Hi-Tech Crime Trends 2015

2 / HiGH-Tech Crime Trends 2015
Contents
INTRODUCTION..................................................................................................................... 3
KEY CONCLUSIONS............................................................................................................... 5
Decrease in losses, growth in total attacks.......................................................................................... 5
Increase of threats to mobile devices.................................................................................................... 6
“Russian hackers” re-target to the West............................................................................................... 6
Development of hacking infrastructure................................................................................................. 7
Launch of targeted attacks on major financial institutions................................................................. 7
Increased interest towards trading and brokerage systems............................................................... 8
FORECASTS FOR 2015 Q2 –2016 Q1....................................................................................... 9
Forecasts for Russia and the former Soviet Union............................................................................... 9
Forecasts for Europe and the USA......................................................................................................... 10
REVIEW OF CYBER-CRIME MARKETS..................................................................................... 11
DEVELOPMENTS DURING 2014 Q2 –2015 Q1.......................................................................... 12
Internet banking fraud in Russia............................................................................................................ 12
Internet banking fraud in the USA and Europe...................................................................................... 26
Targeted attacks on banks..................................................................................................................... 36
Attacks on tradig systems...................................................................................................................... 42
Trojans targeting the US and Europe..................................................................................................... 45
Other Trojans........................................................................................................................................... 46
ATM-reverses.......................................................................................................................................... 47
Attacks on ATMS..................................................................................................................................... 50
Card shops............................................................................................................................................... 57
Attacks on POS terminals....................................................................................................................... 59
ARRESTS DURING 2014 Q2 –2015 Q1..................................................................................... 64
Phisheye group........................................................................................................................................ 64
Android-trojan programmer & co-owner of the reich botnet............................................................... 66
Wap-look (Android-trojan)..................................................................................................................... 69
ABOUT GROUP-IB ................................................................................................................. 72

INTRODUCTION
Every year Group IB releases reports on the development of high tech and cyber-crime, describing new
tendencies and interesting emerging trends from recent months and forecasting future threats. This
report covers the second half of 2014 and the first half of 2015.
In last year’s report we primarily forecast the increase in targeted attacks on banks. This has been
mostly accurate and accordingly, in the second half of last year, the Anunak hacking group, also
known as Carbanak, carried out a series of thefts for hundreds of millions of Rubles from the banking
sector. However, after the publication of the co-authored Group IB and Fox-IT report, which outlined
the group’s methodology, they ceased their activity.
Despite this, as predicted, new hacking groups have appeared conducting similar attacks, for example,
the much discussed targeted attack on a Kazan based bank, which resulted in volatility on the currency
exchange market of over 10 Rubles to the US Dollar for a short period.
Our predictions of increased attacks on ATMs were also correct. Group IB has discovered new Trojans
and insider fraud, and also new equipment, including Blackbox, a tool which hackers developed
and installed on cash machines, allowing them to receive remote access to systems.
Following research and analysis of the threats to mobile devices, Group IB predicted an increase
in the amount of mobile Trojans that allow hackers to automatically transfer money from bank
accounts, sidestepping the most advanced bank security systems. This prediction was correct
in assessing the speed of development in this area of fraud and accordingly we have allocated
a specific section of this year’s report to this growing issue.
Another major forecast was a decrease in the amount of thefts from individuals, using Trojans which
reroute users to phishing sites. Thanks to the arrest of participants in one of the most aggressive
hacking groups using this scheme, the amount of thefts was not just lowered but completely stopped.
More details are provided in the Group IB completed investigations and arrested criminals section
of this report.
We also predicted an increase in the attacks on Russian internet and digital resources by hacktivists
and again were correct. Hackers affiliated with ISIS carried out over 600 attacks which Group IB
analysed and assessed in a separate report on their international activity.

As in our previous reports, we have focused attention on the threats presented by Russian hackers,
but this year we have given an overview of dangers to foreign banks and companies operating
in the financial services sector. Nevertheless, our conclusion is that, unfortunately, the most dangerous
banking botnets are affiliated with Russian hackers.
It is important to qualify at this point that there are a number of interpretations of the term “Russian
hackers”. In the Russian Federation criminal experts prefer to use this term in relation to citizens
of the Russian Federation operating within the country. However, in Europe and the USA, the term
“Russian hackers” is used not just to describe hackers of Russian nationality but also all citizens
and emigres from the former Soviet Union, who are connected by the Russian language.

KEY CONCLUSIONS
Decrease in losses, growth in total attacks
During the reporting period (QII 2014 – QI 2015) Group IB established that there was a decrease
in losses due to cyber-crime in the Russian Federation, despite a marked increase in the number
of criminal groups. The main targets of these groups continue to be internet banking systems and also
mobile banking. The decrease in the scale of thefts is linked, in part, to cyber-criminals changing
the targets of their attacks from Russian institutions to the West, the decrease in size of average
successful thefts, the arrest of a number of members of criminal groups (see section – Arrests)
and also the cessation of activities of one of the largest cyber-crime groups – Anunak (Carbanak).
• Total thefts from the Russian internet banking sector during the reporting period decreased
3,7 times to just over $42 085 420 (2,6 billion RUR).
• There is a transfer of activity from professional criminal groups using their own Trojans
to a larger number of less experienced hackers using purchased malware. During
the reporting period 16 new criminal groups were identified, the majority of which are using
malware targeting Android devices.
• More than 80% of thefts from legal entities were still carried out by three main groups: Cork,
Lurk and Kontur (Buhtrap).
Despite the decrease in total losses, the number of attacks has increased by multiples of ten.
The growth in the number of thefts is directly linked to the lower threshold and skillset required
to establish a cyber-crime group. This is as the basic programs required to carry out attacks can be
acquired on hacking forums for only a few thousand dollars.
• The total amount of groups stealing money from legal entities grew by 60%
• The total amount of groups attacking individuals with Android Trojans increased 160%
• The daily rate of thefts from individuals increased by a factor of three.

Increase of threats to mobile devices
The increase in the amount of users of mobile banking infrastructure has led to the development
of Trojans for smartphones and tablets, which have crowded out PC Trojans used in theft from
individuals. The number of criminal groups operating using mobile device Trojans has increased
dramatically. Mainly malware is being developed for use on the Android platform, with the majority
of cases targeting European banks.
• In the retail mobile banking sector, the total number of criminal groups in operation targeting
phones has increased by ten. All groups target individuals and the number of incidents has
increased by a factor of three.
• The losses to bank customers from Android Trojans totaled more than $987 388 (61 million
Rubles), exceeding total losses caused by Trojans on PCs.
• All new bank Trojans on the Android platform have the function to steal money automatically
and collect card data, therefore the bank of the victim is no longer important.
• Hackers are continuing to develop functions for Trojans which allow their operators to receive
total control of the victim’s telephone and receive: call history and SMS messages, access
to all files on the phone and information in cloud servers as well as geolocation data.
• Despite the steady increase in the number of criminal groups operating in the mobile device
sector more than half of all incidents were caused by three groups: Ada, Sizeprofit and March.
“Russian hackers” re-target to the West
Due to the devaluation of the Ruble, hackers from the former Soviet Union have now begun to attack
clients of Western Banks. Criminal groups which previously operated in the Russian Federation have
now begun to target the West.
• The twelve most widely used Trojans used for attacks on clients of European and US banks
were developed or operated by Russian speaking criminals.
• Last year bank Trojans using the Android operating system were mainly used in Russia,
however, now all new versions are being developed with ability to attack Western banks.
• There has been a marked increase in the amount of malware of Russian origin created
to target Western financial institutions.

Development of hacking infrastructure
There has been a continued development in the support infrastructure for cybercrime. Black hat
hackers and programmers have copied those operating in the legal business sector and are trying
to diversify their range of products, offering cheaper versions of malware programs with basic
functions and more expensive versions with a wider range of capabilities. Additionally, C2C (Cyber-
Crime to Cyber-Crime) services are continuing to develop, where hackers provide outsourcing
of routine or difficult criminal acts to other cyber-criminals.
• The turnover is growing on sales forums which offer bank card data, logins and passwords
for a range of systems.
• During the period Q2 2014 – Q1 2015 the turnover of just seven such shops was over
$2 508 938 (155 million Rubles).
• The market for data theft from POS terminals has broadened: active terminal skimmers
are on sale alongside firmware and services for their installation.
Launch of targeted attacks on major financial institutions
The amount of groups conducting targeted attacks has increased. Despite the decrease in activity
of the Anunak group after the publication of the Group IB report on their operations alongside the net
decrease in the total amount of successful attacks, the incidents themselves have become more
sophisticated, and the losses from each instance have become larger.
• Previously banks were only attacked by the Anunak group. But in 2015 two more groups
conducting targeted attacks on banks have emerged, which aim to receive access to money
transfer systems.
• Group IB identified successful attacks using ATM-reverses. The losses from these kind
of attacks constituted over $3 237 340 (200 million Rubles).
• A new type of attack was identified using Blackbox on ATMs. The cost of one such device
is around $40 000 but allows remote access and dispensation of cash from the exploited
ATM.
• The first targeted attack on the Universal Card System (ORS) took place causing losses
of around $8 093 350 (500 million Rubles). This attack did not take place during
the reporting period but is a prime example of this new trend.

Increased interest towards trading and brokerage systems
2015 became the first year when an attack on a trading system was conducted. This attack led to major
uncertainty on currency markets. The functions of several new malware programs now include
a separate section for use on trading systems.
• The first successful attack in Russia on a trading system took place causing the victim a net
loss of around over $5 million (300 million Rubles).
• The Corkow group introduced a module into their Trojan to operate on the QUIK
and TRANSAQ trading systems.
• The Anunak group, which last year attacked banks and payment systems, changed their
activity to focus on trading systems.
• In the West, the Dridex Trojan is being tested with the goal to conduct thefts from
the “E*TRADE Financial Corporation” system.
• Other Trojans such as Dyre, KINS (ZuesVM), ISFB (Gozi), and some versions of Zeus have
started to collect data on trading systems for future attacks.

FORECASTS FOR
2015 Q2 –2016 Q1
Forecasts for Russia and the former Soviet Union
1. Considering the overall movement away from using privately produced Trojans to more
accessible analogues, the amount of cyber-crime groups will increase.
2. Attacks on bank clients, using Trojans targeting personal computers, will cease.
3. The total amount of incidents and amount stolen will increase due to the availability of card
transfers on mobile devices and injects purportedly from banking institutions by hackers
onto smartphones.
4. The total number of cryptolocker incidents involving legal entities will increase.
5. The amount of phishing incidents targeting bank clients will increase due to the appearance
of new criminal groups and the automisation of theft using Trojan functions.
6. The effectiveness of Trojans using autofillers against legal entities will decrease due
to the introduction of new defense mechanisms by major banks, but perpetrators may shift
their attention to theft using remote access.
7. The total amount of POS terminal incidents will continue to grow as the number of programs
designed for this purpose continues to increase. Many of these programs are also readily
accessible.
8. The amount of targeted attacks will continue to grow as new criminal groups are expected
to begin activity, however, their effectiveness will remain low.

Forecasts for Europe and the USA
1. The number of Android Trojan incidents will increase due to the possibility to receive bank
card details from mobile devices.
2. The number of cryptolocker incidents involving legal entities will increase.
3. Programmers of ATM malware are yet to be arrested, therefore, the amount of incidents
of cash theft from ATMs will probably increase.
4. POS malware will become more complex and the number of attacks aiming to obtain bank
card data will increase, including incidents involving integrated circuit cards.
5. Incidents involved attacks on trading systems will become more frequent due
to the increased amount of Trojans targeting their activity.

REVIEW OF CYBER-CRIME
MARKETS
MarketsegmentinRussia
andtheCIS
NumberofCriminalgroups
Averagenumberofsuccessful
attacksperday
Totalaveragetheft
Totalstolenindailythefts
Q22014-Q12015(average
exchangerate57RURto$1)
Internet banking thefts
from legal entities
8 16 $ 7603 $ 121 663 $ 33 549 474
Internet banking thefts
from individuals
2 2 $ 1212 $ 2 424 $ 668 368
Thefts from individuals
using Android-Trojans
14 70 $ 55 $ 3 881 $ 1 070 263
Targeted attacks on banks 3 - $ 1 425 744 - $ 11 192 982
Laundering of stolen
money
- - - $ 57 585 $ 20 916 489
Turnover of card shops 7 - - - $ 2 724 822
Total $ 185 554 $ 70 122 399

DEVELOPMENTS DURING 2014
Q2 –2015 Q1
Internet banking fraud in Russia
In Russia, during the reporting period, a number of serious changes took place which have affected
cyber-criminal groups. In total six criminal groups have stopped operations due to a range of reasons.
In their place a larger number of fraudsters have appeared. We have separated these groups into
three categories as described below to provide an overview of current developments. In the tables,
the numbers of cyber-criminal groups and their type are outlined. The groups that have been crossed
out are no longer in activity. Groups which are listed as “new” have only recently begun their activity.
According to our estimates criminal groups have stolen a total of $42 885 399 (2 649 422 000 Rubles)
in the reporting period. Using this model, the market share appears as follows:
Image: Total thefts by type

Despite efforts to neutralize members of these criminal groups, their total number has grown
significantly. The main area of growth has been from groups using malware on the Android platform.
Groups targeting companies Groups targeting individuals
Groups targeting individuals using
Android-Trojans
Cork
Lurk
Shiz
Ranbyus
Infinity
ToplelNew
Kontur (Buhtrap)New
Uni_chthonicNew
ProsecutorNew
Kronos_NalogNew
YebotNew
Proxy
PhishEye
Infinity
Reich
Greff
March
Waplook
Ada
Ada2New
CronNew
ApiMapsNew
TarkNew
XrussNew
MobiAppsNew
SizeprofitNew
MikortaNew
WebmobilNew
Group 404New
Groups targeting companies: three of the five groups previously operating have stopped working
in the former Soviet Union. However, participants in these groups have not been arrested, nevertheless
their activity has completely stopped. The reasons for this are unclear. It is possible that they have
decided to change their type of fraud or refocus their activities on another region. The largest threats
in Russia are now Cork, Lurk and Buhtrap. These cyber-criminal groups have the largest botnets
and are most active in thefts from legal entities.
It is worth noting that all of the older cyber-criminal groups in this segment are using the same
methodology to spread their malware - Exploit Kits, and are expanding their botnets using redirected
traffic from compromised sites. Whereas, all the new groups are using spam to expand their
operations. Notwithstanding, the most active older groups (Cork, Lurk) are still using the same exploits
as previously, but with continued and considerable success. Their botnets are the largest and incidents
identified by Group-IB are most often linked to these groups.
The Lurk group previously attacked only clients using the Ibank2 banking system owned by Bifit.
However, since the start of 2015 they have edited their malware and it now supports activity on BSS
and other systems used by several major Russian banks.

All the new criminal groups are using remote access to commit thefts, allowing them to carry out
fraudulent operations directly, using the victim’s computer. The exception to this is the Kronos_Nalog
group which bought an autofiller system and began to use it to attack clients of one of the major
Russian banks. However, all their attempts have so far been unsuccessful. The autofiller interface used
by Kronos_Nalos is shown below:
Image: Autofiller system used by the Kronos_Nalog group

For remote access the following programs are generally used: HVNC, RMS, LiteManager, RDPdoor,
and AmmyAdmin.
Image: Statistics of incidents by group
Groups targeting individuals: previously three criminal groups targeted individuals on a constant
basis. Infinity group have stopped activity and members of the PhishEye group were arrested in 2015.
More information on this can be found in the Arrests section of this report. It is worth noting that
the remaining group, Proxy, has significantly lowered their activity following these arrests. As we
predicted in the last report, the activity of cyber-criminal groups working using Windows Trojans
to commit thefts from individuals has practically stopped.
However, thefts from banks’ clients have not stopped and new methods have emerged. At the current
time the main avenues of attack by cyber-criminals are through phishing or Android-Trojans.
Groups operating Android-Trojans for attacks on individuals: criminal groups in this category have
only stopped their activity due to arrests and/or criminal cases being opened against them. Many
of the participants in criminal groups engaged in this activity are located in Ukraine and this allows
them to continue their operations and evade punishment. Despite cooperation with law enforcement
against the Android-Trojan sector, this type of cyber-crime is increasing quickly. In the past year
Group-IB has discovered 1 816 867 infected Android devices in botnets designed to target bank
transactions.

The most widespread of these is the Opfake Trojan used by the Ada and Ada2 groups. This
is a relatively simple Trojan, but hackers have developed it further. Initially, functions for receiving bank
card data were added and then later a locker function was included. Screenshots of the control panel
and interface of this Trojan are displayed below:
Image: Opfake Trojan control panel
Image: Card page from the Opfake Trojan control panel

Image: Locker page from the Opfake Trojan control panel
The second most widespread Trojan during the reporting period became FakeInst.fz. It is used
by a range of groups including: Xruss, MobiApps, Mikorta, Webmobil, Sizeprofit. This Trojan is again
very simple and all groups use it for thefts through SMS banking. The screenshot of the interface below
shows that there is an available balance on 882 accounts with a net value of over 14 million Rubles:
Image: FakeInst.fz control panel

Private Trojans have always garnered more attention in investigations as they are used by specific
groups and cause more serious damage. The amount of incidents related to their use is generally lower,
however, these Trojans are generally better developed by professional programmers and their methods
for theft are more complex. One of the first groups that began to steal money using bank card data
was the March group. This group uses a private Trojan which they named Rahunok, which translates
from Ukrainian as “Account”. Another group which used a similar method was Reich group which
is described in the Arrests section of this report.
The control panel of the Rahunok Trojan is displayed below:
Image: Rahunok Control Panel
Another private Trojan of significant interest is Univert which has only recently begun to be used
on a significant scale by the ApiMaps group. This Trojan is of particular importance as it has a relatively
broad range of capabilities, not only for effective theft of funds but also for use as a tool for espionage
and blackmail. The current version of this malware has the following functions to:

• Receive bank card data during access to Google Play.
• Redirect SMS messages from specified numbers.
• Receive the Gmail address affiliated with the mobile device.
• Receive Gmail passwords that are affiliated with the mobile device.
• Lock the mobile device.
• Enable call interception.
• Receive calls, SMS and web history logs.
• Receive contact lists, apps lists, GPS coordinates and saved photographs.
An example of the command page from the new version of the botnet is provided below:
Image: Univert control panel

Image: Univert control panel
Another private Trojan operating via a complex theft method is Galf used by the Greff group. Aside from
thefts through SMS banking, it can conduct phishing attacks on accounts with larger bank balances.
In these phishing attacks cyber-criminals receive internet banking logins and passwords which give
them the ability to sidestep limits set on SMS banking transfers.
Image: Galf control panel

The FkToken.A Trojan also merits attention. According to its settings and a separate section named
“AZ” (autofill), this malware gives the user the ability to automatically transfer funds from banks’
clients’ accounts and payment systems. It is worth noting that in order to use autofill functions
the Trojan uses a separate server via an API interface.
Image: FkToken.A control panel

Image: Incidents committed by mobile Trojan groups
Groups such as Greff, March, ApiMapsNew, TarkNew, Group 404New , CronNew, use private Trojans
which are not currently for sale. The remaining groups use Trojans which are for sale on hacking
forums. Only very recently, in the first two quarters of 2015, did Group-IB begin to detect the following
announcements about the sale of Trojans for the Android platform:
Program name Attack regions Detection
GM Bot Worldwide, except Russia October 2014
Skunk March 2015
These two malware programs were created by the same programmer and are sold on deep web hacking
forums. The Skunk program has functions for interception and sending of SMS messages and allows
perpetrators the ability to use their own HTML/JS injects for any banking application to collect
authentication information, then used to gain access to internet banking.

GM bot has additional functions for the theft of bank card data and can automatically collection
authentication information to gain access to other accounts (non-banking) affiliated with the user.
Android bank Trojan, by «nobel» Worldwide April 2015
At the start of April 2015, the source code of an Android bank Trojan was offered for sale on deep web
hacking forums, allowing the user to intercept the following data:
• Internet banking and payment information
• Internet banking authentication information
• SMS messages
Image: «nobel» Trojan control panel

Android bank Trojan, by «httpskiller» Worldwide, Russian version in operation April 2015
At the end of April 2015 this new malware program for the intercept and sending of SMS messages,
redirection of calls and copying of bank card details was detected for sale on deep web hacking
forums. Interestingly, this program is sold in two versions: the first has basic functions, but the second
is adapted to work with banks and payment systems in the Russian Federation and allows
the perpetrator, using SMS requests to banks and payment systems, to automatically check
the balance of bank cards and transfer money onto specified accounts.
In June 2015, a cyber-criminal put his source code up for sale:
Image: «httpskiller» Trojan control panel

A short comparative review of active cyber-criminal groups of all three categories is provided
in the table below:
Group name Malware used Method of infection Method of theft
Lurk Lurk Angler exploit pack
Autofillers
Autocorrect
Cork
Corkow, RMS, HVNC,
AmmyAdmin
CottonCastle/Niterix exploit
pack
Remote access
ToplelNew Pony, RDPdoor
Email
Kontur (Buhtrap)New
NSIS.Downloader,
LiteManager
Uni_chthonicNew
Chthonic
(модификация
ZeusVM)
ProsecutorNew ChePro
Kronos_NalogNew
Kronos и система
автоподмены
YebotNew Yebot
Proxy Proxy.adder GrandSoft exploit pack
Social engineering
SIM replacement
Greff Galf
SMS
SMS banking
Phishing
March Marcher
CronNew Cron
Ada Opfake.A
SMS banking
Ada2New Opfake.A
ApiMapsNew Univert
TarkNew TarkBot
XrussNew FakeInst.fz
MobiAppsNew FakeInst.fz
MikortaNew FakeInst.fz
WebmobilNew FakeInst.fz
SizeprofitNew FakeInst.fz
Group 404New FkToken.C

Internet banking fraud in the USA and Europe
Group-IB has not yet examined how much money “Russian hackers” are stealing through fraud via
internet banking in the USA and Europe. But it is certain that their income from abroad is greater than
that from operations and fraud in Russia and the former Soviet Union.
Accordingly, it is of interest to assess which Trojans are used for attacks on the clients of European
and American banks. It is worth noting that all Trojans listed below without exception are developed
or operated by “Russian hackers”.
Trojan Total groups
Dyre (Dyreza) 1
Dridex (Bugat, Feodo, Cridex) >3
Qadars 1
Emotet 1
Vawtrak (Neverquest, Papras) 4
ISFB (Ursnif) 3
Kronos 2
MMBB (Money Maker Bank Bot) 2
Tinba (Zusy) >8
Zeus 2.0.8.9 >11
Citadel >17
KINS (ZeusVM) >18
There is no point in describing the workings of each Trojan in this report. There are many overviews
online that assess their functionality and characteristics in varied degrees of detail, and there
are descriptions of the operations of each group using them in previous reports.
In opposition to this, groups using private Trojans (Dyre, Dridex, Qadars, Emotet), are of significantly
more interest. This is as private Trojans are developed and used by only one group.

Dyre (Dyreza)
Of these, the most noticeable is the Dyre Trojan.
It infects the largest amount of financial institutions worldwide which it subsequently targets.
In the latest configuration files of this Trojan we found 862 domains whose traffic is directed through
the perpetrators servers: this included the domains of banks, payments systems and other financial
institutions.
The increased size of the botnet is linked to the fact that cyber-criminals using this Trojan have
improved its method of infection and circulation by using spam send outs through the victim’s email
contact list.
Below are pictures of the Dyre bot-net interface:
Image: Dyre control panel

Dridex (Bugat, Feodo, Cridex)
The second most dangerous Trojan in this reporting period is Dridex.
It uses web injects to operate autofillers and in the most recent configuration files, Group-IB identified
settings for 215 banks in various regions including: England, Italy, USA, Turkey, Spain, France, UAE, New
Zealand, Australia, Vietnam, Malaysia, Indonesia, Singapore, Croatia and Belgium.
This Trojan is of particular interest, as its developers have written autofiller code not just for banks
but also for trading systems, which is reviewed in the later sections of this report.
Image: Dridex control panel

Qadars
Qadars – is a solid example of private Trojans developed by “Russian hackers”. From an analysis
of attacks, the following regions were confirmed as targets: Australia, New Zealand, Germany, Italy,
USA, Canada and Scotland. Additionally, this Trojan can redirect traffic if the user accesses the site
of a Russian payment system - «okpay.com/ru/account/».
As in 2013, when this Trojan was initially detected, through 2014 and 2015 cyber-criminals using
Qadars have continued to use two readily available autofillers - ATS Engine and Tables.
Image: ATS Engine autofiller, used by Qadars criminal group
Image: Tables autofiller used by Qadars criminal group

Emotet
New modded versions of the Emotet bank Trojan have appeared, which extract data by sniffing traffic.
A new version of the Trojan is currently being circulated via Spam emails and targets German speaking
countries. After gaining access to the victim’s computer, this Trojan monitors traffic and receives
confidential user data when the victim accesses their internet banking system. Also, the new version
of this Trojan can steal user data (logins and passwords) in a similar manner from internet browsers,
mail clients, social media sites and messengers. The end targets of Emotet appear to be German,
Austrian and Swiss banks.
As with previously described Trojans of this type, Emotet uses web injects to conduct autofilling
and collect additional confidential data.
The creators of this Trojan have not carried out attacks in the former Soviet Union so as to remain
undetected. In general the attacks have been limited to a few German and Austrian banks. However,
in the code there are comments in Russian which indicates the involvement of “Russian hackers” in its
development.
Vawtrak (Neverquest, Papras) and ISFB (Ursnif) Trojans can be considered as a separate category
of malware. These are for sale but not to all comers and are only provided to a closed group
of individuals. Their designers are still perfecting these programs and provide technical support to their
clients.

Vawtrak (Neverquest, Papras)
During the reporting period Group-IB has registered usage of this Trojan by four separate groups
targeting victims in the following countries: USA, Canada, England, Romania, Indonesia, Malaysia,
Germany, Singapore, Greece, Spain and Croatia.
Perpetrators use two main methods to steal funds: autofillers and remote access.
Group-IB has not been able to examine the control panel of this Trojan but has discovered that it looks
similar to the control panel for a web inject system:
Image: Autofiller used by Vawtrak group

In the web inject script control panel there were 65 banks listed, primarily English entities.
Image: Field for adding new banks to the Autofiller system
The comments listed are of particular interest, written using the Latin alphabet but in Russian
language. These are provided translated in the table below. In some of these fields the balance
of the potential victim is also listed. According to the comments on accounts at just one of the English
banks, Group-IB estimated that the total compromised balances listed at this entity alone is over 120
million pounds.
Please note that the abbreviation «kk» listed in the commentary indicates one million (for example,
6kk represents 6 million), accordingly «k» represents a unit of one thousand (therefore, 115k = 115
thousand).
1 Balance is 77 thousand pounds
2
Balance is 500 thousand pounds, inter-UK.
There are no money mules both for chaps
and for big sums. Skip it yet
3
Account for authorization of payments, balance
is 2 million pounds

4
PIN: 1357 PASS: Aegis12
TM5-Payment approval - %Password21
Balance total 40 million pounds
Dual authorization
5
No function of payment approval. Balance is 18
million pounds.
Tried to transfer 2 million to China
6
Balance is 7 million pounds. Dual authorization
on.
It is better to transfer via ringing out
7
Balance is 15 million pounds, dual
authorization off.
No opportunity to establish sort code
for transfer. It is better to ring out
8
Balance is 70 thousand pounds. Pass:
shortie239
9 A lot of money, 30 million pounds
10
Account for payments authorization, balance
is 1,5 million pounds
11
No function of payment approval. Balance
is 115 thousand pounds.
12 Balance is 6 million pounds
13
400 and 100 thousand pounds, no code
for transfer
ISFB (Ursnif)
ISFB – is a bootkit working using web injects, supported on the following web browsers: Internet
Explorer, Firefox, Chrome and Opera. This Trojan has its own format of injects but also can run the more
traditional formats from the Zeus Trojan. Aside from this, it has functions to collect information from
data fields in internet browsers, take screenshots, copy cookies and security certificates.
We identified use of this bootkit by three groups: two using web injects and one using it for thefts via
remote access. These groups worked primarily in Australia, Germany, Italy, USA and New Zealand.
The Trojan itself is not of particular interest and pictures of its control panel are provided below:

Image: ISFB control panel
On 06.04.2015 on a deep web hacking forum an announcement was posted offering a modified version
of the ISFB banking bootkit for sale. This version has an added exploit for vulnerability CVE-2014-4113,
in the Windows kernel (Win32k.sys) which allows unsanctioned access to the computer (sidestepping
operating system restrictions) to run kernel code allowing the exploiter to raise their privileges
to the highest level (SYSTEM).

The seller of this modified version is a user with the username taco, but the developer of the initial
program is a cyber-criminal with the username x64. It is interesting to compare the pricing
by the original developer of the boot kit with that of the modded version:
Sales item Original version (x64) Modded version (taco)
Bootkit & loader $15 000 $7 000
Basic Trojan pack $12 000 $5 000
Configuration tool $4 500 -
Image: Sales announcement for the modified version of ISFB

Targeted attacks on banks
Anunak (Carbanak)
In the last Group-IB annual report we wrote about targeted attacks on banks. A little later
in December 2014, we published our first joint report with Fox-IT on the Anunak (Carbanak) criminal
group. The primary targets of this criminal group in Russia and the former Soviet Union are banks
and payment systems, while at the same time in Europe, the USA and Latin America, these hackers
more frequently attack retailers and media organisations.
Their main tool has consequently been Anunak malware, also known as Carbanak. The interface of this
program is shown below.
As is often the case, many of the computers infected by this malware had antivirus installed and active,
as can be seen in the AV column of the second picture below:
Image: Anunak Trojan Control Panel

Image: Anunak Trojan control panel
As of the publication of our report on Anunak in December 2014, members of this group had access
to the networks of over 50 Russian banks, 5 payment systems and 16 retailers – the majority of which
were located in the USA. However, the group had not launched an attack on a single American
or European bank. The total thefts involving these cyber-criminals currently totals over 1 billion Rubles,
the majority of which were stolen in the second half of 2014. More detailed information on the group,
their tactics, activity and methodology can be found in our report at: http://www.group-ib.com/files/
Anunak_APT_against_financial_institutions.pdf.
In February 2015 information was published that the Anunak (Carbanak) criminal group had carried out
attacks on foreign financial institutions (banks in Japan, the USA and the Netherlands). However, this
information turned out to be inaccurate, outside of Russian and Ukraine, attacks had only taken place
on retailers to receive card data.
Since December 2014, Anunak has had a lowered level of activity, however similar lulls have been
observed in the past. Starting from February, Group-IB has not registered a single new incident
in Russia involving this Trojan.

Corkow
There is one other botnet being used for targeted attacks on financial institutions – Corkow. As
of November 2014 this botnet encompassed over 250 000 infected devices in over 86 countries
worldwide, mainly in Russia and Ukraine.
By coincidence, Anunak curtailed their activity in February 2015 in the same month as Corkow started
to launch targeted attacks on banks. However, the Corkow group does not have any known ties
to Anunak.
From February to October, Group-IB has identified four successful attacks on banks by this group.
In two instances the development of these attacks was curtailed thanks to the Group-IB Bot-Trek
Cyber Intelligence system. Access to critical bank systems at this stage was already received
but the perpetrators were unable to exploit this further.
The first successful attack on a bank using access to a trading terminal for the Russian stock market
was identified. This will be described in the next section of this report.
Image: Corkow Trojan control panel
The tactics of Corkow differ from those used by the Anunak group:
1. In order to gain access to a target’s local network, phishing letters are not used, neither
are preparatory calls to the bank or discussions with employees, etc.
2. To gain access to the network perpetrators use the large Corkow Botnet.
3. Corkow is spread by Drive-by, meaning that perpetrators initially gain access to legitimate
websites and install their own malicious code which redirects visitors to the hackers’ server
using the CottonCastle exploit. If the user’s operating systems have not been updated then
Corkow malware is uploaded to their computer.

Country Code Relation Hosts Visitors Visitors Hits
Russia RU 1.0 26,823 26,744 % 88.50 27,564
Ukraine UA 1.0 2,321 2,311 % 7.65 2,345
Republic of Moldova MD 1.0 172 172 % 0.57 172
Germany DE 1.0 112 112 % 0.37 116
Israel IL 1.0 104 104 % 0.34 104
Latvia LV 1.0 84 84 % 0.28 84
Kyrgyzstan KG 1.1 70 69 % 0.23 76
Estonia EE 1.0 64 64 % 0.21 64
Uzbekistan UZ 1.0 62 62 % 0.21 63
Bulgaria BG 1.0 50 50 % 0.17 50
Georgia GE 1.0 46 46 % 0.15 46
Lithuania LT 1.0 43 43 % 0.14 43
Azerbaijan AZ 1.0 32 31 % 0.10 32
Canada CA 1.0 29 29 % 0.10 29
United Kingdom GB 1.0 27 27 % 0.09 27
Italy IT 1.0 22 22 % 0.07 22
Tajikistan TJ 1.0 19 19 % 0.06 19
France FR 1.1 18 18 % 0.06 19
Image: CottonCastle exploit control panel (Source – Malware don’t need Coffee)
4. Due to their access to and control of popular Russian websites, perpetrators are able
to redirect up to 800 thousand visitors to their servers on a daily basis. This figure
is comprised of the audience of all sites to which hackers have had access in a 24 hour
period. However, they have become more selective in their approach and do not use all sites
concurrently.

5. Once installed, the Corkow Trojan collects system data and redirects this to their servers.
After this the cyber-criminals only need to find infected devices at banks amongst their
bots. Group-IB Bot-trek TDS sensors are in place at a number of financial institutions
and, unfortunately, we register that currently Corkow malware is present on 80% of protected
corporate systems. Considering the method of delivery and analysis of infections on banks’
networks, we can confirm that all infections were conducted on a random basis. However,
as our previous investigations on Anunak group displayed, access to any computer
on a corporate network gives access to even the most highly protected banking systems.
6. If a bot is installed into a network that is of interest to the hacking group, this is then used
to upload one of the following remote access programs: AmmyAdmin, HVNC or RMS.
7. Using remote access, perpetrators then being to investigate the local network. In one incident
they received access to the Kaspersky Security Center server and used it to scan the local
network and install malware and remote access systems. The activity of this server did not
arouse the suspicions of IT or security staff.
8. As in the case of Anunak group, the perpetrators then received complete control
of the domain and mail server.
9. The characteristic feature of this group is that in all incidents they looked for servers
and staff computers which specifically handled bank card data.

To recap, Corkow is a private Trojan targeting the banking sector that has been in operation since 2011
and was used for thefts from bank clients right up to 2015. Only this year, did this cyber-criminal group
begin to conduct targeted attacks on banks.
The main functions of the Corkow malware and its modules are:
• Covert usage of the infected computer and avoidance of anti-virus systems.
• Theft of keys and passwords from internet bank systems running on IBANK2, iFOBS
and Sberbank Russia.
• Theft of all authentication forms in internet browsers using FG and Pony modules.
• Keylogging
• Spying on users: covert production and transmission of screenshots and video.
• Covert remote access to the infected computer
• QUIK and TRZQ modules used for theft from trading systems.

Attacks on tradig systems
Corkow in Russia and the CIS
In 2014, Corkow added a QUIK v.1.0. module to collect information on the Quik trading platform
that is operated by ARQA Technologies. In 2015, the developers of Corkow renewed this to v.1.1.
and released an additional module TRZQ v.1.0 to copy data from the TRANSAQ trading system from
CJSC Screen Market Systems.
In February 2015 the first successful attack on a trading system took place which caused a volatility
in the exchange rate of the Ruble from 55 to 66₽. The losses to this financial institution were estimated
at around 300 million Rubles, over $5 million.
The attack itself lasted only 14 minutes and during which the losses were sustained, however,
the preparations for this took place over a significantly longer timeframe.
Hackers gained access to a computer in the trading system in September 2014. From this time
the Trojan was functional and constantly updated itself to avoid detection by anti-virus software
installed at the bank which was functioning correctly. As of the Group-IB investigation into this
malware program in March 2015, Corkow v.7.118.1.1. had not been detected by a single anti-virus
program.
Image: Chronology of the Corkow attack on the trading system

From December 2014, the criminal group began to run keyloggers in the infected system.
On 27th February 2015, Corkow provided remote access to the trading system which allowed
the criminal group to launch programs and enter data at the same time as the bank’s users.
As a result of this unsanctioned access to the trading system terminal, the perpetrator, made a total
of seven purchases and sales of US dollars in the Dollar/Ruble exchange program. These operations
were as follows:
• “Market” orders which provide requests to buy or sell a specified amount of lots (for fixed
amount of foreign exchange) at the best prices offered in the trading system.
• “Removal” orders which provide a request to purchase the largest amount of currency
possible immediately after their registration in the trading system, and the remainder
is removed from the trading system.
Image: Тechnical analysis of the trades

In total 5 trades were made for the purchase of $437 million and two trades for the sale of $97 million.
However, only a small proportion of the trades were carried out in full, as a result $158 536 000 was
purchased and $93 925 000 was sold.
In the graph for trades on that day, you can see a sudden hike, showing the volatility of the exchange
from 55 to 66 Rubles.
14 minutes after the first trade request the hacker gave Corkow a command to delete itself from
the system along with the majority of traces of its activity.
The Corkow Trojan includes modules which are listed in the table below. The names of the modules
and their versions were received through analysis of DRAM archives in the infected system.
Module Version Description
MON 1.9.0 Collects information about the computer, accounts, OS and monitors processes
KLG 1.3.1 Keylogger
HVNC 2.0 Provides remote access to the computer
FG 2.0 Tracks websites visited by the user and collects authorisation data.
IB2 1.3.1 Copies data from the «IBank2» application.
SBRF 1.3.8 Copies data from the «Wclnt.exe» application.
AMY 1.4 Provides remote access to the computer using the Ammy Admin remote access
program.
iFOBS 1.6 Copies data from the «iFOBSClient.exe» application.
QUIK 1.1 Copies data from the Quik trading system.
TRZQ 1.0 Copies data from the TRANSAQ trading system.
The re-development of the old QUIK module and development of the new TRANSAQ module show
the Corkow group’s continued interest in targeting trading systems.

Trojans targeting the US and Europe
As opposed to the Russian and CIS sector, in Europe and the USA, cyber-criminals are significantly
more interested in trading systems. This is confirmed by analysis of several malware control panels
and configuration files.
Dridex
In the Dridex control panel there are special sections which are responsible for the settings
of autofillers for banks and trading systems. At the moment of investigation into this Trojan, an
autofiller for the E*TRADE Financial Corporation was active.
Autofiller settings allow cyber-criminals to control the actions are carried out on a trading system,
the balance limits employed, how many currency operations are conducted and give the ability to set
price limits. The images of settings below demonstrate the possibilities available to hackers using this
malware on an infected system.
Image: Menu in the Dridex
control panel
Image: Autofiller setting for ETrade in the Dridex control panel

Other Trojans
We have found similar functions in settings files in other malware programs. In order not to outline all
the features of each malware program again in full, an overview of this data is provided in the table
below. As we are not informed about the status of trading systems in other countries, searches
in the settings files of other Trojans was conducted using the keyword “trade”, and then a verification
was performed to confirm if this function relates to a trading systems:
Trojan Target Settings file data
Dyre invest.etrade.com.au <litem>
invest.etrade.com.au/Home.aspx
invest.etrade.com.au/*
vtovrirlmzw44081.com
srv_name
</litem>
Dyre subastas.scotiainlatrade.com <litem>
subastas.scotiainlatrade.com/SubastasAppWeb/login.jsp
subastas.scotiainlatrade.com/*
ywmlelxxwokxeffiddd58481.com
srv_name
</litem>
KINS https://www.dab-bank.com if (document.getElementById(“pass”).value == ‘’) {
alert(‘Bitte Trader Password eingeben!’);
document.getElementById(“pass”).select();
return false;
}
Zeus https://*.etrade.com/ set_url https://*.etrade.com/*
data_before
<body*>
data_end
data_inject
data_end
data_after
</body>
data_end
ISFB https://wintrade-international.
com.au
<head><script type=”text/javascript” src=”/AdvAnalytics/
M4OXOqnxBB.js” id=”MainInjFile” host=”” link=”/AdvAnalytics/
M4OXOqnxBB/?botID=@ID@&BotNet=@GROUP@&”
https=”true”></script>
https://wintrade-international.com.au/esis/Login/*
<head>

ATM-reverses
During the reporting period we identified a new and relatively interesting type of fraud, which was
named ATM-reverse. In Russia Group-IB identified 5 incidents at several different banks. This activity
began in summer 2014 and finished in the first quarter of 2015. The sums which perpetrators attempted
to steal drew a significant amount of attention to this method:
Month Bank Withdraw attempts
Bank 1 20 000 000 Rubles
July 2014 Bank 2 40 000 000 Rubles
November 2014 Bank 4 100 000 000 Rubles
Total 1 120 000 000 Rubles
The actual losses were significantly lower than their potential and perpetrators successfully stole only
250 million Rubles. In the final attempt, the criminals attempted to obtain a much larger sum but only
managed to receive 22 million Rubles in cash.
The attacks worked using the following methodology:
1. In the preparation phase, the cyber-criminal group received valid debt cards (in the period
from May to June 2015) and connected them to online banking services and received other
pre-paid unnamed cards.
2. At a planned time and date the perpetrators went to ATMs and paid in cash onto the cards
in sums of: 5000, 10000 and 30000 Rubles. This money was immediately credited
to the cards’ accounts.
3. Immediately after placing cash into the accounts the money was withdrawn at the same
bank machines, so that the operation remained with the same bank (on-us). This is important
as interbank cash transfer operations are verified differently and do not use any VISA
information, and accordingly would render the fraud unviable.

4. The ATM then printed receipts listing the successful credit of these funds. The data from
these receipts (RNN reference and amount withdrawn) was then sent to a remote accomplice
managing the process.
5. This accomplice holds access to thousands of compromised POS terminals. Using
this access and data from the receipts he then creates a reversal operation cancelling
the withdrawal of funds. POS terminals outside of Russia, usually in the USA and Czech
Republic were used for this step. At the terminal this looks as though goods were returned
or the payment was declined.
6. Further cancellation operations come through using the VISA payment system to the bank
acquirer.
7. The bank acquirer checks the matching RNN and additional fields. As the operation was
conducted inside of the bank, more fields provided by VISA are not verified. As a result
the operation that provided the withdrawal of funds is successfully cancelled and the money
is reaccredited to the account but cash also remains in the hands of the criminals.
8. This process is then repeated until there is no money remaining in the ATMs, providing
for the losses described above.
This scheme was possible as previously there were insufficient checks on cancelled card operations.
For example, to cancel card operations it should be necessary to identify the initial operation and cross
check data more specifically with the cancellation. The following fields should be verified:
• Field37 – retrievalReferenceNumber.
• Field38 – AuthorizationIdentificationResponse.
• Field62.2 – TransactionIdentifier.
This is not a full list of fields that need to be verified, in order to safely cancel an operation
and reallocate the balance to the card. Still these should include fields containing information about
the point of usage of the card and bank acquirer:
• CardAcceptorCityName.
• CardAcceptorCity.
• AcquiringInstitutionCountryCode.

Additional field checks would allow banks to avoid situations where money is paid out in one country
but cancelled through a different operation conducted in a totally different country. At the end of 2014
after several incidents of fraud, VISA issued a hotfix which allowed reversals to be blocked while
withdrawing funds from an ATM of one bank and reaccrediting through a separate terminal. However,
criminals managed to adapt their scheme and continue their fraud.
The new version is similar to the methodology described above. But as withdrawal operations are now
tracked and blocked, fraudsters have to carry out a transfer from a card at one bank to a card registered
at separate bank using the following scheme:
1. The balances of the cards used in the frauds were topped up, but instead of being withdrawn,
the funds were transferred to the account of a card at another bank.
2. The funds received in this transfer were withdrawn from the ATM of the respective bank.
3. As the same time, using a POS terminal the perpetrators cancelled the transfer of money
between the cards.
4. As a result the balance was successfully restored as in the first case, and the process
repeated.
In conclusion, the fraudsters exploited weaknesses in the withdrawal, transfer and verification stages
of card operations. Fraud using both methods (one of which was designed to sidestep the hotfix)
took place on VISA and MASTERCARD terminals. Money mules were used worldwide to conduct this
operation with individuals flying in from London, Ukraine, Latvia and Lithuania.
Until these thefts took place, the fraudsters conducted a range of tests and probes on ATMs and related
platforms at banks and their processing systems. Testing took place in England, Bulgaria, Romania
and the Baltic States.
Several court cases were opened against the perpetrators following the thefts under article 158 part 4,
paragraph B of the Russian law code (theft on a large scale).
At the current time this exploit has been patched on processing systems and recommendations have
been developed and introduced for acquirer banks and issuers working with VISA and MASTERCARD.
The transaction authorisation algorithm now has a verification process for matches in operation IDs
at bank acquirers. This allows it to verify which terminal has sent a cancellation request and if this
matches with the terminal where the original operation was conducted.

Attacks on ATMS
This year we have seen two new threats emerge for ATMs: Blackbox and Trojans used to attack cash
machines. Below we have described each of these issues:
Blackbox
In 2015 several devices were found in ATMs which allowed hackers to receive money from
the machine’s cash dispenser. Hackers called this device an ATM Pump, and it was designed
for NCR 58xx ATMs. During its creation, hackers learned a relatively large amount and implemented
the following functions for their new device:
• Wi-Fi capabilities.
• Start-up via remote access using a transmitter.
• Battery life within a bank machine for up to one month.
• Automatic launch and control over the ATM’s cash dispenser.
Inside the criminal group there were the following subdivisions of responsibilities:
1. Installers – these individuals found suitable ATMs and installed devices inside of the cash
machines.
2. Operators – individuals using remote access devices gave commands to their blackboxes
to issue cash through the dispenser.
3. Cash mules – individuals enlisted to collect cash from machines when Operators are issuing
commands to the ATM to dispense cash.
In order to install a blackbox, physical access to an ATM is required. After finding a suitable cash
machine, members of the criminal group break it open and connect their device to the body
of the machine with two ribbon cables.

Image: Device for installation onto an ATM
The legitimate initial ribbon cable inside the ATM is disconnected and in its place one of the cables
from the ATM Pump is connected. The legitimate initial ribbon cable which was removed is then
connected to the ATM Pump’s second ribbon cable. In this manner the ATM pump acts as an
intermediary, allowing fraudsters to manipulate the cash machine dispenser.
After successful installation, the ATM is closed and the device is activated using a transmitter.
Once the ATM has been filled with cash, the Operator gives a command to issue cash, which is then
collected by a money mule.
The loss of each these devices is very costly for a criminal group. The hardware required to build
each unit costs around $40 000 alone, despite its loss, income from using these devices easily covers
the criminal group’s investment in preparing, delivering, installing and losing them and then splitting
cash between participants in the fraud.

Trojans
At the end of 2014 in the Russian Federation a criminal group was detected looking for insiders at
banks to install their malware on to Diebold ATMs. The group planned to install Trojans onto ATMs
in major hotels in Moscow and St Petersburg. The targets of the criminal group were foreign tourists,
with the criminal group hoping that thefts from visitors to Russia would remain undetected for a long
period of time and their malware would remain uninvestigated.
As a result of investigations Group-IB discovered three files used in this incident on ATMs:
Filename MD5
E15C0740DF3B835B.exe E0131B4210D57A1F1A1C5916FAC9D9A6
SpiService.exe A27A7405882BFC961CD02B6A327F0793
SpiService.exe:740DF3B835B.exe A7441033925C390DDFC360B545750FF4
After launch, program «E15C0740DF3B835B.exe» modifies the file «C:Program FilesDiebold
AgilisXFSbinSpiService.exe» and creates a file «C:Program FilesDieboldAgilisXFSbinSpiService.
exe:netmgr.dll» sized 1 241 600 bytes, MD5: A7441033925C390DDFC360B545750FF4. The modification
includes changes to access points to the SpiService.exe» file so when «C:Program FilesDiebold
AgilisXFSbinSpiService.exe:740DF3B835B», is launched it then carries out the main functions
of the program.
The «SpiService.exe» program purports itself to be a file with a changed access point. Before starting
to operate it uploads «C:Program FilesDieboldAgilisXFSbinSpiService.exe:740DF3B835B»
to the library, which is a hidden NTFS flow.
The «SpiService.exe:740DF3B835B.exe» purports to be a program, allowing itself, with the assistance
of DbdDevAPI, to work with PINPAD and the Diebold ATM dispenser, which gives the perpetrator
the ability to issue commands to remove all cash from the ATM. Further functions of the program
are described below in more detail.

Sequence of events after program launch:
• The program introduces its code into the C:dieboldexemu.exe» process.
• Creates log files.
• Installs intercepts on machine functions and waits for a “master card” with specific
information loaded on it, to be entered into the ATM to activate a dialogue window (described
in the Main Functions section below).
This process causes the following changes to the system file. Information collected by the program
is stored in log files:
• C:WINDOWSTemp:attrib1 – file with transactions.
• C:WINDOWSTemp:attrib4 – file with keys.
• C:WINDOWSTemp:mk32.
• C:WINDOWSTemp:opt – service FAI-flag.
If the file system does not contain alternate routes, then the log files have the following locations:
• Tempattrib.
• Tempattrib4.
• Tempmk32.
Main Functions
• The «DbdDevExecute» function intercept analyses the second parameter of functions
and takes different actions depending on its value:
Value of second
parameter
Action
10007 Zeros fourth parameter.
10009 Saves 2 structural elements transmitted in the 4th
parameter in file: «C:WINDOWS
Temp:attrib1». Elements offset value 4 and 32.
10013 Saves structural elements, transmitted in the 4th
parameter to global variables. Element
offset 8. In future this variable is used to enter information onscreen as «MAC_ID».
10014 Saves structural elements transmitted in the 4th
parameter as global variables. Elements
with offsets 56, 24, 122.

• The «EppExchange» intercept function analyses the 5th parameter without changing it
and then saves it to a log file.
• It introduces its own code to the «C:dieboldexemu.exe» process.
• If log files for the program are not updated in a 48 hour period, the program turns off
the operating system.
• The information collected in the log files can be printed using the function:
DbdDevExecute(RECEIPT_PRINTER_EJECT), DbdDevExecute(RECEIPT_PRINTER_START_
GDI).
• Also, there are functions in the program to extract the following information from log files:
Transactions
Cards
Non Local
Master KEYs
MAC_ID
• Cards put into the ATM are analysed using the «DbdDevRegisterCallback» intercept
function. The information received is converted and compared with constants «228183B5h»
and «1F876B63h».
• If a bank card with specific information is put into the ATM a dialogue box opens with the title
«6.29 KOREAN» and the text «Enter command:».
• Before carrying out any commands the program saves files named «C:Program Files
DieboldAMIAMITRACEAMITrace.txt» and «C:windowsEpsStmApi.log» as temporary
files. After carrying out program functions, these are overwritten by the original files
and the temporary files are deleted. It appears that, in this manner, information about
commands carried out in the system are removed from the operation log files of the device.
• The malware then analyses the commands entered on the ATM keypad, which can be carried
out using the command codes outlined below:

Command
Number
Command description
1 The program deletes its log files and ceases activity
2 The program displays a window named «ATMDialog» with information about data received
from log files in the format:
Transactions
Cards Loc= srv5= Exp= ok
Track3 ok
InstrumentID
4 Restarts the OS
5 Loads and launches program file
7 The program generates a number sequence of six digits and on the basis of this a second
sequence. It then opens a window named «Autorization», with text «Request Code: <first
number sequence>», «Enter Responce» and then awaits input from the keypad. The data
entered is then compared with the second sequence. If it matches a second window opens
with the title
«Enter Command» and text «1..4 - dispense cassete 9 – Uninstall 0 - Exit». After which it again
awaits input from the keypad.
8 Displays information from service windows of the ATM OS.
9 Writes log files onto the card and resets
20 Can launch an information window with data on program versions, received from the key
register «version» from the following nodes:
«SOFTWAREDieboldAMI for Opteva»
«SOFTWAREDieboldAgilis Module Interface for Opteva» «SOFTWAREDieboldAgilis XFS
for Opteva»
21 Displays information on program settings in the format:
Grab mode
Deco mode
Key mode
Use locals
Auto delete
ReturnOnCode
34 Analyses the following files:
«c:Program FilesDieboldAbcmessage.trc»
«c:Dieboldcssmessage.trc».
Files are analysed for presence of transactions and communications keys (COM keys),
transactions are logged in the «WindowsTemp:attrib1» file, communications keys are logged
in the «WindowsTemp:attrib4» file.
50-59 Installs intercepts on the following functions «send», «WSASend» from library «ws2_32.
dll», and creates a mutex named «mode6main». These intercepts analyse the data collected
and verify if they are no larger than two bytes and if the first 2 bytes are equal to 3131h, it then
modifies them and saves them to a log file.

Modified Tyupkin malware
In March 2015 Group IB discovered sales of the modified Tyupkin Trojan. This Trojan allows cyber-
criminals to pay out all cash stored in an ATM. The programmer of this modification was looking
for partners to upload this Trojan to ATMs worldwide. The sale was offered on the following conditions:
the buyer places $5000 in a guarantee service on a closed hacking forum and receives the Trojan file
and Track2 which he must write onto any plastic card. This card acts as a key to activate the Trojan.
After this, the buyer must upload the Trojan to the USB port of the ATM. The perpetrator is then advised
to wait until the cash machine is restocked with cash and then take out all of the funds. After this,
he is required to transfer 40% of the total to the programmer of the Trojan. In this manner, the threat
of theft using this type of malware continues.
Unfortunately, it was not possible reach an agreement with the programmer of this Trojan to provide
the malware for free, therefore, more detailed analysis is unavailable.
Image: Sales of the modified Tyupkin Trojan

Card shops
Last year Group-IB researched carding and performed detailed analysis on copies of the servers
of sites engaged in the sale of text data on bank cards (including their card number, expiry dates,
owners’ name and address as well as CVV) and dumps (magnetic strip data).
Not all card data that was offered for sale on these sites was being bought. Some data was not
in demand and unusable as the validity of cards has expired and thus held no value.
Thanks to the fact that admins of these sites keep detailed records of how many cards are uploaded
to their shops by each provider and how many of them are sold, Group-IB was able to estimate
the average number of cards sold out of those uploaded. On average 33.56% of cards uploaded
to a shop by sellers are sold successfully. The smaller the release of data, the higher the percent
of sales. See data below from our analysis of swiped1.su, a site which sells card dumps:
Seller name Total uploaded cards Total cards sold Ratio of uploads to sales
Black 402 150 70 478 17,53%
Bish 128 823 27 276 21,17%
Rox 110 183 22 156 20,11%
Big-big 55 098 19 172 34,80%
Bigbi1 65 872 13 571 20,60%
Nobody 30 905 11 988 38,79%
First 29 324 11 063 37,73%
Track1 14 652 8 554 58,38%
Eures 15 832 8 375 52,90%
Net Average 33,56%
This year we conducted research of several shops engaged in the sale of text data and card dumps
which are related to the activities of “Russian hackers”.
The market price of a card dump is on average ten times more than the cost of text information
about a card as it provides more possibilities to conduct fraud. Therefore, we divided shops into two
categories - those that sell text information and those that sell dumps. Some shops have skins /
mirrors, therefore, these have not been included in our analysis.

For each type of shop we estimated how many cards were uploaded during the reporting period. For
some shops Group-IB was unable to receive data on the dates of card uploads, therefore, we cannot
confirm if these coincide with the reporting period and have not included them in our estimates.
Card dumps were only on sale in four shops, where 155 749 dumps were uploaded, but in three
other shops, card text information was available on 2 502 137 cards. Considering that the average
purchase rate is only 33.56% of total uploaded cards, and knowing that the average cost of text data
is $2 and the average cost of card dumps is $20, Group IB estimated the turnover of each shop below.
The total turnover of all shops was $2 724 822.
Shop website Mirrors Type of shop Total cards
Card upload
period
Shop
turnover
https://rescator.cm/ Rescator.so
Rescator.cc
Octavian.so
Octavian.cm
Card dumps 79 357 07.2014-06.2015 $532 644
https://swipebz.org/ Card dumps 28 715 11.2014-06.2015 $192 735
http://zeon.io Card dumps 18 761 02.2015-06.2015 $125 924
www.validcc.su Card dumps 28 916 09.2014-06.2015 $194 084
http://tormarket.cc/ ccguru.su
cardmarket.cc
dvshop.su
getcvvs.ru
Card Text data 207 311 07.2014-06.2015 $139 147
https://cvv.me Card Text data 206 9740 07.2014-06.2015 $1 389 209
http://centralshop.cn/ mr-anderson.cn
qhd6aon2fyjjan4e.
onion
Card Text data 225 086 11.2014-06.2015 $151 078
Net turnover: $2 724 822

Attacks on POS terminals
This sector continues to develop at a very fast rate. At the current time threats can be divided into two
categories: fake POS terminals and Trojans for POS terminals, along with related services.
Fake POS terminals
Perpetrators are searching for insiders working in retail who are willing to work for a percent of profits.
See below for an example:
Image: Post requesting insiders working in retail to partner for operations using fake POS terminals
Analysis of hacking forums showed that cyber-criminals have built up an entire business segment
on the sale of POS terminal firmware which turns these devices into skimmers. Some cyber-criminals
are selling “jailbroken” POS terminals, others are selling just firmware and hackers in another sector
of the market offer to jailbreak terminals for a fee or for a percent of dumps collected.
The example below is an announcement for the sale of firmware for the Verifone VX 670 POS terminal.
The author of the post is offering a jailbreak kit which includes:
• Firmware for Verifone VX 670.
• Required software.
• Instructions.

This firmware allows the user to collect the victim’s bank card data. The perpetrator can then receive
the following information:
• Track 1.
• Тrack 2.
• Magnetic strip dump and card PIN.
There are two methods to transfer compromised card data to cyber-criminals:
• Relay though SMS messages.
• Direct upload to a personal computer.
Initially the price for this kit was $350, but on 12.01.2015 this price was lowered to $80. Also, the author
of the post offers cables for jailbreaking for $50.
Image: Post advertising the sale of firmware for the Verifone VX 670 POS terminals
Aside from firmware, terminals that are already compromised are on offer for very accessible prices.
For example, an infected Verifone VX 670 terminal costs 15 000 Rubles , аnd Verifone VX 510 – 20 000
Rubles.

Trojans for POS terminals
Cyber-criminals are attempting to automate the infection process for POS terminals in order to infect
a larger amount of devices. On one deep web hacking forum, Group-IB recorded the sale of scripts
for automation of Metasploit with the aim of searching for vulnerabilities in POS terminals and then
infecting them with JackPos malware. The seller of this tool states that it allows the user to infect 10 –
20 POS terminals out of each million scanned IP addresses. Instead of JackPos, any other Trojan can
be used as of the first half of 2015.
To start, the user only requires:
• Metasploit Framework.
• Zmap open port scanner.
• A working version of any of the major POS terminal Trojans.
Memory Scraper
In January 2015 the Memory Scraper Trojan was released for sale. This allows cyber-criminals
to compromise card data processed on infected POS terminals (track 1 and track 2). The Trojan infects
electronic cashier systems running on the Windows platform only. Additionally, the Trojan also has
a range of other functions:
• Increased stability – it writes its own (VFS) system file and changes the partition table
in the main boot record (MBR) – this allows the Trojan to run on a systems level while
on the infected device.
• A key logger function which allows all keystrokes to be mapped on the computer and allows
the user to apply special filters on specific URLs.
• A Memory / RAM Scraping function that allows the user to scan the systems memory for any
data similar in structure to Track 1 and Track 2.
• Uses injection techniques similar to CodeCave to launch other malware which allows the CPU
to not be overloaded during memory scans.
• It installs and launches registry keys inside of ActiveStartup (Ring 3 rootkits used
to guarantee the register key will be hidden during examination).
This malware also uses a 0day exploit in order to bypass system user control and receive administrator
privileges. The price of Memory Scraper is around $2000.

PoSeidon
In March, Cisco published a report on another POS terminal Trojan – PoSeidon. This Trojan, like many
of its predecessors, receives card data from RAM and also has an inbuilt keylogger function.
We conducted a sinkhole of the PoSeidon botnet and discovered that it has compromised over 2800
bank cards, 99% of these were issued by US banks.
PwnPOS
At the start of March, staff at Trend Micro discovered another POS Trojan called PwnPOS. They were
able to confirm that this type of Trojan has existed since 2013. PwnPOS registers all active systems
processes and searches for card data, saving it in a separate file which is then archived and encrypted.
This file is then send as an email to a predefined email address.
Punkey
In April a new set of POS terminal malware programs was detected. These work using the same
principles as Memory Scraper. The Trojan spreads using remote access programs, after the victim
visits attack sites, or via spam. At the current time Punkey is not widely used, however, in the USA over
100 POS terminals have been reportedly infected by this malware.
NitlovePOS
In May the NitlovePOS Trojan was discovered, which scans active processes on an infected device
and intercepts track 1 and track 2 data along with card dumps. It then sends this data to a control SSL
server. This Trojan appears to be spread via spam, using attached word files which contain malicious
macros.
MalumPoS
In June information appeared on the MalumPos Trojan which works on similar principals to memory
scraper, attacking the hotel and retail industry in the USA. The Trojan operates on weaknesses
and exploits in POS systems running on Oracle Micros.
At the current time Oracle Micros is broadly used in the USA and is partly in use in other countries
in the retail, food and hotel industries. MalumPos disguises itself in infected systems as an NVIDIA
driver, which allows it to remain undetected.

Aside from Oracle Micros, the target systems of MalumPoS are Oracle Forms, Shift4 and platforms
which give access to internet explorer. The Trojan uses regular expressions to analyze data and check
for credit card information. It targets card data for Visa, MasterCard, American Express, Discover
and Diners Club cards.
Aside from these new Trojans, older and widely studied malware for POS terminals is still in use. Many
of these are now popular and widely available, for example, Alina, Dexter and JackPos.

ARRESTS DURING 2014
Q2 –2015 Q1
Phisheye group
On 2nd
June 2015 in Moscow, the FSB Centre for IT security, Moscow Ministry of Internal Affairs Anti-
Corruption and Economic Security department and Investigative Bureau took part in an operation
alongside Group-IB and Sberbank security staff to arrest members of the PhishEye cyber-crime group.
This criminal group had been accessing the accounts of bank clients using malware and social
engineering, posing as bank staff to deceive victims into providing SMS authorization codes, which
were then used for the theft of funds.
During the course of the investigation into this case, the organisers of the criminal group were identified
as two twin brothers living in St Petersburg. At the time of the enquiry these individuals were under
conditional sentences and probation for similar crimes (article 272 of the Russian Law Code – illegal
access to computer information, article 273 of the Russian Law Code – creation and use of malware
programs and article 159.6 of the Russian Law
Code – fraud using computer information).
The pair returned to their activity at
the end of 2011 but Group IB was only able
to identify them towards the middle of 2012.
From that time, using the Bot-Trek Cyber
Intelligence system, law enforcement officials,
with support from Group-IB, carried out
constant investigations to collect evidence
for a criminal case. The brothers continued
to engage in cyber-criminal activity while
their earlier criminal case was moving through
the Russian court system. Group-IB staff
and law enforcement agents were already
aware during the initial judicial proceedings
that the pair were continuing to steal money
from bank accounts, but providing evidence
at that moment in time was not possible. It
took three years to collect sufficient evidence
for convictions.
Image: Picture from the search of the perpetrators’ flat

On 20th
May 2015, a mass arrest took place on the organisers of this criminal group and their
accomplices. During the raid on the twin brothers’ flat it became clear that they were well prepared
for activity from law enforcement agencies: their apartment had an armored door, an electro-magnetic
radiator to destroy computer equipment and they had even prepared coded SMS messages which
were designed to indicate to any member of the criminal group that it was necessary to destroy
evidence of their crimes. In their panic at the beginning of the raid, the criminals attempted to destroy
all evidence and even flush their cash down the toilet along with USB keys and telephones. However,
despite this, the raid and arrests were still able to collect all required evidence and computers, which
were taken to the Group-IB crime lab for further analysis and expert appraisal.

Android-trojan programmer & co-owner of the reich botnet
In March 2015, members of Agency K of the Ministry of Internal Affairs of Russia and departments
from the Ministry of Internal Affairs in Sverdlovsk and Chelyabinsk regions along with Group-IB staff
neutralized the activity of a cyber-criminal group that was carrying out thefts from client accounts at
one of Russia’s largest banks.
Due to the work carried out by field agents, the Sberbank security team and Group-IB staff, it was
possible to locate the creator of the Svpeng Android Trojan, a 25 year old inhabitant of Chelyabinsk
region. Aside from this individual, four other people were involved in his criminal group. The hackers
called their program the 5th Reich, but in its control panel they used a Nazi symbol, shown below, due
to this the criminal group was codenamed – the Fascists.
Image: Control panel of the Reich Android Trojan (Svpeng)

Image: Control panel of the Reich Android Trojan (Svpeng)
These arrests were the second incident where cyber-criminals and developers of malware were
arrested for thefts from bank accounts using Android-Trojans.
At the current time the participants in this criminal group are in prison and have issued confessions.
They stand accused of breaking article 158 of the Russian Law Code (theft) and Article 273
of the Russian Law Code (creation, use and distribution of malicious computer programs).
One of the criminals involved in this group who controlled infected Android devices is currently
in hiding in Ukraine.
The first reports about the malware program used by this criminal group appeared in July 2013. It
was immediately clear that this Trojan was created to steal from bank accounts. Over time the Trojan
evolved and new functions were added which allowed users to steal more effectively. One of the first
methods to commit fraud using this program was through SMS banking (using a cash transfer
procedure employing a specially formatted SMS sent to the bank’s telephone number). Using this
approach, it was not necessary to know user logins or passwords. Confirmation of transfers took place
by sending an SMS code to a special bank number and as the criminals had the ability to manipulate
this SMS they were able to steal using transfers.

Later this group of cyber-criminals started to collect bank card information using phishing pages
online. The malware, after being installed on the victim’s mobile phone, checks to see if Google Play
is running. If the device launches this program, then the Trojan shows an additional window “above”
Google Play with the option of entering bank card information as shown in the pictures below:
Image: screenshots of the windows opened by the Trojan
After the user has entered their card information, this data is transferred to the cyber-criminals’ server
where scripts check to see if the card details have been entered correctly. If the data is accurate then
the user receives a notification using Jabber protocol in real time.
Later the hackers developed their own phishing pages for several Russian and Ukrainian banks, using
these pages they did not receive card data but logins and passwords for internet banking. When a user
launched their banking application, the Trojan changed the original window to a phishing resource,
and when the user entered data into the fields provided it was then sent to the cyber-criminals’ server.
Using logins, passwords and having access to the victim’s SMS inbox, and accordingly SMS codes sent
by banks, the perpetrator was then able to successfully make bank transfers.
This malware was spread by SMS, in messages there were links for download of malware that looked
like Adobe Flash Player, during installation this malware first requested and then received administrator
rights.

Wap-look (Android-trojan)
On 9th
September 2014 two inhabitants of Arkhangelsk were arrested, born in 1989 and 1990
respectively. A criminal case was opened against them for breaking part 2 of article 158 of the Russian
Law Code (theft). The cyber-criminals rented a flat to conduct their illegal activity, where they came
to work together. Due to the successful actions by the Ministry of Internal Affairs, the pair were arrested
concurrently during a meeting at this address. One of the criminals has been sentenced to two months
prison and the other has had travel restrictions imposed.
In October 2013, Sberbank Russia began to register a serious increase of the load on their SMS banking
infrastructure. This strain was caused by a large increase in the number of legitimate requests from
individuals’ mobile banking, but also by attempts by cyber-criminals to steal cash from their accounts.
Investigations revealed that tablets and smartphones on the Android operating system were infected
by malware, identified by antivirus programs as «Trojan-Banker.AndroidOS.Basser». This malware
program, after successful installation, sent SMS messages to the 900 Sberbank number with the text
BALANS. The malware then forwarded the reply, containing bank balance data, to the criminals’
server. If the balance was not zero, the program then hid all notifications from the bank on the infected
telephone and engaged in attempts to send money from the bank accounts linked with the infected
device to mobile phones and bank accounts under control of the perpetrators for sums of 1000 Rubles
or 4000 Rubles respectively.
Image: Authentication window in the control panel
used by the Wap-look group

Image: Control panel used by the Wap-look group
At the very beginning of their malware program operations, the Wap-look cyber-criminals used spam
messages sent via SMS-gateways belonging to the JSC SMARTS company to infect devices. These
malicious texts were sent from “RomanticVK” or “VK_Gift” with the following text:
“One Romantic gift for you! See it at: http://vk.cc/1USKZa».” After opening this link the mobile device
downloaded the malware.
However, after the first successful results from the first wave of thefts, the cyber-criminals took a short
pause to rewrite their malware and control panel and in 2014 continued illegal activity which has been
successfully documented by staff from the Ministry of Internal Affairs.

Image: Control panel used by the Wap-look group
The organiser of this criminal group started their activity in 2010 as a developer of malware
and appeared online using the pseudonyms «ItBill» and «tripfon». Also, in 2010 this individual had
a web scraping tool for mobile payments. The skills developed on this mobile platform project allowed
the perpetrator to create a large mobile device botnet relatively quickly.

ABOUT GROUP-IB
Group-IB is one of the leading international companies specializing in preventing and investigating
high- tech cyber crimes and fraud. The company offers a range of services on preventing financial
and reputational damages, consulting and auditing of information security systems, and on computer
forensics. The company also develops a number of innovative software products Bot-Trek used
to monitor, detect and prevent emerging cyber threats.
The Group-IB team is made up of experts with unique skills and solid practical experience. They
are internationally certified by CISSP, CISA, CISM, CEH, CWSP, GCFA, and also have information security
state certificates. In 2013, computer security incident response team CERT-GIB operated by Group-IB
became a member of FIRST - Forum of Incident Response and Security Teams.
Group-IB has the largest forensic laboratory in Eastern Europe that is involved in 80% of all high-profile
investigation cases in the field of high-tech crime.
www.group-ib.com

+7 (495) 984-33-64
www.group-ib.com
info@group-ib.com
facebook.com/groupib
youtube.com/groupib
twitter.com/groupib
linkedin/company/group-ib

Hi-Tech Crime Trends 2015

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Hi-Tech Crime Trends 2015

Similar to Hi-Tech Crime Trends 2015 (20)

Recently uploaded

Recently uploaded (20)

Hi-Tech Crime Trends 2015