SlideShare uma empresa Scribd logo

Sopelka VS Eurograbber - Really 36 million EUR?

J
Jose Miguel Esparza

Sopelka botnet started life in May 2012 and was taken down by end of September of past year. This botnet was especial because it was an odd mixture of variants of the known banking trojans Tatanga, Feodo and Citadel, sending data to the same panel. Its main objective was the collection of banking credentials from European entities, mostly banks from Spain and Germany, but also The Netherlands and Italy. In addition, it made use of different mobile components for Android, BlackBerry and Symbian phones to bypass two factor authentication. In December 2012 a "new" banking malware report was published, claiming that this trojan had stolen more than 36 million EUR from different European banks. This report and, above all, the stolen amounts were quickly published everywhere, but, in fact, this incident had a lot in common with Sopelka botnet and some details needed to be explained...really 36 million EUR?

TecnologiaNegócios
1 de 78
Sopelka VS Eurograbber Really 36 million EUR?? Jose Miguel Esparza Mikel Gastesi @EternalTodo @mgastesi
Who are these geeks? • Mikel Gastesi – S21sec Advanced Cybersecurity Services • Jose Miguel Esparza – ex-S21 – Fox-IT Cybercrime
Agenda • Introduction • Sopelka Botnet • Eurograbber • Conclusions
Introduction • Yet another botnet • With some curiosities – 3 malware families and the same banking panel – High level of infections – Using third party services
Introduction • Yet another botnet • With some curiosities – 3 malware families and the same banking panel – High level of infections – Using third party services • Yet another botnet, really?
Introduction • Yet another botnet • With some curiosities – 3 malware families and the same banking panel – High level of infections – Using third party services • Yet another botnet, really? – Eurograbber – 36 million EUR??!!
3 botnets and 1 panel? WTF??? Trojan C&C Config URLs, etc Injects
3 botnets and 1 panel? WTF??? Trojan C&C 2nd C&C Config URLs, etc Injects
Example 1 – N
Example 1 – N
Sopelka Botnet - Campaigns Campaign Date Trojan Path Countries Sopelka1 01/05 30/05 Citadel 1.3.4.0 /sopelka1/file.php|file=citsp1.exe /sopelka1/file.php|file=sopelka1_config.bin ES,DE, NL Sopelka2 01/05 30/05 Citadel 1.3.4.0 /sopelka2/file.php|file=citsp2.exe /sopelka2/file.php|file=sopelka2_config.bin ES Tatanga 15/06 15/07 Tatanga /sec/g.php IT, ES, DE, NL Feodo 15/06 15/07 Feodo /zb/v_01_a/in/cp.php ES,NL, DE, IT Sopelka3 15/08 24/09 Citadel 1.3.4.5 /sopelka3/file.php|file=citsp3.exe /sopelka3/file.php|file=sopelka3_config.bin ES, DE
Sopelka Botnet – Infection (I) • Exploit Kit: BlackHole
Sopelka Botnet – Infection (II) • SPAM
Sopelka Botnet - Injects • Minimal HTML code in the config file – External Javascript files – One file per affected entity – Downloading via PHP file • https://domain.com/dir/get.php/campaignDir/?name =inject.js – Same technique used in the 3 malware families – Tatanga URL (Injects server?) • x.php?cmdid=8&gettype=js&id=inyeccion.js&uid=0000
Sopelka Botnet - Injects • Citadel • Tatanga
Sopelka Botnet - Injects • Tatanga strings in a Citadel config
Sopelka Botnet - Injects • 2FA
Sopelka Botnet - MyCoolSMS • Using API to send SMS to the victims • “Executive” accounts • Three known users: smshumor/danieliv/hgm
Sopelka Botnet – smshumor • Used in Sopelka1/2 campaigns (May) – From March to July – Some tests performed in March and April – FonYou virtual numbers for testing (Spain) – URIs with links to .jad (5.1%) and .apk (94.9%) – “BancoMovil” (99%) as sender • Also “SecureInfo” and “MobilBank” – 2407 SMS sent • 240 €
Sopelka Botnet – danieliv • Feodo / Tatanga campaigns – July and August – Just .apk (76%) and .jad (24%) again – Sent to Germany / Italy / Netherlands mostly – 574 SMS • 99.8€
Sopelka Botnet - hgm • Active since end of July – Heavily used during Sopelka3 campaign (Sept) – SMS sent to Spanish and German phones – Also links to .sis (10%) – “TOCCO” as sender – Internal communication – 1162 SMS • 188€
Sopelka Botnet – Mobile apps • Mobile components known since 2010 – Android • 19th of July 2012 – BlackBerry • 20th of August 2012 – Symbian • 9th and 20th of August 2012 • Same admin phone numbers – Swedish virtual numbers • +46769436094 • +46769436073
Sopelka Botnet – Mobile apps • Symbian certificates  mail (test)
Sopelka Botnet – Mobile apps • Symbian certificates  mail (campaign)
Sopelka Botnet – Banking panel • Russian + English
Sopelka Botnet – Banking panel • Commands (injects)
Sopelka Botnet – Banking panel • Commands (injects) – Server side  Not all implemented • getinfo: gets info from the server, even transfers • newdate: new transfer • has: checks if that info exists in the database • getvalue: obtain some stored data like codes card • log: just logging
Sopelka Botnet – Banking panel • Stolen data – At least 9,000 banking users – Configs • 60% affects to Spanish entities • 15% affects to German entities • 15% affects to Italian entities • The rest to Netherlands and Money Transfers – Injects against more than 30 companies • Found data of 5 Spanish and 2 German – The campaignDir directory separates campaigns
Sopelka Botnet – Banking panel CampaignDir First use date Last use date Total use /decit/ 2012-07-24 2012-09-19 30% /replace_hgsdonf/ 2012-05-04 2012-09-20 27% /fixan/ 2012-05-21 2012-09-06 19% /foxes/ 2012-05-21 2012-07-07 14% /fixit/ 2012-06-26 2012-08-15 5% /denew/ 2012-07-24 2012-09-17 4% /replace_zeus/ 2012-05-05 2012-09-18 0.7% /mex/ 2012-09-04 2012-09-20 0.2% /mes/ 2012-09-04 2012-09-19 0.1% /nor/ - - 0% /gni/ - - 0% • One database per campaign
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers – At least 30 domains • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers – Complexity level++ – At least 2 domains / 4 hosts (Citadel) • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers – At least 8 domains (proxies) • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers – At least 1 domain • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS – At least 2 domains • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers – At least 13 domains
Sopelka Botnet - Infrastructure • Citadel domains stats (autumn.kz, wet.kz, advia.kz) – IPs geolocation (05/09/2012) 59% 38% 2% 1% DE ES CH PT IT HK US NL UK AT JP DK IL EG
Sopelka Botnet - Infrastructure • Citadel domains stats – Unique IPs connecting to advia.kz (05/09/2012) 0 500 1000 1500 2000 2500 3000 3500 4000 4500 5000 DE ES CH PT IT
Sopelka Botnet - Infrastructure • Citadel domains stats – Total unique IPs (01/09/2012 - 07/09/2012) 0 2000 4000 6000 8000 10000 12000 14000 DE ES CH PT IT
Sopelka Botnet - Infrastructure • Feodo – More than 30,000 infections • Italy!! • Tatanga – 3,000 infections aprox. • Germany • Spain
Sopelka Botnet - Infrastructure • Binary updates (Citadel)
Sopelka Botnet - Infrastructure • Binary updates (Citadel)
Sopelka Botnet - Infrastructure • Binary updates (Citadel) – Robocrypt – Styx
Sopelka Botnet - Infrastructure • Internal communication / tests – Mobile phone numbers • Virtual numbers – Spain  FonYou – Sweden  MyCoolSMS – United Kingdom  MyCoolSMS • Russian prepaid SIMs (Beeline) – MyCoolSMS – SMS2Email – TextMarketer
Sopelka Botnet - Infrastructure • Internal communication / tests – Mobile phone numbers • Virtual numbers – Spain  FonYou – Sweden  MyCoolSMS – United Kingdom  MyCoolSMS • Russian prepaid SIMs (Beeline) – MyCoolSMS – SMS2Email – TextMarketer
Sopelka Botnet - Infrastructure • Internal communication / tests – Messages in English – Some proofs pointing to Manchester • Using same virtual number (hgm) • Using SMS2Email account with Manchester IP • Account data – But payments with Russian virtual credit cards…
Sopelka Botnet - Summary • Citadel / Tatanga / Feodo • Since April to end of September 2012 • Injects + Mobile component (apk, jad, sis) – No automatic transfers • 4 European countries affected • High infection level • Russian / English banking panel • Different nationalities group (?)
Eurograbber
Eurograbber
Eurograbber
Eurograbber
Eurograbber
Eurograbber
Eurograbber
Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions
Eurograbber • Different malware families – ZeuS – SpyEye – Carberp • New ZitMo attack • European banks • 200€ - 250.000€ transactions
Eurograbber • Different malware families • New ZitMo attack – Android – BlackBerry • European banks • 200€ - 250.000€ transactions “…new and very successful variation of the ZITMO Trojan“
Eurograbber • Different malware families • New ZitMo attack • European banks – Italy (16) – Spain (7) – Germany (6) – Netherlands (3) • 200€ - 250.000€ transactions
Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions
Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions • 36 million EUR!!
Eurograbber • It smells like Sopelka…
Eurograbber • It smells like Sopelka…
Eurograbber • Different malware families – ZeuS Citadel – SpyEye Tatanga / Hermes – Feodo / Bugat / Cridex – Carberp? • New ZitMo attack • European banks • 200€ - 250.000€ transactions
Eurograbber • Different malware families • New ZitMo attack Same ZitMo in 2010 – Android – BlackBerry – Symbian “…new and very successful variation of the ZITMO Trojan“ “…Mobile version of Eurograbber Trojan”
Eurograbber • New ZitMo attack Same ZitMo in 2010 “…new and very successful variation of the ZITMO Trojan“
Eurograbber • Different malware families • New ZitMo attack • European banks – Italy (16) (14) – Spain (7) (16) – Germany (6) (3) – Netherlands (3) (1) • 200€ - 250.000€ transactions
Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions
Eurograbber • 200€ - 250.000€ transactions
Eurograbber • 36 million EUR WTF??!!
Eurograbber • 36 million EUR WTF??!! 2012-07-24 03:50:58 xxxxx_4179183 21.038,54 € 2012-07-23 22:43:56 xxxxx_1370498 14.984,62 € 2012-07-23 14:04:36 xxxxx_2812717 10.112,18 € 2012-07-23 13:45:45 xxxxx_1068462 31.339,07 € 2012-07-22 08:37:09 xxxxx_2887226 85.602,18 € 2012-07-22 08:23:44 xxxxx_2629431 223.036,12 € 2012-07-22 02:31:02 xxxxx_1029564 38.506,79 €
Eurograbber • “Once the Eurograbber Trojans are installed on the bank customer’s computer and mobile phone, the malware lays dormant until the next time the customer accesses their bank account. ” • “Immediately upon a bank customer’s login, the cybercriminal initiates Eurograbber’s computer Trojan to start its own transaction to transfer a predefined percentage of money out of the customer’s bank account to a “mule” account owned by the attackers.”
Eurograbber • “…the Eurograbber mobile Trojan intercepts the SMS containing the TAN, hides it from the customer and forwards it to one of many relay phone numbers setup by the attackers. The SMS is then forwarded from the relay phone number to the drop zone where it is stored in the command and control database along with other user information”
Conclusions • Sopelka is an interesting botnet – 3 malware families and only one banking panel – High infection level – Mobile components – Internal communication • Eurograbber is just marketing – With some technical details – Sales/Marketing >>>> Solutions/Collaboration • Critical and analytical mind against hypes
Agradecimientos • S21sec e-crime • Fox-IT Cybercrime • Shadowserver & Abuse.ch • ING Direct Spain (Alex!) • …
Questions?
Thanks!! Mikel Gastesi @mgastesi Jose Miguel Esparza @EternalTodo

Recomendados

Travelling to the far side of Andromeda
Travelling to the far side of AndromedaTravelling to the far side of Andromeda
Travelling to the far side of AndromedaJose Miguel Esparza
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
DWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, Matooma
DWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, MatoomaDWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, Matooma
DWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, MatoomaIDATE DigiWorld
 
04 tendencias de la union europea sector ito
04 tendencias de la union europea sector ito04 tendencias de la union europea sector ito
04 tendencias de la union europea sector itoProColombia
 
Web 2.0 & cyworld
Web 2.0 & cyworldWeb 2.0 & cyworld
Web 2.0 & cyworldisanox98
 
IoT overview for IMTC Forum 20th anniversary
IoT overview for IMTC Forum 20th anniversaryIoT overview for IMTC Forum 20th anniversary
IoT overview for IMTC Forum 20th anniversaryir. Carmelo Zaccone
 
The Future of Tokens - Fran Strajnar
The Future of Tokens - Fran Strajnar The Future of Tokens - Fran Strajnar
The Future of Tokens - Fran Strajnar Fran Strajnar
 
ArcBlock Presents 5 Winning Factors to Building a Successful DApp
ArcBlock Presents 5 Winning Factors to Building a Successful DAppArcBlock Presents 5 Winning Factors to Building a Successful DApp
ArcBlock Presents 5 Winning Factors to Building a Successful DAppArcBlock
 

Recomendados

Travelling to the far side of Andromeda
Travelling to the far side of AndromedaTravelling to the far side of Andromeda
Travelling to the far side of AndromedaJose Miguel Esparza
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
DWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, Matooma
DWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, MatoomaDWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, Matooma
DWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, MatoomaIDATE DigiWorld
 
04 tendencias de la union europea sector ito
04 tendencias de la union europea sector ito04 tendencias de la union europea sector ito
04 tendencias de la union europea sector itoProColombia
 
Web 2.0 & cyworld
Web 2.0 & cyworldWeb 2.0 & cyworld
Web 2.0 & cyworldisanox98
 
IoT overview for IMTC Forum 20th anniversary
IoT overview for IMTC Forum 20th anniversaryIoT overview for IMTC Forum 20th anniversary
IoT overview for IMTC Forum 20th anniversaryir. Carmelo Zaccone
 
The Future of Tokens - Fran Strajnar
The Future of Tokens - Fran Strajnar The Future of Tokens - Fran Strajnar
The Future of Tokens - Fran Strajnar Fran Strajnar
 
ArcBlock Presents 5 Winning Factors to Building a Successful DApp
ArcBlock Presents 5 Winning Factors to Building a Successful DAppArcBlock Presents 5 Winning Factors to Building a Successful DApp
ArcBlock Presents 5 Winning Factors to Building a Successful DAppArcBlock
 
[DSC Adria 23] Ivan Livic .pptx
[DSC Adria 23] Ivan Livic .pptx[DSC Adria 23] Ivan Livic .pptx
[DSC Adria 23] Ivan Livic .pptxDataScienceConferenc1
 
Mengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatMengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatCharles Lim
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud preventionRakuten Group, Inc.
 
Mozilla Firefox OS
Mozilla Firefox OSMozilla Firefox OS
Mozilla Firefox OSAli Spivak
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud preventionYury Leonychev
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007David L. Kreider, Esq. (???)
 
From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10F _
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)André Fucs de Miranda
 
Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1ashk4n
 
Skolkovo 2 blackberry
Skolkovo 2 blackberrySkolkovo 2 blackberry
Skolkovo 2 blackberryAlbert Yefimov
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...Cyber Security Alliance
 
Sironta at OpenOffice.org Conference 2010
Sironta at OpenOffice.org Conference 2010Sironta at OpenOffice.org Conference 2010
Sironta at OpenOffice.org Conference 2010Manu Arjó
 
Progress next iot_pelegri
Progress next iot_pelegriProgress next iot_pelegri
Progress next iot_pelegriEduardo Pelegri-Llopart
 
Deep and Dark internet Safari, How to hire a hacker? Robbrecht van Amerongen
Deep and Dark internet Safari, How to hire a hacker? Robbrecht van AmerongenDeep and Dark internet Safari, How to hire a hacker? Robbrecht van Amerongen
Deep and Dark internet Safari, How to hire a hacker? Robbrecht van AmerongenGetting value from IoT, Integration and Data Analytics
 
"Cerved - A business perspective"
"Cerved - A business perspective" "Cerved - A business perspective"
"Cerved - A business perspective" dapaasproject
 
Webali bizdev may2012
Webali bizdev may2012Webali bizdev may2012
Webali bizdev may2012webalig
 
Connected Event - Blockchain 3 05 2018
Connected Event - Blockchain 3 05 2018Connected Event - Blockchain 3 05 2018
Connected Event - Blockchain 3 05 2018Raphael Rollier
 
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...mfrancis
 
The Future of the Connected Living Room
The Future of the Connected Living RoomThe Future of the Connected Living Room
The Future of the Connected Living RoomNextMarket Insights
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Mais conteúdo relacionado

Semelhante a Sopelka VS Eurograbber - Really 36 million EUR?

Mengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatMengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatCharles Lim
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud preventionRakuten Group, Inc.
 
Mozilla Firefox OS
Mozilla Firefox OSMozilla Firefox OS
Mozilla Firefox OSAli Spivak
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud preventionYury Leonychev
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007David L. Kreider, Esq. (???)
 
From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10F _
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)André Fucs de Miranda
 
Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1ashk4n
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...Cyber Security Alliance
 
Sironta at OpenOffice.org Conference 2010
Sironta at OpenOffice.org Conference 2010Sironta at OpenOffice.org Conference 2010
Sironta at OpenOffice.org Conference 2010Manu Arjó
 
"Cerved - A business perspective"
"Cerved - A business perspective" "Cerved - A business perspective"
"Cerved - A business perspective" dapaasproject
 
Webali bizdev may2012
Webali bizdev may2012Webali bizdev may2012
Webali bizdev may2012webalig
 
Connected Event - Blockchain 3 05 2018
Connected Event - Blockchain 3 05 2018Connected Event - Blockchain 3 05 2018
Connected Event - Blockchain 3 05 2018Raphael Rollier
 
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...mfrancis
 
The Future of the Connected Living Room
The Future of the Connected Living RoomThe Future of the Connected Living Room
The Future of the Connected Living RoomNextMarket Insights
 

Semelhante a Sopelka VS Eurograbber - Really 36 million EUR? (20)

[DSC Adria 23] Ivan Livic .pptx
[DSC Adria 23] Ivan Livic .pptx[DSC Adria 23] Ivan Livic .pptx
[DSC Adria 23] Ivan Livic .pptx
 
Mengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatMengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih Dekat
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud prevention
 
Mozilla Firefox OS
Mozilla Firefox OSMozilla Firefox OS
Mozilla Firefox OS
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud prevention
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
 
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
 
From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)
 
Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1
 
Skolkovo 2 blackberry
Skolkovo 2 blackberrySkolkovo 2 blackberry
Skolkovo 2 blackberry
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
 
Sironta at OpenOffice.org Conference 2010
Sironta at OpenOffice.org Conference 2010Sironta at OpenOffice.org Conference 2010
Sironta at OpenOffice.org Conference 2010
 
Progress next iot_pelegri
Progress next iot_pelegriProgress next iot_pelegri
Progress next iot_pelegri
 
Deep and Dark internet Safari, How to hire a hacker? Robbrecht van Amerongen
Deep and Dark internet Safari, How to hire a hacker? Robbrecht van AmerongenDeep and Dark internet Safari, How to hire a hacker? Robbrecht van Amerongen
Deep and Dark internet Safari, How to hire a hacker? Robbrecht van Amerongen
 
"Cerved - A business perspective"
"Cerved - A business perspective" "Cerved - A business perspective"
"Cerved - A business perspective"
 
Webali bizdev may2012
Webali bizdev may2012Webali bizdev may2012
Webali bizdev may2012
 
Connected Event - Blockchain 3 05 2018
Connected Event - Blockchain 3 05 2018Connected Event - Blockchain 3 05 2018
Connected Event - Blockchain 3 05 2018
 
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
 
The Future of the Connected Living Room
The Future of the Connected Living RoomThe Future of the Connected Living Room
The Future of the Connected Living Room
 

Último

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 

Último (20)

Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 

Sopelka VS Eurograbber - Really 36 million EUR?

  • 1. Sopelka VS Eurograbber Really 36 million EUR?? Jose Miguel Esparza Mikel Gastesi @EternalTodo @mgastesi
  • 2. Who are these geeks? • Mikel Gastesi – S21sec Advanced Cybersecurity Services • Jose Miguel Esparza – ex-S21 – Fox-IT Cybercrime
  • 3. Agenda • Introduction • Sopelka Botnet • Eurograbber • Conclusions
  • 4. Introduction • Yet another botnet • With some curiosities – 3 malware families and the same banking panel – High level of infections – Using third party services
  • 5. Introduction • Yet another botnet • With some curiosities – 3 malware families and the same banking panel – High level of infections – Using third party services • Yet another botnet, really?
  • 6. Introduction • Yet another botnet • With some curiosities – 3 malware families and the same banking panel – High level of infections – Using third party services • Yet another botnet, really? – Eurograbber – 36 million EUR??!!
  • 7. 3 botnets and 1 panel? WTF??? Trojan C&C Config URLs, etc Injects
  • 8. 3 botnets and 1 panel? WTF??? Trojan C&C 2nd C&C Config URLs, etc Injects
  • 11. Sopelka Botnet - Campaigns Campaign Date Trojan Path Countries Sopelka1 01/05 30/05 Citadel 1.3.4.0 /sopelka1/file.php|file=citsp1.exe /sopelka1/file.php|file=sopelka1_config.bin ES,DE, NL Sopelka2 01/05 30/05 Citadel 1.3.4.0 /sopelka2/file.php|file=citsp2.exe /sopelka2/file.php|file=sopelka2_config.bin ES Tatanga 15/06 15/07 Tatanga /sec/g.php IT, ES, DE, NL Feodo 15/06 15/07 Feodo /zb/v_01_a/in/cp.php ES,NL, DE, IT Sopelka3 15/08 24/09 Citadel 1.3.4.5 /sopelka3/file.php|file=citsp3.exe /sopelka3/file.php|file=sopelka3_config.bin ES, DE
  • 12. Sopelka Botnet – Infection (I) • Exploit Kit: BlackHole
  • 13. Sopelka Botnet – Infection (II) • SPAM
  • 14. Sopelka Botnet - Injects • Minimal HTML code in the config file – External Javascript files – One file per affected entity – Downloading via PHP file • https://domain.com/dir/get.php/campaignDir/?name =inject.js – Same technique used in the 3 malware families – Tatanga URL (Injects server?) • x.php?cmdid=8&gettype=js&id=inyeccion.js&uid=0000
  • 15. Sopelka Botnet - Injects • Citadel • Tatanga
  • 16. Sopelka Botnet - Injects • Tatanga strings in a Citadel config
  • 17. Sopelka Botnet - Injects • 2FA
  • 18. Sopelka Botnet - MyCoolSMS • Using API to send SMS to the victims • “Executive” accounts • Three known users: smshumor/danieliv/hgm
  • 19. Sopelka Botnet – smshumor • Used in Sopelka1/2 campaigns (May) – From March to July – Some tests performed in March and April – FonYou virtual numbers for testing (Spain) – URIs with links to .jad (5.1%) and .apk (94.9%) – “BancoMovil” (99%) as sender • Also “SecureInfo” and “MobilBank” – 2407 SMS sent • 240 €
  • 20. Sopelka Botnet – danieliv • Feodo / Tatanga campaigns – July and August – Just .apk (76%) and .jad (24%) again – Sent to Germany / Italy / Netherlands mostly – 574 SMS • 99.8€
  • 21. Sopelka Botnet - hgm • Active since end of July – Heavily used during Sopelka3 campaign (Sept) – SMS sent to Spanish and German phones – Also links to .sis (10%) – “TOCCO” as sender – Internal communication – 1162 SMS • 188€
  • 22. Sopelka Botnet – Mobile apps • Mobile components known since 2010 – Android • 19th of July 2012 – BlackBerry • 20th of August 2012 – Symbian • 9th and 20th of August 2012 • Same admin phone numbers – Swedish virtual numbers • +46769436094 • +46769436073
  • 23. Sopelka Botnet – Mobile apps • Symbian certificates  mail (test)
  • 24. Sopelka Botnet – Mobile apps • Symbian certificates  mail (campaign)
  • 25. Sopelka Botnet – Banking panel • Russian + English
  • 26. Sopelka Botnet – Banking panel • Commands (injects)
  • 27. Sopelka Botnet – Banking panel • Commands (injects) – Server side  Not all implemented • getinfo: gets info from the server, even transfers • newdate: new transfer • has: checks if that info exists in the database • getvalue: obtain some stored data like codes card • log: just logging
  • 28. Sopelka Botnet – Banking panel • Stolen data – At least 9,000 banking users – Configs • 60% affects to Spanish entities • 15% affects to German entities • 15% affects to Italian entities • The rest to Netherlands and Money Transfers – Injects against more than 30 companies • Found data of 5 Spanish and 2 German – The campaignDir directory separates campaigns
  • 29. Sopelka Botnet – Banking panel CampaignDir First use date Last use date Total use /decit/ 2012-07-24 2012-09-19 30% /replace_hgsdonf/ 2012-05-04 2012-09-20 27% /fixan/ 2012-05-21 2012-09-06 19% /foxes/ 2012-05-21 2012-07-07 14% /fixit/ 2012-06-26 2012-08-15 5% /denew/ 2012-07-24 2012-09-17 4% /replace_zeus/ 2012-05-05 2012-09-18 0.7% /mex/ 2012-09-04 2012-09-20 0.2% /mes/ 2012-09-04 2012-09-19 0.1% /nor/ - - 0% /gni/ - - 0% • One database per campaign
  • 30. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
  • 31. Sopelka Botnet - Infrastructure • Trojan servers – At least 30 domains • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
  • 32. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers – Complexity level++ – At least 2 domains / 4 hosts (Citadel) • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
  • 33. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers – At least 8 domains (proxies) • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
  • 34. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers – At least 1 domain • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
  • 35. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS – At least 2 domains • Send/Receive SMS providers • Mobile components servers
  • 36. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
  • 37. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers – At least 13 domains
  • 38. Sopelka Botnet - Infrastructure • Citadel domains stats (autumn.kz, wet.kz, advia.kz) – IPs geolocation (05/09/2012) 59% 38% 2% 1% DE ES CH PT IT HK US NL UK AT JP DK IL EG
  • 39. Sopelka Botnet - Infrastructure • Citadel domains stats – Unique IPs connecting to advia.kz (05/09/2012) 0 500 1000 1500 2000 2500 3000 3500 4000 4500 5000 DE ES CH PT IT
  • 40. Sopelka Botnet - Infrastructure • Citadel domains stats – Total unique IPs (01/09/2012 - 07/09/2012) 0 2000 4000 6000 8000 10000 12000 14000 DE ES CH PT IT
  • 41. Sopelka Botnet - Infrastructure • Feodo – More than 30,000 infections • Italy!! • Tatanga – 3,000 infections aprox. • Germany • Spain
  • 42. Sopelka Botnet - Infrastructure • Binary updates (Citadel)
  • 43. Sopelka Botnet - Infrastructure • Binary updates (Citadel)
  • 44. Sopelka Botnet - Infrastructure • Binary updates (Citadel) – Robocrypt – Styx
  • 45. Sopelka Botnet - Infrastructure • Internal communication / tests – Mobile phone numbers • Virtual numbers – Spain  FonYou – Sweden  MyCoolSMS – United Kingdom  MyCoolSMS • Russian prepaid SIMs (Beeline) – MyCoolSMS – SMS2Email – TextMarketer
  • 46.
  • 47. Sopelka Botnet - Infrastructure • Internal communication / tests – Mobile phone numbers • Virtual numbers – Spain  FonYou – Sweden  MyCoolSMS – United Kingdom  MyCoolSMS • Russian prepaid SIMs (Beeline) – MyCoolSMS – SMS2Email – TextMarketer
  • 48. Sopelka Botnet - Infrastructure • Internal communication / tests – Messages in English – Some proofs pointing to Manchester • Using same virtual number (hgm) • Using SMS2Email account with Manchester IP • Account data – But payments with Russian virtual credit cards…
  • 49. Sopelka Botnet - Summary • Citadel / Tatanga / Feodo • Since April to end of September 2012 • Injects + Mobile component (apk, jad, sis) – No automatic transfers • 4 European countries affected • High infection level • Russian / English banking panel • Different nationalities group (?)
  • 57. Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions
  • 58. Eurograbber • Different malware families – ZeuS – SpyEye – Carberp • New ZitMo attack • European banks • 200€ - 250.000€ transactions
  • 59. Eurograbber • Different malware families • New ZitMo attack – Android – BlackBerry • European banks • 200€ - 250.000€ transactions “…new and very successful variation of the ZITMO Trojan“
  • 60. Eurograbber • Different malware families • New ZitMo attack • European banks – Italy (16) – Spain (7) – Germany (6) – Netherlands (3) • 200€ - 250.000€ transactions
  • 61. Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions
  • 62. Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions • 36 million EUR!!
  • 63. Eurograbber • It smells like Sopelka…
  • 64. Eurograbber • It smells like Sopelka…
  • 65. Eurograbber • Different malware families – ZeuS Citadel – SpyEye Tatanga / Hermes – Feodo / Bugat / Cridex – Carberp? • New ZitMo attack • European banks • 200€ - 250.000€ transactions
  • 66. Eurograbber • Different malware families • New ZitMo attack Same ZitMo in 2010 – Android – BlackBerry – Symbian “…new and very successful variation of the ZITMO Trojan“ “…Mobile version of Eurograbber Trojan”
  • 67. Eurograbber • New ZitMo attack Same ZitMo in 2010 “…new and very successful variation of the ZITMO Trojan“
  • 68. Eurograbber • Different malware families • New ZitMo attack • European banks – Italy (16) (14) – Spain (7) (16) – Germany (6) (3) – Netherlands (3) (1) • 200€ - 250.000€ transactions
  • 69. Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions
  • 70. Eurograbber • 200€ - 250.000€ transactions
  • 72. Eurograbber • 36 million EUR WTF??!! 2012-07-24 03:50:58 xxxxx_4179183 21.038,54 € 2012-07-23 22:43:56 xxxxx_1370498 14.984,62 € 2012-07-23 14:04:36 xxxxx_2812717 10.112,18 € 2012-07-23 13:45:45 xxxxx_1068462 31.339,07 € 2012-07-22 08:37:09 xxxxx_2887226 85.602,18 € 2012-07-22 08:23:44 xxxxx_2629431 223.036,12 € 2012-07-22 02:31:02 xxxxx_1029564 38.506,79 €
  • 73. Eurograbber • “Once the Eurograbber Trojans are installed on the bank customer’s computer and mobile phone, the malware lays dormant until the next time the customer accesses their bank account. ” • “Immediately upon a bank customer’s login, the cybercriminal initiates Eurograbber’s computer Trojan to start its own transaction to transfer a predefined percentage of money out of the customer’s bank account to a “mule” account owned by the attackers.”
  • 74. Eurograbber • “…the Eurograbber mobile Trojan intercepts the SMS containing the TAN, hides it from the customer and forwards it to one of many relay phone numbers setup by the attackers. The SMS is then forwarded from the relay phone number to the drop zone where it is stored in the command and control database along with other user information”
  • 75. Conclusions • Sopelka is an interesting botnet – 3 malware families and only one banking panel – High infection level – Mobile components – Internal communication • Eurograbber is just marketing – With some technical details – Sales/Marketing >>>> Solutions/Collaboration • Critical and analytical mind against hypes
  • 76. Agradecimientos • S21sec e-crime • Fox-IT Cybercrime • Shadowserver & Abuse.ch • ING Direct Spain (Alex!) • …