One of the largest banking botnets has been disabled
June 22, 2012
MOSCOW — Group-IB is announcing it has provided assistance and expert support to the Department K of the Ministry of the Interior (MVD) of Russia and the Center for Information Security of the Federal Security Service (FSB) of Russia during the actions against the organizer of a criminal group, which had been under an extensive investigation, resulting in his arrest by the MVD’s Department K.
Department K agents, along with the Center for Information Security and the Department of Internal Affairs for the Southern Administrative District of Moscow, raided the hacker’s place of residence and seized computer hardware, digital media, and documents evidencing his involvement in criminal activity. His group had been engaged in theft of online banking funds for over three years. Group-IB experts detected one of the largest botnets employed by the perpetrators, which was built on the Carberp malware. Particularly, this version of the malware made it possible to steal so-called vouchers from foreign Facebook users.
This criminal group was formed in 2009 by an individual known by his online nicknames Germes and Arashi. Using the Hodprot malware, the organizer created a multimillion banking botnet, which became known in hacker circles as Origami. It existed until the middle of 2011, when it evolved into another, more sophisticated botnet, built on the Carberp malware.
Origami’s control panel is shown below:
The perpetrators were the first to use the RDPdoor malware as auxiliary means of conducting theft of funds directly via the computers of banking clients. Its control panel was created by Germes himself, and it is shown below:
Germes called upon a lot of people to work on this botnet, which became similar to running an affiliate program. During its existence, the criminal group’s membership comprised as many as 25 people, not including those cashing the stolen funds. The participants constantly changed.
The perpetrators were the first to use the version of Carberp with a bootkit, which made this malware practically immune to anti-virus tools. In May 2012, a test server with this version of Carberp comprised 1.2 million computers.
In 2012, to increase the number of infected computers, the perpetrators switched from BlackHole exploits to Nuclear Pack. Whereas in October 2011 the botnet’s main control server had approximately 700,000 infected computers, this number doubled in less than two months, and in May 2012 stood at 6 million. At the same time, the number of active infected computers was approximately 70,000.
Group-IB experts estimate that these cybercriminals have made over 150 million rubles (approximately $4.5 million), but the actual amount of stolen funds may be tenfold. The victims were clients of both Russian and foreign banks. To facilitate interaction with various types of international financial systems, the perpetrators used different botnet control servers.
“As this criminal group grew, its organizer began to carry out coordination functions, greatly complicating the process of gathering evidence against him,” said Ilya Sachkov, CEO of Group-IB. “Group-IB took part in investigative actions against this group, and conducted forensics of computers of the affected individuals and companies.”
Group-IB is the first company in Russia and the former Soviet Union working professionally and comprehensively in cybercrime investigation, information security breaches, and computer forensics. As part of the company, a computer forensics lab provides independent computer forensic investigations, including for Russian law enforcement agencies. Created on the basis of Group-IB, the CERT-GIB computer emergency response team operates around the clock. Group-IB is part of LETA Group.
For additional information contact Irina Zubareva, Group-IB’s PR Manager, at +7 (910) 468-58-72, or firstname.lastname@example.org.