Mass attack by “Soldier” ensnares major US corporations in its net, steals $3.2 million in 6 months and leaves organizations and individuals exposed to future attack; victims in 90+ other countries hit by the shrapnel.
Trend Micro Incorporated, the number one market leader in server and virtualization security and the first to introduce agent-less anti-malware for virtual environments (including intrusion prevention and web application protection), has made public its investigation of a cybercriminal, a Russian national in his 20s who has been targeting users in the US and Asia. The attacker goes by the name ‘Soldier’ in the criminal underground. He has steadily grown his network of infected users and is also known to buy traffic from other cybercriminals. Besides using malware to steal money from compromised accounts, he also harvested users’ security credentials.
During the investigation, Trend Micro discovered that the cybercriminal uses various criminal toolkits, including SpyEye and ZeuS, as well as exploit kits fed by blackhat SEO campaigns to distribute his SpyEye/ZeuS binaries.
Trend Micro Senior Threat Researcher Loucif Kharouni, who has been part of the team investigating Soldier said, “Using the SpyEye criminal toolkit, money mules and an accomplice believed to reside in Hollywood, USA, Soldier stole over $3.2 million US dollars in 6 months starting January 2011, which equates to approximately $533 thousand dollars per month, or $17 thousand dollars a day! He has really hit the jackpot.”
“Cybercriminals have been attacking and taking advantage of users to steal personal data, and Trend Micro Threat Researchers are constantly looking for, identifying and researching their activities in order to protect our customers from such attacks,” added Kharouni.
Noteworthy Compromises
Using the victim IP addresses recorded by the SpyEye command-and-control server, Trend Micro determined the network to which each address was assigned. A wide variety of large organizations and US multinationals across many sectors were represented, along with a handful of victims in 90 other countries.
Trend Micro does not believe these large organizations and US multinationals were the intended targets; rather, they were affected after individual end users were compromised. Control over bots (infected victim systems) is routinely sold to other criminals who carry out further data-stealing activities, leaving these networks open to additional compromise and possible fraud.
The victim IP addresses that were identified in the attack campaign included those belonging to the following types of organizations:
- US Government (Local, State, Federal)
- US Military
- Educational & Research Institutions
- Banks
- Airports
- Other Companies (Automobile, Media, Technology)
C&C Infrastructure
The cybercriminal’s botnet compromised approximately 25,394 systems between April 19, 2011 and June 29, 2011. While nearly all of the victims were located in the US, a handful were spread across another 90 countries.
SpyEye is built specifically for Windows, and Windows XP led the way, accounting for 57% of the compromised computers. Despite its security improvements, Windows 7 still accounted for nearly 4,500 compromised machines.
Stolen Data
While SpyEye is known as a banking Trojan, it is capable of stealing all forms of credentials. Trend Micro processed the stolen data for well-known services and found that many credentials, especially for Facebook, had been taken.
The SpyEye variant used in this operation is detected as TSPY_SPYEYE.EXEI. Trend Micro has also blocked access to the related remote sites through its Web Reputation Service.
Such information gives Trend Micro a clearer view of what goes on inside a botnet as prominent as those built with SpyEye: how cybercriminals do business, whom they target, and what information they seek. The goal is to learn how to dismantle these operations and stop them from stealing users’ hard-earned money.
Kharouni further says, “Compromise on such a mass scale is not that unusual for criminals using toolkits like SpyEye, but the amounts stolen and the number of large organizations potentially impacted is cause for serious concern.”