Rooted CON 2014, 6-7-8 March
50 Shades of Crimeware
Manu Quintans – Frank Ruiz
WHO ARE WE?
Manu Quintans - Threat Intelligence Manager at Buguroo / Deloitte
Frank Ruiz - Intelligence Analyst at Fox IT
And… yes, we hunt malware like a sir.
INDEX
What we know about Cyber-Crime?
It's time to get back to reality.
Understand Cyber-Crime activities.
Previously on … 2013
Reality bites
Cyber-Crime Evolutions – 2013-2014
New trends at Cyber-Crime
Examples (We have a Target…)
Infrastructure
Demo Time (Yeah! We have a demo, please release your smartphone and enjoy…)
What we know about Cyber-Crime?
Brian Krebs Post Life Cycle
WE NEED DIAGRAM.
It's time to get back to reality.
Understand Cyber-Crime activities.
LAYER #1 – The Undercoat (Just for Kiddies)
HackForums
Exploit.IN
Antichat.RU
Damagelabs
DarkCode
Indetectables
LAYER #2 – The Limbo (PSEUDO-PRO)
CPRO.SU
Pustota
Verified.msx
Infraud.su
LAYER #3 – Heaven's door (Gang'stah!-PRO)
TopSecurity
Maza (Mazafucka)
Korovka
Commuizm
LAYER #4 – Private (семья, "family")
ZeusP2P
CryptoLocker
Sinowallx
Gozi
VIDEO HISTORY
Previously on … 2013
First year without new banking Trojans (except KINS, aka Kasper).
Symlink arrested (January).
Paunch (BlackHole Exploit Kit) arrested (October).
FBI shut down Silk Road and arrested Ross William Ulbricht (October).
Target breach :-) (November/December).
FBI, with Spanish police cooperation, took down Liberty Reserve and arrested its CEO (May 2013).
Previously on … 2013 / 2014
It has been a special year in the evolution of the cybercrime industry:
The feeling of impunity begins to disappear.
Mid-level groups begin to close and professionalize their assets.
Ironically, the vetted gangs start to show some gaps.
These changes are due to:
Arrests.
Proliferation of bloggers / tweeters 'investigating' the cybercrime scene. (Pr0n stars)
Insider researchers.
Leaks (pastes, services…)
Conclusions:
The Cyber-Crime "industry" is now more closed than ever.
New trends at Cyber-Crime
We found new trends in the Cyber-Crime industry, like…:
POS (POINT OF SALE) MALWARE
NEW MOBILE MALWARE (E.G. TOR-BASED)
CRYPTOCURRENCIES
POS (POINT OF SALE), but why?
The lack of a banking Trojan for sale and the large increase in demand for cards has moved many players in this business. Citadel users move their business to this new system.
The offer of POS malware for sale grows.
POS (POINT OF SALE): what we found on the underground market?
The beauty, the Bad and the Ugly:
Alina malware
Dexter malware
BlackPOS malware
POS (POINT OF SALE), and services? Of course!
JackPOS
New trends at Cyber-Crime: Mobile Malware
Increase in injections with support for mobile malware.
Mobile malware for sale:
iBanking (as a service).
Perkele.
Uses new resources like TOR.
New trends at Cyber-Crime: CryptoCurrencies
Chart: TOTAL HASH RATE / 24H HASH RATE
Let's see some real examples of the new trends.
Example: Timeline
Brian Krebs:
18/Dec/2013: Sources: Target Investigating Data Breach
20/Dec/2013: Cards Stolen in Target Breach Flood Underground Markets
22/Dec/2013: Non-US Cards Used At Target Fetch Premium
24/Dec/2013: Who's Selling Credit Cards from Target?
10/Jan/2014: Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen
15/Jan/2014: A First Look at the Target Intrusion, Malware
16/Jan/2014: A Closer Look at the Target Malware, Part II
29/Jan/2014: New Clues in the Target Breach
04/Feb/2014: These Guys Battled BlackPOS at a Retailer
05/Feb/2014: Target Hackers Broke in Via HVAC Company
12/Feb/2014: Email Attack on Vendor Set Up Breach at Target
19/Feb/2014: Fire Sale on Cards Stolen in Target Breach
25/Feb/2014: Card Backlog Extends Pain from Target Breach
Intelligence
Cyber-Criminals' Infrastructure
Infrastructure – Simple: BOTNET – INTERNET
Infrastructure – Proxy: BOTNET – PROXY – INTERNET – VICTIMS
Infrastructure – Double Proxy: BOTNET – PROXY-1 – PROXY-2 – INTERNET – VICTIMS
Infrastructure – Fastflux + C&C: the VICTIM sends an HTTP GET to the FAST FLUX layer of the BOTNET; the GET is redirected to the C&C, and the RESPONSE CONTENT travels back through the fast-flux node to the VICTIM.
Infrastructure – Fastflux + PROXY + C&C: same exchange, with a PROXY placed between the fast-flux layer and the C&C.
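The fast-flux layouts above hide the C&C behind a churning set of bot addresses, and that churn is visible from the resolver side. The following is an added example, not code from the talk: a small Python scorer over a constructed resolver log that flags domains combining many answer IPs, many distinct /24 networks (a coarse stand-in for provider diversity) and low TTLs. Domain names, addresses and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass
class FluxScore:
    domain: str
    distinct_ips: int
    distinct_nets: int   # distinct /24 prefixes: coarse stand-in for provider/ASN diversity
    min_ttl: int
    flagged: bool

# Constructed resolver log entries (domain, answer_ip, ttl); none are real indicators.
RECORDS = (
    # flux front layer: each lookup returns a different bot in an unrelated network
    [("update-srv.example", ip, 30) for ip in
     ("10.11.0.5", "10.42.7.9", "10.77.3.1", "10.3.9.14",
      "10.120.5.6", "10.66.1.2", "10.201.8.8", "10.9.9.9")]
    # CDN-like: many addresses and a low TTL, but all inside one provider block
    + [("cdn.example", f"192.0.2.{i}", 60) for i in range(10, 18)]
    # ordinary static host
    + [("static.example", "203.0.113.250", 3600)] * 2
)

def summarize(records, prefix_len=24):
    """Per domain: number of distinct answer IPs, distinct networks, lowest TTL seen."""
    ips, nets, ttls = defaultdict(set), defaultdict(set), defaultdict(list)
    for domain, ip, ttl in records:
        ips[domain].add(ip)
        nets[domain].add(str(ip_network(f"{ip}/{prefix_len}", strict=False)))
        ttls[domain].append(ttl)
    return {d: (len(ips[d]), len(nets[d]), min(ttls[d])) for d in ips}

def score(records, min_ips=5, min_nets=4, max_ttl=300, prefix_len=24):
    """Flag a domain only when all three flux traits coincide: many answer addresses,
    spread over many networks, with TTLs low enough to rotate them. The CDN case above
    fails the network-diversity test, which is what keeps it out of the result.
    Thresholds are assumptions chosen for this example, not tuned values."""
    out = []
    for domain, (n_ip, n_net, ttl) in summarize(records, prefix_len).items():
        flagged = n_ip >= min_ips and n_net >= min_nets and ttl <= max_ttl
        out.append(FluxScore(domain, n_ip, n_net, ttl, flagged))
    return sorted(out, key=lambda s: s.domain)

def flagged_domains(records, **kw):
    return [s.domain for s in score(records, **kw) if s.flagged]

if __name__ == "__main__":
    for s in score(RECORDS):
        print(f"{s.domain:20} ips={s.distinct_ips} nets={s.distinct_nets} "
              f"min_ttl={s.min_ttl} flagged={s.flagged}")
```

Feeding real resolver or passive-DNS records into the same (domain, ip, ttl) shape is enough to run it; the proxy and double-proxy layouts do not produce this churn, so the check covers only the fast-flux variants.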
Infrastructure – BP HOSTERS: BACKEND SERVER – BP HOSTER – INTERNET – VICTIMS
Infrastructure – OWN Infrastructures: BACKEND SERVERS (x5) – OpenVPN SERVER – IPIP TUNNEL – VPN CLIENT – INTERNET – VICTIMS
Infrastructure – P2P: WEB PANEL / BACKUP SERVER – P2P NETWORK – INTERNET – VICTIMS
Infrastructure – TOR: WEB PANEL – TOR NETWORK – INTERNET – VICTIMS