoS tools, some of which were simple online tools with no sophisticated DDoS abilities. However, there were indications that they also used DDoS-as-a-Service (DaaS) platforms, such as Booters/Stressers, which require payment and registration. In addition, the New World Hackers (NWH) team, which took responsibility for shutting down the HSBC Bank website on January 29, 2016, supported the #OpIcarus campaign.

A call to use Booters on an #OpIcarus event page

This campaign gained high popularity among hacktivists from all over the world who were motivated to DDoS bank websites in protest against corruption and other issues. It is possible that the initiators will decide to launch an additional phase of this campaign, since one of them claimed in an interview that “Operation Icarus will continue as long as there are corrupt and greedy banks out there.”

The Latest Trends in the Russian Underground – H1 2015 Summary

It is summer in Russia, and the time of the year when people head to the seaside on vacation for a couple of weeks’ break. The decline in activity can be clearly seen on the Russian-speaking forums and marketplaces dealing with cybercrime. Apparently, cybercriminals also take a rest from their online activities, just as they would from a regular full-time job. For us, it is the best time to perform a deep analysis of the main trends in the Russian underground boards during the first half of 2015. When preparing the insights from this analysis, our goal was to identify the main scope of interest on closed, Russian-speaking forums these days, as well as to pinpoint the shifts that have occurred in the last six months.

In order to draw conclusions, we analyzed the threads from the last six months on the four leading Russian forums. These forums mainly serve as a marketplace for attack tools and platforms, in addition to being a source of information and consultation for the forum members. Below, we summarize the main topics of conversation on Russian marketplaces dedicated to cybercrime during the past six months:

Exploit Kits: In recent months, we have witnessed numerous attacks involving EK as the intrusion vector, including Angler, Neutrino, Nuclear, Magnitude and RIG. These EKs are constantly updated with new exploits.

While some EKs are offered for sale on trading boards, others are available exclusively to selected buyers via private sales, for example using the Jabber instant messaging system. As a case in point, RIG EK 3.0 is offered for a monthly rental fee of $700 on a closed Russian forum (this is considered an extremely low price). In comparison, Angler EK, AKA XXX, is not advertised at all among Russian forum members on any of the closed forums.

RIG EK Statistics – screenshots published by the developer of the EK

Banking Trojans: During the last few months, we did not spot any new banking Trojans for sale on the Russian underground. The majority of recent attacks against the financial industry clients were perpetrated using DYRE or Dridex banking Trojans. Even though there is evidence that both were developed by Russian coders and are distributed among Russian-speaking criminals, we did not witness any commercial trading of these Trojans.

The two Trojans currently selling on Russian forums are Kronos, whose sales started back in the middle of 2014, and the new version of Tinba, which is based on the source code of the 2014 version that was leaked.

Tinba banking Trojan offered for rent

Ransomware: Despite the fact that new campaigns distributing ransomware are uncovered on a regular basis, culminating in an FBI alert at the beginning of 2015, we did not see an elevated interest in this kind of malware on the Russian forums. Sales of CTB-Locker ceased, at least publicly, probably because of the extensive media coverage. None of the ransomware tools that are widely used in the wild (TorrentLocker, TeslaCrypt, CryptoWall) are offered for sale on Russian marketplaces. The only two new ransomware tools offered during H1 2015 were GM Cryptolocker for Android-based devices and Azazel locker, for just $200. Both are relatively new and there has been no comprehensive feedback from buyers as yet.

The interface of GM Cryptolocker – ransomware for mobile platforms

RAT malware based on legitimate software – a clear new trend on the Russian underground is the development of malicious tools based on the source code of legitimate remote access software (such as TeamViewer, Ammyy Admin, etc.). These tools are disguised as an update for the software or as a setup file. Additional tools traded on the forums exploit services and programs for remote control, such as RDS (Remote Desktop Services), RMS (Remote Manipulator System) and RDP (Remote Desktop Protocol).

To date, we have identified five different malicious tools of this kind for sale during the last six months. According to the sellers’ description, they are capable of bypassing defense mechanisms installed on the machine and gaining full access to it.

Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.

Loaders and Droppers – In recent months, we have identified a rise in this type of malware for sale on Russian underground forums. Generally, they are spread via spam emails and, once installed on the system, serve as a channel for the later installation of other malicious programs. In this manner, defense mechanisms can be bypassed. One instance of this malware is the infamous Andromeda, sold since 2011 to date for only $500. Andromeda was employed by the Carbanak group against financial targets. Aside from Andromeda, we also identified six new loaders and droppers offered for sale during the past six months.

Digital Certificates Trade – This phenomenon started as a sporadic sales thread, appearing occasionally on several forums during the last year. As demand expanded, trade in digital certificates evolved into a successful sub-category on Russian underground marketplaces. Recently, a dedicated online shop for trade in digital certificates was launched. The average price for one certificate is about 1.4 BTC.

The vigorous trade in these certificates demonstrates that they are quite useful for the purchasers, who use them to sign the malicious code they distribute and evade detection.

For obvious reasons, the sellers do not disclose the origin of the certificates, but claim they are authentic and were issued by a Certificate Authority (CA).

An online shop for digital certificates trade

Ukraine Accuses Russia of Invasion – Ukrainian Hackers Set to Retaliate

Earlier today (August 28, 2014) Ukrainian President Petro Poroshenko said that Russia has sent troops to eastern Ukraine. Ukrainian hacker groups are quickly aiming to retaliate – Anonymous Ukraine plans to attack a number of Russian bank websites and the official websites of the Russian President. The first target was sberbank.ru, and the attack was planned to take place on August 28 at 16:00.

Anonymous Ukraine is threatening to carry out DDoS attacks

Other websites on the list include:

Threats to wage cyber attacks on sberbank.ru

The “Week of Horror” Cyber Campaign

Written by Hila Marudi

The Tunisian Hackers Team has threatened to hack the U.S. financial sector during the “Week of Horror” campaign, scheduled to begin on July 5, 2014.


The group published an official target list and attack schedule. According to the timetable, every day during this week another U.S. bank will be attacked by DDoS for an eight-hour period.

| Bank | Website | Date | Time |
|---|---|---|---|
| Whitney Bank | http://www.whitneybank.com | July 5, 2014 | 13:00 GMT |
| Union Bank | http://www.unionbank.com | July 6, 2014 | 13:00 GMT |
| Zions Bank | http://www.zionsbank.com | July 7, 2014 | 13:00 GMT |
| New York Community Bank | http://www.mynycb.com | July 8, 2014 | 13:00 GMT |
| TCF Bank | http://www.tcfbank.com | July 9, 2014 | 13:00 GMT |
| Prosperity Bank | http://www.prosperitybankusa.com | July 10, 2014 | 13:00 GMT |
| Banner Bank | http://www.bannerbank.com | July 11, 2014 | 13:00 GMT |

The group demands that the U.S. withdraw its soldiers from Islamic countries, or they will attack U.S. targets, such as airport computers. The group also demanded that the U.S. respond via the group’s Twitter account, @xhckerTN.

Press release by the group

The “Liberalization” of Cyber Crime

Written by Yotam Gutman

The British Bankers Association (BBA) announced last week that robberies at British banks have fallen by more than 90 per cent in less than two decades (http://www.bba.org.uk/media/article/the-decline-of-the-british-bank-robber).

The decrease in bank robberies has been mirrored in the United States, where FBI figures put the number of bank robberies nationwide at 3,870 in 2012 – the lowest in decades. However, while violent bank robberies are dropping, banks and other financial institutions are being increasingly targeted by cyber-criminals.

This switch can be attributed to improved bank security on the one hand and, on the other hand, to the combination of the relative ease of perpetrating cyber theft and the less severe punishment inflicted on convicted cybercriminals. Check the following comparison table to see which pros and cons are weighed by would-be criminals before they decide whether to engage in real or virtual (cyber) crime:

| Criteria | Cyber theft | Actual bank robbery |
|---|---|---|
| Danger level | Damage to the eyes due to many hours gazing at the screen | High probability of injury or mortality |
| Difficulty | Not that hard | Very hard to execute flawlessly |
| Potential financial value | Endless | Limited to how much you can carry |
| Potential punishment | Perhaps a few years in a low security prison, where you are likely to enroll in an “Internet” course | 20 years in a maximum security prison, small cell with a roommate named “Axe” |
| Location | The comfort of your home | Some run-down bank branch |
| Previous know-how | None required | Guns, bank security procedures, driving |
| Appeals to | Script-kiddies to bored teenagers to Russian mobsters | Violent, adrenaline-seeking disregard for the law |

However, this only tells a part of the story. The real revelation is not how widespread cyber theft has become, but how easy it has become to execute.

Although the notion within the general public is that cybercrimes, and especially theft from banks, are committed by highly skilled computer experts, the truth is that today one does not need special skills to become a cybercriminal, just the desire, courage and some basic IT skills (some initial funding wouldn’t hurt either).

We have repeatedly identified attack tools sold on underground platforms that make cyber-theft child’s play. One simply needs to buy (or rent) these tools and activate them to start generating cash (and breaking the law). For instance, during March 2013 a veteran member of a Russian password-protected forum offered a MitB (Man-in-the-Browser) service for different bank sites and other sites where credit cards are used. The victim’s details are stolen when he tries to browse his bank’s site, by planting a fake page in place of the real one. In May that year, another tool named MMBB (Money-maker Bank Bot) was offered on another forum, this time without the need to download and install the tool but as a (criminal) service. Pricing options vary according to the service level – the basic package is priced at $4,999 (per month), but a more comprehensive package, including a 24/7 helpdesk, costs $6,499 a month. True, these are hefty sums, but when measured against the possible income of the would-be cybercriminal they pale in comparison.

Cybercrime is undergoing a rapid liberalization process, meaning that the capabilities that were once reserved for an elite few are now at the disposal of practically anyone (with motivation and Internet access).

The outlook for the future isn’t rosy. With more and more people around the world gaining access to computers and the web, the number of potential victims is quickly rising. With cybercrime tools becoming more commonplace, more people will surely exploit this fact to try and generate quick cash (or virtual cash) with the aid of the tools sold on the underground.