Cybercrime Gang Recruiting Botmasters for Large-Scale MiTM Attacks on American Banks

2012-10-04T16:15:30
ID THREATPOST:BF082EADC52F7AC9685188178007F9ED
Type threatpost
Reporter Michael Mimoso
Modified 2013-04-17T16:31:26

Description

A slew of major American banks, some already stressed by a stream of DDoS attacks carried out over the past 10 days, may soon have to brace themselves for a large-scale coordinated attack bent on pulling off fraudulent wire transfers.

RSA’s FraudAction research team has been monitoring underground chatter and has put together various clues to deduce that a cybercrime gang is actively recruiting up to 100 botmasters to participate in a complicated man-in-the-middle hijacking scam using a variant of the proprietary Gozi Trojan.

This is the first time a private cybercrime organization has recruited outsiders to participate in a financially motivated attack, said Mor Ahuvia, cybercrime communications specialist for RSA FraudAction. The attackers are promising their recruits a cut of the profits, and are requiring an initial investment in hardware and training in how to deploy the Gozi Prinimalka Trojan, Ahuvia added. Also, the gang will only share executable files with their partners, and will not give up the Trojan’s compilers, keeping the recruits dependent on the gang for updates

Generally, cybercrime gangs deploy as few as five individual botmasters to help in successful campaigns; with this kind of scale, banks could be facing up 30 times the number of compromised machines and fraudulent transfers, if the campaign is successful.

“This Trojan is not well known. This is not SpyEye or Citadel; it’s not available for everyone to buy,” Ahuvia said. “Security vendors and antivirus signatures are less likely to catch it or be familiar with it. It will be tricky for vendors to detect and block it. This gang is keeping a tight hold on the compiler. By only giving up executable files, they can control how any antivirus signatures are in the wild and keep unique signatures to a minimum.”

As many as 30 banks have been targeted, many of them well known and high profile, Ahuvia said. RSA said the gang is targeting American banks because of past success in beating their defenses, as well as a lack of two-factor authentication required for wire transfers.Some European banks, for example, require consumers to use two-factor authentication. She added that RSA FraudAction was unsure how far along the recruitment campaign had gone, or when the attacks would launch.

“There is the chance that once we’ve gone public, they may abandon their plans because there’s too much buzz around it,” Ahuvia said. “On the other hand, I don’t think anything we know will have such a dramatic effect on them. There are so many Trojans available and so many points of failure in security that could go wrong, that they’d still have some chance of success.”

RSA’s researchers were able to make the connection to the Gozi Prinimalka Trojan, which has been in circulation since 2008 and responsible for $5 million in fraud-related losses. Prinimalka is similar to the Gozi Trojan in technical and operational aspects, RSA said, leading to speculation the HangUp Team, which was tied to previous Gozi attacks, is behind this attack as well. Prinimalka is Russian for the word “receive” and is a folder name in every URL patch given by this particular gang to its crimeware servers.

Prinimalka uses the same bot-to-server communication pattern and URL trigger list as Gozi, RSA said. But deployment of the two Trojans is different: Gozi writes a single DLL file to bots upon deployment, while Prinimalka writes two, an executable file and a DAT file which reports to the command and control server.

Once the Trojan is launched, the botmaster fires up a virtual machine synching module. The module then duplicates the victim’s computer, including identifiable features such as time zone, screen resolution, cookies, browser type and version, and software identification, RSA said. This allows the botmaster to impersonate the victim’s machine and access their accounts. Access is carried out over a SOCKS proxy connection installed on the victim’s machine, RSA said.

The cloned virtual system then can move about on the genuine IP address of the compromised machine when accessing the bank website. Taking it a step further, the attackers deploy VoIP phone flooding software that will prevent the victim from receiving a confirmation call or text alerting them to unusual transfer activity, RSA said.

“They are looking for this to be a quick campaign,” Ahuvia said. “They want to make as much as they can until the banks and users harden their systems. They want to cash out quickly.”