Suspicious Domains Selling Tickets to the Tokyo 2020 Olympics

Tokyothumbnail_840x620

As a cloud of uncertainty still hangs over the opening of the Tokyo 2020 Olympics due to the Coronavirus pandemic, cyber criminals are still working (remotely) on finding ways to maliciously profit from the event.

Events at the center of global attention such as major sports events and tournaments are often used by attackers to trick users into phishing scams, malware campaigns and the theft of personal and payment details.

We have been monitoring potential threats to the upcoming Tokyo 2020 Olympics for our customers and we recently discovered two suspicious domains allegedly selling tickets for the Games. In both cases, further investigation led us to find additional suspicious domains allegedly selling tickets to the Euro 2020 tournament. In this blog post you can find a summary of our findings.

tickets-tokyo2020[.]com

The domain tickets-tokyo2020[.]com was created on February 11, 2020 by a private registrant at the NICENIC INTERNATIONAL GROUP domain registrar.

When accessing the domain, the user is presented with a page in Russian where the official logo of the 2020 Tokyo Olympics appears. It is also stated that this website is an “authorized Ticket Reseller” for the Olympics. However, we could not find this domain in the list of authorized resellers on the official website of the 2020 Olympics. The user can change the language of the website to English and the website contains search fields, where the user can search for a specific event in the Olympics, for which they are looking to purchase tickets. At the time of publishing this post, the search option does not appear to function, thus, it is possible the website is still under development. There is also a “cart” banner where the user is supposed to be able to view the selected tickets and pay for them.

tickets-tokyo-1-1024x562

tickets-tokyo2020[.]com

This domain is hosted on the 5.45.72[.]40 IP address, together with only two more domains: ticket-mafia[.]com and euro-2020-tickets[.]com. The ticket-mafia[.]com domain was created on November 2016, and until December 20, 2019, it was registered by a private registrant at the GoDaddy domain registrar. However, on December 20, 2019, its registry was updated by a private registrant and was registered at the same domain registrar as the tickets-tokyo2020[.]com domain, NICENIC INTERNATIONAL GROUP.

The ticket-mafia[.]com domain displays a login page in Russian. It is worth mentioning that when inserting HTTPS:// before the tickets-tokyo2020[.]com domain, we were presented with the same login page of ticket-mafia[.]com. There is no option to sign up and therefore we believe it is designed for a user with preset login credentials, presumably the admin of the websites. We estimate the login page leads to a backend dashboard of some kind, although it remains unknown whether it is used for legitimate purposes or not.

login-window-small

Login Window

The euro-2020-tickets[.]com domain was created on January 6, 2020, by a private registrant and is also registered at the NICENIC INTERNATIONAL GROUP domain registrar. This website resembles the tickets-tokyo2020[.]com: it is also presented in Russian and uses the official UEFA Euro 2020 logo, it enables the user to switch the language to English and it allows users to search for a specific match. However, in this case, the search function does work. Upon selecting a match and a seat, the user can select the “order” function and enter his name, phone number and email address and move on to the payment, yet the “Go to the payment” button does not work, as of the time of publishing this post. Of note, the official UEFA Euro 2020 website specifically states that “Third-party ticketing websites and secondary ticketing platforms are not authorized to sell tickets for UEFA EURO 2020”. Thus, it appears this website is not an official Euro 2020 tickets reseller and is not authorized to offer tickets for the tournament for sale.

euro-tickets2020-1

euro-2020-tickets[.]com

In light of these findings, we estimate that the above domains were created by the same actor. Our investigation did not reveal any malicious activity associated with these domains. However, it appears that these are not official resellers of tickets for the two events. In addition, as the search function in the Tokyo 2020 domain and the payment function in the Euro 2020 domain do not work, it appears that these domains are still under development, and thus could materialize into a more serious threat in the future.

olympic2020tickets[.]com

The code of a malicious HTML file recently uploaded to the VirusTotal platform, contained a link to the olympic2020tickets[.]com domain. This domain does not appear in the official website of the Tokyo 2020 Olympics as an official and authorized reseller. The website offers users to buy or sell tickets to the 2020 Tokyo Olympics. The website also displays the logos of some of the Olympics’ official sponsors, such as Toyota, Panasonic, Visa, Alibaba Group, and more. The use of the logos of the sponsors can increase the credibility of the website in the eyes of visitors, and trick them into thinking the website is a legitimate and official ticket reseller for the Games.

olympic2020tickets-1

olympic2020tickets[.]com

Using an HTML interpreter, we discovered that the above-mentioned malicious file uploaded to VirusTotal, contains the HTML code of the main page of olympic2020tickets[.]com. In addition, the olympic2020tickets[.]com domain itself is identified as malicious by three different anti-virus engines. Our technical analysis of the website’s code did not reveal any use of a malicious JavaScript. The website provides the following phone number for contact: +4402074425560. We identified two additional similar domains, eurosportstickets[.]com and ticketsmarketplace.co[.]uk, which provide the same phone number for contact, and are also dedicated to selling tickets to various sports events and games. As can be seen in the screenshots below, the three domains resemble each other in their structure and design. In addition, eurosportstickets[.]com is identified as a phishing website by two anti-virus engines.

eurosportstickets-1-1024x524

eurosportstickets[.]com

ticketsmarketplace-1

ticketsmarketplace[.]co.uk

None of the Whois details of the three domains, reveal the identity of the registrant. However, we noticed that two of the domains, olympic2020tickets[.]com and ticketsmarketplace[.]co.uk, are hosted on the same IP address, 77.72.1.20, while eurosportstickets[.]com is hosted on the approximate 77.72.1.21 IP address.

Using the graph function of VirusTotal, we managed to establish connections between the three domains and the IP addresses they are hosted on, as can be seen below. The graph also shows how this infrastructure is related to malicious activity, and how both IP addresses are used for downloading malware, such as the Tofsee backdoor, the Artemis malware or the QRat.

mapping-1024x711

Connections Between the Domains and Their Surrounding Malicious Infrastructure

 

The Awakening of PoS Malware (or, Has It Really Been Dormant?)

The peak of activity of Point-of-Sale (PoS) malware was in late 2013 (with the disclosure of the notorious Target breach), and over the course of 2014, when we witnessed the development and trade of new PoS malware strains. The vigorous discussions on hacking communities at the time, has led hackers to believe PoS malware would ensure them an easy profit. However, as time passed, Continue reading “The Awakening of PoS Malware (or, Has It Really Been Dormant?)”

What will The Dark Overlord Do Next – a CTI Assessment

On December 31, 2018, a cybercrime group going by the handle The Dark Overlord (hereafter TDO) claimed he had hacked an unnamed company, and exfiltrated a large volume of sensitive documents related to the 9/11 terror attacks-related lawsuits. TDOaims to extort the impacted organizations into paying a Bitcoin ransom and he already published batches of the leakage after creating a public auction system, where anyone can contribute Bitcoins to unlock new documents. Continue reading “What will The Dark Overlord Do Next – a CTI Assessment”

Cybercriminals Integrate Exploit for CVE-2018-8174 into Numerous Attack Tools

The CVE-2018-8174 vulnerability, also dubbed “Double Kill,” was discovered in the beginning of May 2018, when it was exploited as a 0-day in an APT attack leveraging malicious Office files in China. The vulnerability affects users with Internet Explorer installed, either after they browse the web or after they open crafted Office documents – even if the default browser on the victim’s machine is not set to IE. Moreover, it will also affect IE11, even though VBScript is no longer supported by using the compatibility tag for IE10. Microsoft patched the vulnerability on May 8, 2018. Continue reading “Cybercriminals Integrate Exploit for CVE-2018-8174 into Numerous Attack Tools”

Insider Threats – Sometimes it is your Colleagues, and not Remote Attackers

Insiders pose the most substantial threat to organizations everywhere, a recent across-the-board study conducted by IBM demonstrates. Although in the majority of the cases, the insider is an employee of the company, he could also be a third party, such as an external contractor, a consultant or a business partner. An insider generally has all the Continue reading “Insider Threats – Sometimes it is your Colleagues, and not Remote Attackers”

Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)

While monitoring closed platforms that propagate an Islamic State agenda, we detected an initial interest in hacking lessons, focusing on spam and phishing methods. Many discussions in the technical sections of closed platforms affiliated with the Islamic State deal with the implementation of Continue reading “Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)”

The Healthcare Sector is Targeted by Cybercriminals More than Ever

The healthcare sector has recently become a desirable target for cyber crooks. According to Symantec ISTR report statistics, healthcare was the most breached sub-sector in 2015, comprising almost 40% of all the attacks. Hospital security systems are generally less secure than those of financial organizations, as monetary theft has always been perceived as the greatest threat for organizations, and dangers to other sectors were usually underestimated. Moreover, awareness of cyber-attacks against hospitals and medical centers is much lower than it is to financial cybercrime, and as a result, the employees are less well-trained on how to avoid falling victim to a cyber-attack.

1
Top 10 Sub-Sectors Breached by Number of Incidents According to Symantec ISTR report

Only lately, this concept has started to be challenged, revealing the potential damage that can be caused by the theft and leakage of patient data. However, the ‘bad guys’ remain one step ahead and during the last few months, we have witnessed a spate of attacks targeting the healthcare industry: ransomware attacks encrypting essential data and demanding payment of a ransom, numerous data leakages revealing confidential patient data, unauthorized access to medical networks and even the hacking of medical devices, such as pumps and X-ray equipment.

Moreover, the healthcare sector is being targeted by hackers not only directly, but also via third-party companies in the supply chain, such as equipment and drug suppliers. These companies usually store some confidential data that originates in the hospitals’ databases and may even have access to the hospital IT systems, but they are far less secure than the hospitals themselves. Thus, they serve as a preferable infiltration point for malicious actors pursuing the theft of medical data and attempting to infiltrate the hospitals’ networks.

The consequences of attacks on the healthcare industry may be extensive, including the impairment of the medical center functioning, which may result in danger to human lives in the worst case scenario. In other cases, personal data will be stolen and sold on underground markets. Cybercriminals will take advantages of these personal details for identity theft or for future cyber-attacks combining social engineering based on the stolen details.

While monitoring closed Deep-Web and Darknet sources, SenseCy analysts recently noticed a growing interest toward the healthcare sector among cyber criminals. Databases of medical institutions are traded on illicit marketplaces and closed forums, along with access to their servers. In the last few months alone, we came across several occurrences indicating extensive trade of medical records and access to servers where this data is stored.

The first case, in May 2016, was the sale of RDP access for a large clinic group with several branches in the central U.S., which was offered for sale on a Darknet closed forum. For a payment of $50,000 Bitcoins, the buyer would receive access to the compromised workstation, with access to 3 GB of data stored on four hard disks. Additionally, the workstation allows access to an aggregate electronical system (EHR) for managing medical records, where data regarding patients, suppliers, payments and more can be exploited.

Although the seller did not mention the origin of the credentials he was selling, he claimed that local administrator privileges could be received on the compromised system. He also specified that 45 users from the medical personnel were logged into the system from the workstation he hacked.

The relatively high price for this offer indicates the high demand for medical information. With RDP access, the potential attackers can perform any action on the compromised workstation: install malware, encrypt the files or erase them, infect other machines in the network and access any data stored in the network. The consequences can be tremendous.

2
An excerpt of the sale thread posted on a Darknet forum

 

3
Screenshot allegedly taken on the hacked workstation

Just a few weeks later, in June 2016, our analysts detected another cyber-accident related to healthcare. This time, three databases allegedly stolen via an RDP access to a medical organization were offered for sale for more than $500,000 on a dedicated Darknet marketplace. In one of his posts, the seller claimed that one of the databases belongs to a large American health insurer.

4
One of the sales posts on a Darknet marketplace
5
Screenshot posted by the seller as a proof of hacking into a medical organization

Before long, we again discovered evidence of hacking into a medical-related organization, this time by Russian-speaking hackers. On one of the forums we monitor, a member tried to sell an SSH access to the server of an American company supplying equipment to 130 medical center in the U.S. He uploaded screenshots proving that he accessed the server where personal data of patients is stored.

The conclusions following these findings are concerning. An extensive trade in medical information and compromised workstations and servers is a common sight on underground illegal markets. This business generates hundreds of thousands, if not millions of dollars annually, ensuring its continuation as long as there are such high profits to those involved. Since the ramifications can be grave, the healthcare sector must take all necessary measures to protect their systems and data:

  1. Implement a strong password policy, because many hacks are a result of brute-force attack. Strong passwords and two-factor authentications to log into organizational systems should be the number one rule for medical organizations.
  2. Deploy suitable security systems.
  3. Instruct the employees to follow cyber security rules – choosing strong and unique passwords, spotting phishing email messages, avoiding clicking on links and downloading files from unknown sources, etc. Consider periodic training for employees on these issues to maintain high awareness and compliance with the rules.
  4. Use Cyber Threat Intelligence (CTI) – to keep up with the times regarding the current most prominent threats to your organization and industry.
  5. Keep all software updated.

ORX-Locker – A Darknet Ransomware That Even Your Grandmother Can Use

Written by Ran L. and Mickael S.

The bar for becoming a cyber-criminal has never been so low. Whether buying off-the-shelf malware or writing your own, with a small investment, anyone can make a profit. Now it seems that the bar has been lowered even further with the creation of a new Darknet site that offers Ransomware-as-a-Service (RaaS), titled ORX-Locker.

Ransomware-as-a-Service enables a user with no knowledge or cash to create his own stubs and use them to infect systems. If the victim decides to pay, the ransom goes to the service provider, who takes a percent of the payment and forwards the rest to the user. For cyber-criminals, this is a win-win situation. The user who cannot afford to buy the ransomware or does not have the requisite knowledge can acquire it for free, and the creator gets his ransomware spread without any effort from his side.

This is not the first time we have seen this kind of service. McAfee previously (May, 2015) reported on Tox. While Tox was the first ransomware-as-a-service, it seems that ORX has taken the idea one step further, with AV evasion methods and complex communication techniques, and apparently also using universities and other platforms as its infrastructure.

In the “August 2015 IBM Security IBM X-Force Threat Intelligence Quarterly, 3Q 2015,” published on Monday (August 24, 2015), IBM mentioned TOX while predicting: “This simplicity may spread rapidly to more sophisticated but less common ransomware attack paradigms and lead to off-the-shelf offerings in the cloud.” Just one day later, a post was published on a closed Darknet forum regarding the new ORX-Locker service.

ORX – First Appearance

On August 25, 2015, a user dubbed orxteam published a post regarding the new ransomware service. The message, which was part of his introduction post – a mandatory post every new user has to make to be accepted to the forum – described the new ORX-Locker ransomware as a service platform. In the introduction, the user presented himself as Team ORX, a group that provides private locker software (their name for ransomware) and also ransomware-as-a-service platform.

ORX team introduction post in a closed Darknet hacking forum.
ORX Team introduction post in a closed Darknet hacking forum.

ORX Locker Online Platform

Team ORX has built a Darknet website dedicated to the new public service. To enter the site, new users just need to register. No email or other identification details are required. Upon registration, users have the option to enter a referral username, which will earn them three percent from every payment made to the new user. After logging in, the user can move between five sections:

Home – the welcome screen where you users can see statistics on how much system has been locked by their ransom, how many victims decided to pay, how much they earned and their current balance.

Build EXE – Team ORX has made the process of creating a stub so simple that the only thing a user needs to do is to enter an ID number for his stub (5 digits max) and the ransom price (ORX put a minimum of $75). After that, the user clicks on the Build EXE button and the stub is created and presented in a table with all other stubs previously created by the user.

ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.
ORX-Locker Darknet platform, which enables every registered user to build his own ransomware stub.

Stats – This section presents the user with information on systems infected with his stub, including the system OS, how many files have been encrypted, time and date of infection, how much profit has been generated by each system, etc.

Wallet – following a successful infection, the user can withdraw his earnings and transfer them to a Bitcoin address of his choosing.

Support – This section provides general information on the service, including more information on how to build the stub and a mail address (orxsupport@safe-mail[.]net) that users can contact if they require support.

Ransomware

When a user downloads the created stub, he gets a zip file containing the stub, in the form of an “.exe” file. Both the zip and the stub names consist of a random string, 20-characters long. Each file has a different name.

Once executed, the ransomware starts communicating with various IP addresses. The following is a sample from our analysis:

  1. 130[.]75[.]81[.]251 – Leibniz University of Hanover
  2. 130[.]149[.]200[.]12 – Technical University of Berlin
  3. 171[.]25[.]193[.]9 – DFRI (Swedish non-profit and non-party organization working for digital rights)
  4. 199[.]254[.]238[.]52 – Riseup (Riseup provides online communication tools for people and groups working on liberatory social change)

As you can see, some of the addresses are related to universities and others to organizations with various agendas.

Upon activation, the ransomware connects to the official TOR project website and downloads the TOR client. The malware then transmits data over this channel. Using hidden services for communication is a trend that has been adopted by most known ransomware tools in the last year, as was the case of Cryptowall 3.0. In our analysis, the communication was over the standard 9050 port and over 49201.

The final piece would be the encryption of files on the victim’s machine. Unlike other, more “target oriented” ransomware, this particular one locks all files, changing the file ending to .LOCKED and deletes the originals.

When the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted, and a payment instruction file will be created on the desktop.

After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted
After the ransomware finishes encrypting the files, a message will popup announcing that all the files were encrypted

In the payment instruction file (.html), the victim receives a unique payment ID and a link to the payment website, located on the onion network (rkcgwcsfwhvuvgli[.]onion). After entering the site using the payment ID, the victim receives another set of instructions in order to complete the payment.

ORX-Locker payment platform which has a dedicated site located on the onion network.
ORX-Locker payment platform, which has a dedicated site located on the onion network.

Finally, although some basic persistence and anti-AV mechanisms are present, the malware still has room to “grow.” We are certain that as its popularity grows, more developments and enhancements will follow.

YARA rule:

rule ORXLocker
{
meta:
author = “SenseCy”
date = “30/08/15”
description = “ORXLocker_yara_rule”

strings:
$string0 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 34 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 64 2e 25 64 2e 25 64 2e 25 64 3a 25 64 2e 20 28 25 64 29 2c 20 72 65 71 75 65 73 74 20 72 65 6a 65 63 74 65 64 20 62 65 63 61 75 73 65 20 74 68 65 20 63 6c 69 65 6e 74 20 70 72 6f 67 72 61 6d 20 61 6e 64 20 69 64 65 6e 74 64 20 72 65 70 6f 72 74 20 64 69 66 66 65 72 65 6e 74 20 75 73 65 72 2d 69 64 73 2e}
$string1 = {43 61 6e 27 74 20 63 6f 6d 70 6c 65 74 65 20 53 4f 43 4b 53 35 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 6f 20 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 30 32 78 25 30 32 78 3a 25 64 2e 20 28 25 64 29}
$string2 = {53 4f 43 4b 53 35 3a 20 73 65 72 76 65 72 20 72 65 73 6f 6c 76 69 6e 67 20 64 69 73 61 62 6c 65 64 20 66 6f 72 20 68 6f 73 74 6e 61 6d 65 73 20 6f 66 20 6c 65 6e 67 74 68 20 3e 20 32 35 35 20 5b 61 63 74 75 61 6c 20 6c 65 6e 3d 25 7a 75 5d}
$string3 = {50 72 6f 78 79 20 43 4f 4e 4e 45 43 54 20 66 6f 6c 6c 6f 77 65 64 20 62 79 20 25 7a 64 20 62 79 74 65 73 20 6f 66 20 6f 70 61 71 75 65 20 64 61 74 61 2e 20 44 61 74 61 20 69 67 6e 6f 72 65 64 20 28 6b 6e 6f 77 6e 20 62 75 67 20 23 33 39 29}
$string4 = {3c 61 20 68 72 65 66 3d 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3e 68 74 74 70 73 3a 2f 2f 72 6b 63 67 77 63 73 66 77 68 76 75 76 67 6c 69 2e 74 6f 72 32 77 65 62 2e 6f 72 67 3c 2f 61 3e 3c 62 72 3e}
$string5 = {43 3a 5c 44 65 76 5c 46 69 6e 61 6c 5c 52 65 6c 65 61 73 65 5c 6d 61 69 6e 2e 70 64 62}
$string6 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 6f 66 73 74 72 65 61 6d 40 44 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 44 40 73 74 64 40 40 40 73 74 64 40 40}
$string7 = {2e 3f 41 56 3f 24 62 61 73 69 63 5f 69 6f 73 40 5f 57 55 3f 24 63 68 61 72 5f 74 72 61 69 74 73 40 5f 57 40 73 74 64 40 40 40 73 74 64 40 40}
$string8 = “ttp://4rhfxsrzmzilheyj.onion/get.php?a=” wide
$string9 = “\\Payment-Instructions.htm” wide

condition:
all of them
}

The Latest Trends in the Russian Underground – H1 2015 Summary

It is summer in Russia, and the time of the year when people head to the seaside on vacation for a couple of weeks’ break. The decline in activity can be clearly seen on the Russian-speaking forums and marketplaces dealing with cybercrime. Apparently, cybercriminals also take a rest from their online activities, just as they would from a regular full-time job. For us, it is the best time to perform a deep analysis of the main trends in the Russian underground boards during the first half of 2015. When preparing the insights from this analysis, our goal was to identify the main scope of interest on closed, Russian-speaking forums these days, as well as to pinpoint the shifts that have occurred in the last six months.

In order to draw conclusions, we analyzed the threads from the last six months from the four leading Russian forums. These forums mainly serve as a marketplace for attack tools and platforms, in addition to being a source of information and consultation for the forum members. Hereinafter, we tried to summarize the main topics of conversation on Russian marketplaces dedicated to cybercrime during the past six months:

Exploit Kits: In recent months, we have witnessed numerous attacks involving EK as the intrusion vector, including Angler, Neutrino, Nuclear, Magnitude and RIG. These EKs are constantly updated with new exploits.

While some EKs are offered for sale on trading boards, others are available exclusively to selected buyers via private sales, using the Jabber instant messaging system for example. For one case in point, RIG EK 3.0 is offered for a monthly rental fee of $700 on a closed Russian forum (this is considered an extremely low price). In comparison, Angler EK, AKA XXX is not advertised at all among Russian forum members on any of the closed forums.

RIG EK Statistics – screenshots published by the developer of the EK
RIG EK Statistics – screenshots published by the developer of the EK

Banking Trojans: During the last few months, we did not spot any new banking Trojans for sale on the Russian underground. The majority of recent attacks against the financial industry clients were perpetrated using DYRE or Dridex banking Trojans. Even though there is evidence that both were developed by Russian coders and are distributed among Russian-speaking criminals, we did not witness any commercial trading of these Trojans.

The two Trojans currently selling on Russian forums are Kronos, whose sales started back in the middle of 2014, and the new version of Tinba, which is based on source code leaked in the 2014 version.

Tinba banking Trojan offered for rent
Tinba banking Trojan offered for rent

Ransomware: Despite the fact that new campaigns distributing ransomware are uncovered on a regular basis, culminating in an FBI alert at the beginning of 2015, we did not see an elevated interest in this kind of malware on the Russian forums. The sales of CTB-Locker were ceased, at least publicly, probably because of the extensive media coverage. None of the ransomware tools that are widely used in the wild (TorrentLocker, Tesla Crypt, Cryptowall), are offered for sale on Russian marketplaces. The only two new ransomware tools offered during H1 2015 were GM Cryptolocker for Android-based devices and Azazel locker, for just $200. Both are relatively new and there has been no comprehensive feedback from buyers as yet.

The interface of GM Cryptolocker – ransomware for mobile platforms
The interface of GM Cryptolocker – ransomware for mobile platforms

RAT malware based on legitimate software – a clear new trend on the Russian underground is the development of malicious tools based on the source code of legitimate software for remote access (such as TeamViewer, AmmyAdmin, etc.). These tools are disguised as an update for the software or as a setup file. Additional tools traded on the forums exploit services and programs for remote control, such as RDS (Remote Desktop Services, RMS (Remote Manipulator System) and RDP (Remote Desktop Protocol).

To date, we have identified five different malicious tools of this kind for sale during the last six months. According to the sellers’ description, they are capable of bypassing defense mechanisms installed on the machine and gaining full access to it.

Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.
Screenshot from a video uploaded by the seller of TVSpy, a RAT based on TeamViewer software. The video presents the malware in action.

Loaders and Droppers – In recent months, we have identified a rise in this type of malware for sale on Russian underground forums. Generally, they it is spread via spam emails, and once installed on the system, serves as a tunnel for later installations of malicious programs. In this manner, defense mechanisms can be bypassed. One instance involving this malware was the infamous Andromeda, sold since 2011 to date for only $500. Andromeda was employed by the Carbanak group against financial targets. Aside from Andromeda, we also identified six new loaders and droppers offered for sale during the past six months.

Digital Certificates Trade – This phenomenon started as a sporadic sales thread, appearing occasionally on several forums during the last year. As demand expanded, trade in digital certificates evolved into a successful sub-category on Russian underground marketplaces. Recently, a dedicated online shop for trade in digital certificates was launched. The average price for one certificate is about 1.4 BTC.

The vigorous trade in these certificates demonstrates that they are quite useful for the purchasers, who use them to sign the malicious code they distribute and evade detection.

For obvious reasons, the sellers do not disclose the origin of the certificates, but claim they are authentic and were issued by a Certificate Authority (CA).

An online shop for digital certificates trade
An online shop for digital certificates trade

Brazilian Trojans Poised to Spread around the World

When we talk about Brazil, we no longer think only Carnival and caipiriña, or the favelas (slums) that came into being as a result of the highly unequal distribution of income. Bearing in mind that Brazil is one of the largest countries in the world, a major new concern has arisen as the Internet and technological devices are being used to find fast ways to earn money.

In 2014, Brazil was listed as the country with the most number of attacked users. Kaspersky identified over 90,000 attacks in Brazil, with Russia in second place.

Brzail_number_of_attacksCybercrime has combined the creativity of Brazilian hackers with new forms of illegal activities, specifically online bank fraud, turning the country into a producer of Trojan malware. The increased variety of Trojans produced in Brazil is becoming a trend. Hackers are spreading their tools via hacking communities, by selling or simply sharing tools, tutorials and tips for using Trojans as a means to intercept information on users and their banks. They use social network platforms, personal blogs or “security information web sites,” IRC channels and the forums on the deep web where “laranjas” (oranges in Portuguese, used to denominate a tool/card trader) do business to sell the malware or the stolen data.

A hacker asks for help in generating Boletos, a payment method consisting with bank tickets, commonly used in Brazil
A hacker asks for help in generating Boletos, a payment method consisting with bank tickets, commonly used in Brazil

While hackers from other countries use malware tools such as Zeus, the uniqueness of the Brazilian hackers is that they develop specific, personalized codes targeting banking frauds. They also find creative ways to use software to access their targets, with the aim of stealing bank accounts. CPL is one of these innovations – a legitimate Windows Control Panel file is being used by cybercriminals to spread banking Trojans targeting Brazilian users.

Cybercriminals send fake emails, using social engineering techniques designed to mislead users. Usually, the email content is a document with a quotation, invoice or receipt, information on a debt or a banking situation, or digital payment instruments used in Brazil, such as Boleto bancário or Electronic tax note, file photographs, videos or similar.

An example for the use of the CPL malware in a phishing email
An example for the use of the CPL malware in a phishing email

The fact that Brazil has the highest percentage of online banking users has also contributed to the development of different personalized attacks. As a result, banking Trojans have become the number one threat in Brazilian cybercrime. As previously demonstrated in the Brazilian malware arena, some code writers spread their viruses around the world. The security sector, in this case the banking sector, must be aware of the possible dangers and increase their efforts to protect their clients.