Manu Quintans & Frank Ruiz – 50 shades of crimeware [Rooted CON 2014]
Rooted CON 2014 6-7-8 Marzo // 6-7-8 March
50 Shades of Crimeware
Manu Quintans – Frank Ruiz
WHO ARE WE?
Manu Quintans - Threat Intelligence Manager at Buguroo / Deloitte
Frank Ruiz - Intelligence Analyst at Fox IT
And… yes! We hunt malware like a sir.
INDEX
What do we know about Cyber-Crime?
It's time to get back to reality.
Understand Cyber-Crime activities.
Previously on … 2013
Reality bites
Cyber-Crime Evolutions – 2013-2014
New trends at Cyber-Crime
Examples (We have a Target… )
Infrastructure
Demo Time (Yeah! We have a demo, please release your smartphone and enjoy…)
What do we know about Cyber-Crime?
Brian Krebs Post Life Cycle
WE NEED DIAGRAM.
It's time to get back to reality.
Understand Cyber-Crime activities.
LAYER#1 - The Undercoat (Just for Kiddies)
HackForums
Exploit.IN
Antichat.RU
Damagelabs
DarkCode
Indetectables
LAYER#2 - The Limbo (Pseudo-Pro)
CPRO.SU
Pustota
Verified.ms (x)
Infraud.su
LAYER#3 - Heaven's door (Gang'stah!-PRO)
LAYER#4 - Private
семья (Family)
ZeusP2P
CryptoLocker
Sinowal (x)
Gozi
Understand Cyber-Crime activities.
LAYER#1 - The Undercoat (Just for Kiddies): HackForums, Exploit.IN, Antichat.RU, Damagelabs, DarkCode, Indetectables
LAYER#2 - The Limbo (Pseudo-Pro): CPRO.SU, Pustota, Verified.ms (x), Infraud.su
LAYER#3 - Heaven's door (Gang'stah!-PRO)
LAYER#4 - Private: семья (Family), ZeusP2P, CryptoLocker, Sinowal (x), Gozi
Previously on … 2013
First year without new banking Trojans (except KINS aka Kasper).
Symlink arrested (January).
Paunch arrested (BlackHole Exploit Kit) (October).
FBI shut down Silk Road and arrested Ross William Ulbricht (October).
Target breach :-) (November/December).
FBI, with Spanish Police cooperation, takes down Liberty Reserve and arrests its CEO (May 2013).
Previously on … 2013 / 2014
It has been a special year in the evolution of the cybercrime industry:
The feeling of impunity begins to disappear.
Mid-level groups begin to close and professionalize their assets.
Ironically, the vetted gangs start to show some gaps.
Previously on … 2013 / 2014
These changes are due to:
Arrests.
Proliferation of bloggers / Twitter users 'investigating' the cybercrime scene (pr0n stars).
Insider researchers.
Leaks (pasties, services…).
Previously on … 2013 / 2014
Conclusions:
The "industry" of Cyber-Crime is now more closed than ever.
New trends at Cyber-Crime
We found new trends in the Cyber-Crime industry, like…:
POS (POINT OF SALE) SYSTEM MALWARE
NEW MOBILE MALWARE (E.G. TOR BASED)
CRYPTOCURRENCIES
New trends at Cyber-Crime
POS (POINT OF SALE), but why?
The lack of a banking Trojan for sale and the large increase in demand for cards has moved many players in this business.
Citadel users move their business to this new system.
The offer of POS malware for sale grows.
New trends at Cyber-Crime
POS (POINT OF SALE), what did we find on the underground market?
The Beauty, the Bad and the Ugly:
Alina Malware
Dexter Malware
BlackPOS Malware
New trends at Cyber-Crime
POS (POINT OF SALE), and services? Of course!
JackPOS
New trends at Cyber-Crime
Mobile Malware
Increase in web injections with support for mobile malware.
Mobile malware for sale:
iBanking (as a service).
Perkele
Uses new resources like TOR.
New trends at Cyber-Crime
Mobile Malware: iBanking
Mobile Malware: Perkele
New trends at Cyber-Crime
CryptoCurrencies
[Chart: TOTAL HASH RATE / 24H HASH RATE]
Let's see some real examples of the new trends.
Example
Timeline (Brian Krebs):
18/Dec/2013: Sources: Target Investigating Data Breach
20/Dec/2013: Cards Stolen in Target Breach Flood Underground Markets
22/Dec/2013: Non-US Cards Used At Target Fetch Premium
24/Dec/2013: Who's Selling Credit Cards from Target?
10/Jan/2014: Target: Names, Emails, Phone Numbers on Up To 70 Million Customers Stolen
15/Jan/2014: A First Look at the Target Intrusion, Malware
16/Jan/2014: A Closer Look at the Target Malware, Part II
29/Jan/2014: New Clues in the Target Breach
04/Feb/2014: These Guys Battled BlackPOS at a Retailer
05/Feb/2014: Target Hackers Broke in Via HVAC Company
12/Feb/2014: Email Attack on Vendor Set Up Breach at Target
19/Feb/2014: Fire Sale on Cards Stolen in Target Breach
25/Feb/2014: Card Backlog Extends Pain from Target Breach
Cyber-Criminals' Infrastructure
Infrastructure
Simple
Diagram labels: INTERNET, BOTNET
Infrastructure
Proxy
Diagram labels: INTERNET, BOTNET, VICTIMS, PROXY
Infrastructure
Double Proxy
Diagram labels: INTERNET, BOTNET, VICTIMS, PROXY - 1, PROXY - 2
Infrastructure
Fastflux + C&C
Diagram labels: FAST FLUX, BOTNET, FASTFLUX, VICTIM
Exchange labels: HTTP GET / RESPONSE / CONTENT / GET REDIRECT / RESPONSE / CONTENT
Infrastructure
Fastflux + PROXY + C&C
Diagram labels: FAST FLUX, BOTNET, FASTFLUX, VICTIM
Exchange labels: HTTP GET / RESPONSE / CONTENT / GET REDIRECT / RESPONSE / CONTENT
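The two fast-flux slides above put a rapidly rotating set of compromised hosts in front of the real C&C so that the backend never appears in the victim's DNS answers. From the defender's side the rotation itself is the signal. The following Python script is an added example and not code from the talk or its authors: it reads a passive-DNS style log (the sample lines, the line format, the documentation IP ranges and the thresholds are all constructed assumptions), summarises each domain's A-record history into low-TTL, distinct-IP and network-spread features, and flags a domain only when all three fire, so that an ordinary CDN or round-robin site is not reported.

```python
"""Heuristic fast-flux scoring over a passive-DNS style log.

Added example, not code from the Rooted CON talk: given a history of A-record
answers per domain, score the three signals usually associated with fast-flux
fronting of a C&C: very low TTLs, many distinct IPs in a short window, and IPs
spread across many networks.  Thresholds and log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed line shape: "<epoch> <domain> A <ipv4> ttl=<seconds>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<name>\S+)\s+A\s+(?P<ip>\S+)\s+ttl=(?P<ttl>\d+)$"
)

# Assumed thresholds.  A production detector would tune these and would use
# ASN lookups instead of /24 prefixes as its notion of a "distinct network".
MAX_TTL = 300
MIN_UNIQUE_IPS = 5
MIN_UNIQUE_NETS = 3
NET_PREFIX = 24

# Constructed sample log (documentation IP ranges only): one static site and
# one flux-fronted domain.  The AAAA line does not fit the parser's format and
# must be skipped rather than crash the run.
SAMPLE_LOG = """\
1393804800 static.example A 192.0.2.10 ttl=3600
1393808400 static.example A 192.0.2.11 ttl=3600
1393812000 static.example A 192.0.2.10 ttl=3600
1393815600 static.example A 192.0.2.11 ttl=3600
1393804800 static.example AAAA 2001:db8::1 ttl=3600
1393804800 flux.example A 198.51.100.23 ttl=180
1393805100 flux.example A 203.0.113.77 ttl=180
1393805400 flux.example A 192.0.2.200 ttl=180
1393805700 flux.example A 198.51.100.88 ttl=180
1393806000 flux.example A 203.0.113.5 ttl=180
1393806300 flux.example A 192.0.2.41 ttl=180
"""


def parse_log(text):
    """Group (timestamp, IPv4 address, ttl) tuples by domain; skip bad lines."""
    records = defaultdict(list)
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        try:
            ip = ipaddress.ip_address(match["ip"])
        except ValueError:
            continue
        if ip.version != 4:
            continue
        records[match["name"]].append((int(match["ts"]), ip, int(match["ttl"])))
    return records


def summarize(entries):
    """Collapse one domain's answers into the features the heuristic uses."""
    ips = {ip for _, ip, _ in entries}
    nets = {ipaddress.ip_network(f"{ip}/{NET_PREFIX}", strict=False) for ip in ips}
    timestamps = [ts for ts, _, _ in entries]
    return {
        "lookups": len(entries),
        "unique_ips": len(ips),
        "unique_nets": len(nets),
        "min_ttl": min(ttl for _, _, ttl in entries),
        "window_seconds": max(timestamps) - min(timestamps),
    }


def is_fast_flux(summary):
    """All three signals must fire; any one alone is normal for CDNs or load balancers."""
    return (
        summary["min_ttl"] <= MAX_TTL
        and summary["unique_ips"] >= MIN_UNIQUE_IPS
        and summary["unique_nets"] >= MIN_UNIQUE_NETS
    )


def classify(text):
    """Return {domain: features plus a 'fast_flux' verdict} for every domain in the log."""
    result = {}
    for name, entries in parse_log(text).items():
        summary = summarize(entries)
        summary["fast_flux"] = is_fast_flux(summary)
        result[name] = summary
    return result


if __name__ == "__main__":
    for name, summary in classify(SAMPLE_LOG).items():
        verdict = "FAST-FLUX" if summary["fast_flux"] else "ok"
        print(f"{name:16} ips={summary['unique_ips']} nets={summary['unique_nets']} "
              f"min_ttl={summary['min_ttl']} window={summary['window_seconds']}s -> {verdict}")
```

Requiring all three features together is the point of the design: a low TTL alone describes most CDNs, and many IPs alone describes any large round-robin pool, so either one on its own would drown the alert in false positives. The proxy layer in the second slide does not change the DNS picture, so the same check applies to both topologies.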
Infrastructure
BP HOSTERS
Diagram labels: INTERNET, BP HOSTER, VICTIMS, Backend Server
Infrastructure
OWN Infrastructures
Diagram labels: INTERNET, IPIP Tunnel, OpenVPN Server, VPN Client, Backend Server (x5), VICTIMS
Infrastructure
P2P
Diagram labels: INTERNET, P2P Network, Web Panel, Backup Server, VICTIMS
Infrastructure
TOR
Diagram labels: INTERNET, Web Panel, TOR Network, VICTIMS