manu quintans & frank ruiz – 50 shades of crimeware [rooted con 2014]

1Rooted CON 2014 6-7-8 Marzo // 6-7-8 March

50 Shades of Crimeware

Manu Quintans – Frank Ruiz

WHO WE ARE?

Manu Quintans - Threat Intelligence Manager at Buguroo / Deloitte

Frank Ruiz - Intelligence Analyst at Fox IT

And…yes!, we hunt malware like a sir.

INDEXWhat we know about Cyber-Crime ?

It’s Time Back to reality.

Understand Cyber-Crime activities.

Previously on … 2013

Reality bites

Cyber-Crime Evolutions – 2013-2014

New trends at Cyber-Crime

Examples (We have a Target… )

Infrastructure

Demo Time (Yeah! We have a demo, please release your smartphone and enjoy…)

What we know about Cyber-Crime ?

Brian Krebs Post Life Cycle

WE NEED DIAGRAM.

The UndercoatJust for Kiddies

HackForums

Exploit.IN Antichat.RU

Damagelabs

DarkCode

Indetectables

Understand Cyber-Crime activities.THE UNDERCOAT

The LimboPSEUDO-PRO

CPRO.SU

Pustota

Verified.msx

Infraud.su

Heaven’s doorGang’stah!-PRO

yMaza (M

azafucka

)Korovka

Private

семьяZeusP2P

CryptoLocker

Sinowallx

VIDEO HISTORY

The UndercoatJust for Kiddies

HackForums

Exploit.IN Antichat.RU

Damagelabs

DarkCode

Indetectables

The LimboPSEUDO-PRO

CPRO.SU

Pustota

Verified.msx

Infraud.su

Heaven’s doorGang’stah!-PRO

(Mazaf

ucka) Korovka

Private

семьяZeusP2P

CryptoLocker

Sinowall

First year, without new Banking Trojans. (Except’s KINS aka Kasper)

Symlink Arrested (January)

Paunch Arrested (BlackHole Exploit Kit) (OCTOBER)

FBI shut down SilkRoad and they arrest Ross Willian Ulbrich. (OCTOBER)

Target Breach. :-) – (NOVEMBER/DECEMBER)

FBI With Spanish Police Cooperation take’s down Liberty Reserver and arrest CEO.– (MAY 2013)

Previously on … 2013 / 2014

Has been a special year in the evolution of the industry of cybercrime:

The feeling of impunity begins to disappear.

Groups midlevel begin to close and professionalize their assets.

Ironically, the vetted gang’s start to show some gaps.

These changes are due to:

Detentions.

Proliferation of bloggers / twitters 'investigating' cybercrime scene. (Pr0n stars)

Insider Researchers.

Leaks (Pasties, services…)

Conclusions:

The “industry” of Cyber-Crime, now are more than closed than ever.

We found new trends at Cyber-Crime Industry, like… :POS MALWARE (POINT OF SALES) SYSEM

NEW MOBILE MALWARE (EG: TOR BASED)

CRYPTOCURRENCIES

POS (POINT OF SALE), but why?

The lack of a Banking Trojan for sale and the large increase in demand for cards has moved many players in this business.Citadel users move there business to this new system.

Grows offer POS malware sales.

POS (POINT OF SALE), What We found on underground Market?

Alina Malware

The beauty, the Bad and the Ugly

Dexter Malware

BlackPos Malware

New trends at Cyber-CrimePOS (POINT OF SALE), and services? Of course!

JackPos

New trends at Cyber-Crime Mobile Malware

Increase of injections with support for mobile malware.

Mobile malware for sale:

iBanking (as Service).

Perkele

Uses new resources like TOR.

IBanking

Perkele

New trends at Cyber-Crime CryptoCurrencies

TOTAL HASH RATE

24H HASH RATE

Let’s see some real examples about new trends.

Example

ExampleTimeline:

Brian Krebs18/Dec/2013: Sources: Target Investigating Data Breach20/Dec/2013: Cards Stolen in Target Breach Flood Underground Markets22/Dec/2013: Non-US Cards Used At Target Fetch Premium24/Dec/2013: Who’s Selling Credit Cards from Target?10/Jan/2014: Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen15/Jan/2014: A First Look at the Target Intrusion, Malware16/Jan/2014: A Closer Look at the Target Malware, Part II29/Jan/2014: New Clues in the Target Breach04/Feb/2014: These Guys Battled BlackPOS at a Retailer05/Feb/2014: Target Hackers Broke in Via HVAC Company12/Feb/2014: Email Attack on Vendor Set Up Breach at Target19/Feb/2014: Fire Sale on Cards Stolen in Target Breach25/Feb/2014: Card Backlog Extends Pain from Target Breach

Example

Intelligence

Cyber-Criminals Infrastructure

Infrastructure

BOTNETINTERNET

Simple

InfrastructureProxy

BOTNETINTERNET

VICTIMS

InfrastructureDuble Proxy

BOTNETINTERNET

VICTIMS

PROXY - 1

PROXY - 2

InfrastructureFastflux + C&C

FAST FLUXBOTNETFASTFLUX

VICTIM

HTTP GET

RESPONSECONTENT

GET REDIRECT

RESPONSECONTENT

InfrastructureFastflux + PROXY + C&C

FAST FLUXBOTNETFASTFLUX

VICTIM

HTTP GET

RESPONSECONTENT

GET REDIRECT

RESPONSECONTENT

InfrastructureBP HOSTERS

BP HOSTERINTERNET

VICTIMS

Backend Server

InfrastructureOWN Infrastructures

INTERNET

IPIP Tunel

OpenVPN Server

VPN Client

Backend Server

VICTIMS

InfrastructureP2P

INTERNET

P2P Network

Web Panel

Backup Server

VICTIMS

InfrastructureTOR

INTERNET

Web Panel

TOR NetworkVICTIMS

manu quintans & frank ruiz – 50 shades of crimeware [rooted con 2014]

Technology

sameer ratolikar - crimeware attacks & defenses - interop...

rooted in jesus

rooted 2011 nosql security

trending the crimeware ecosystem - countermeasure ›...

50 shades of crimeware · 2020. 1. 17. · 50 shades of...

rooted succulents - gasa

rooted in partnerships

teodor cimpoesu - crimeware& botnets - the international...

rooted in hrist

cybersecurity summer bootcamp 2019 agenda detallada€¦ ·...

rooted in god’s love

scared of scareware and crimeware don’t panic try...

the new reality of stealth crimeware - intelthe new reality...

inside a crimeware networkjr04-2010 koobface: inside a...

crimeware fingerprinting final

polymorphism in crimeware - black hat briefings

cuttings rooted in water

january-july 2018 crimeware trends: a sampling of

inside a crimeware network - nart v

rooted in knowledge