SlideShare ist ein Scribd-Unternehmen logo

Sopelka VS Eurograbber - Really 36 million EUR?

J
Jose Miguel Esparza

Sopelka botnet started life in May 2012 and was taken down by end of September of past year. This botnet was especial because it was an odd mixture of variants of the known banking trojans Tatanga, Feodo and Citadel, sending data to the same panel. Its main objective was the collection of banking credentials from European entities, mostly banks from Spain and Germany, but also The Netherlands and Italy. In addition, it made use of different mobile components for Android, BlackBerry and Symbian phones to bypass two factor authentication. In December 2012 a "new" banking malware report was published, claiming that this trojan had stolen more than 36 million EUR from different European banks. This report and, above all, the stolen amounts were quickly published everywhere, but, in fact, this incident had a lot in common with Sopelka botnet and some details needed to be explained...really 36 million EUR?

TechnologieBusiness
1 von 78
Sopelka VS Eurograbber Really 36 million EUR?? Jose Miguel Esparza Mikel Gastesi @EternalTodo @mgastesi
Who are these geeks? • Mikel Gastesi – S21sec Advanced Cybersecurity Services • Jose Miguel Esparza – ex-S21 – Fox-IT Cybercrime
Agenda • Introduction • Sopelka Botnet • Eurograbber • Conclusions
Introduction • Yet another botnet • With some curiosities – 3 malware families and the same banking panel – High level of infections – Using third party services
Introduction • Yet another botnet • With some curiosities – 3 malware families and the same banking panel – High level of infections – Using third party services • Yet another botnet, really?
Introduction • Yet another botnet • With some curiosities – 3 malware families and the same banking panel – High level of infections – Using third party services • Yet another botnet, really? – Eurograbber – 36 million EUR??!!
3 botnets and 1 panel? WTF??? Trojan C&C Config URLs, etc Injects
3 botnets and 1 panel? WTF??? Trojan C&C 2nd C&C Config URLs, etc Injects
Example 1 – N
Example 1 – N
Sopelka Botnet - Campaigns Campaign Date Trojan Path Countries Sopelka1 01/05 30/05 Citadel 1.3.4.0 /sopelka1/file.php|file=citsp1.exe /sopelka1/file.php|file=sopelka1_config.bin ES,DE, NL Sopelka2 01/05 30/05 Citadel 1.3.4.0 /sopelka2/file.php|file=citsp2.exe /sopelka2/file.php|file=sopelka2_config.bin ES Tatanga 15/06 15/07 Tatanga /sec/g.php IT, ES, DE, NL Feodo 15/06 15/07 Feodo /zb/v_01_a/in/cp.php ES,NL, DE, IT Sopelka3 15/08 24/09 Citadel 1.3.4.5 /sopelka3/file.php|file=citsp3.exe /sopelka3/file.php|file=sopelka3_config.bin ES, DE
Sopelka Botnet – Infection (I) • Exploit Kit: BlackHole
Sopelka Botnet – Infection (II) • SPAM
Sopelka Botnet - Injects • Minimal HTML code in the config file – External Javascript files – One file per affected entity – Downloading via PHP file • https://domain.com/dir/get.php/campaignDir/?name =inject.js – Same technique used in the 3 malware families – Tatanga URL (Injects server?) • x.php?cmdid=8&gettype=js&id=inyeccion.js&uid=0000
Sopelka Botnet - Injects • Citadel • Tatanga
Sopelka Botnet - Injects • Tatanga strings in a Citadel config
Sopelka Botnet - Injects • 2FA
Sopelka Botnet - MyCoolSMS • Using API to send SMS to the victims • “Executive” accounts • Three known users: smshumor/danieliv/hgm
Sopelka Botnet – smshumor • Used in Sopelka1/2 campaigns (May) – From March to July – Some tests performed in March and April – FonYou virtual numbers for testing (Spain) – URIs with links to .jad (5.1%) and .apk (94.9%) – “BancoMovil” (99%) as sender • Also “SecureInfo” and “MobilBank” – 2407 SMS sent • 240 €
Sopelka Botnet – danieliv • Feodo / Tatanga campaigns – July and August – Just .apk (76%) and .jad (24%) again – Sent to Germany / Italy / Netherlands mostly – 574 SMS • 99.8€
Sopelka Botnet - hgm • Active since end of July – Heavily used during Sopelka3 campaign (Sept) – SMS sent to Spanish and German phones – Also links to .sis (10%) – “TOCCO” as sender – Internal communication – 1162 SMS • 188€
Sopelka Botnet – Mobile apps • Mobile components known since 2010 – Android • 19th of July 2012 – BlackBerry • 20th of August 2012 – Symbian • 9th and 20th of August 2012 • Same admin phone numbers – Swedish virtual numbers • +46769436094 • +46769436073
Sopelka Botnet – Mobile apps • Symbian certificates  mail (test)
Sopelka Botnet – Mobile apps • Symbian certificates  mail (campaign)
Sopelka Botnet – Banking panel • Russian + English
Sopelka Botnet – Banking panel • Commands (injects)
Sopelka Botnet – Banking panel • Commands (injects) – Server side  Not all implemented • getinfo: gets info from the server, even transfers • newdate: new transfer • has: checks if that info exists in the database • getvalue: obtain some stored data like codes card • log: just logging
Sopelka Botnet – Banking panel • Stolen data – At least 9,000 banking users – Configs • 60% affects to Spanish entities • 15% affects to German entities • 15% affects to Italian entities • The rest to Netherlands and Money Transfers – Injects against more than 30 companies • Found data of 5 Spanish and 2 German – The campaignDir directory separates campaigns
Sopelka Botnet – Banking panel CampaignDir First use date Last use date Total use /decit/ 2012-07-24 2012-09-19 30% /replace_hgsdonf/ 2012-05-04 2012-09-20 27% /fixan/ 2012-05-21 2012-09-06 19% /foxes/ 2012-05-21 2012-07-07 14% /fixit/ 2012-06-26 2012-08-15 5% /denew/ 2012-07-24 2012-09-17 4% /replace_zeus/ 2012-05-05 2012-09-18 0.7% /mex/ 2012-09-04 2012-09-20 0.2% /mes/ 2012-09-04 2012-09-19 0.1% /nor/ - - 0% /gni/ - - 0% • One database per campaign
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers – At least 30 domains • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers – Complexity level++ – At least 2 domains / 4 hosts (Citadel) • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers – At least 8 domains (proxies) • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers – At least 1 domain • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS – At least 2 domains • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers – At least 13 domains
Sopelka Botnet - Infrastructure • Citadel domains stats (autumn.kz, wet.kz, advia.kz) – IPs geolocation (05/09/2012) 59% 38% 2% 1% DE ES CH PT IT HK US NL UK AT JP DK IL EG
Sopelka Botnet - Infrastructure • Citadel domains stats – Unique IPs connecting to advia.kz (05/09/2012) 0 500 1000 1500 2000 2500 3000 3500 4000 4500 5000 DE ES CH PT IT
Sopelka Botnet - Infrastructure • Citadel domains stats – Total unique IPs (01/09/2012 - 07/09/2012) 0 2000 4000 6000 8000 10000 12000 14000 DE ES CH PT IT
Sopelka Botnet - Infrastructure • Feodo – More than 30,000 infections • Italy!! • Tatanga – 3,000 infections aprox. • Germany • Spain
Sopelka Botnet - Infrastructure • Binary updates (Citadel)
Sopelka Botnet - Infrastructure • Binary updates (Citadel)
Sopelka Botnet - Infrastructure • Binary updates (Citadel) – Robocrypt – Styx
Sopelka Botnet - Infrastructure • Internal communication / tests – Mobile phone numbers • Virtual numbers – Spain  FonYou – Sweden  MyCoolSMS – United Kingdom  MyCoolSMS • Russian prepaid SIMs (Beeline) – MyCoolSMS – SMS2Email – TextMarketer
Sopelka Botnet - Infrastructure • Internal communication / tests – Mobile phone numbers • Virtual numbers – Spain  FonYou – Sweden  MyCoolSMS – United Kingdom  MyCoolSMS • Russian prepaid SIMs (Beeline) – MyCoolSMS – SMS2Email – TextMarketer
Sopelka Botnet - Infrastructure • Internal communication / tests – Messages in English – Some proofs pointing to Manchester • Using same virtual number (hgm) • Using SMS2Email account with Manchester IP • Account data – But payments with Russian virtual credit cards…
Sopelka Botnet - Summary • Citadel / Tatanga / Feodo • Since April to end of September 2012 • Injects + Mobile component (apk, jad, sis) – No automatic transfers • 4 European countries affected • High infection level • Russian / English banking panel • Different nationalities group (?)
Eurograbber
Eurograbber
Eurograbber
Eurograbber
Eurograbber
Eurograbber
Eurograbber
Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions
Eurograbber • Different malware families – ZeuS – SpyEye – Carberp • New ZitMo attack • European banks • 200€ - 250.000€ transactions
Eurograbber • Different malware families • New ZitMo attack – Android – BlackBerry • European banks • 200€ - 250.000€ transactions “…new and very successful variation of the ZITMO Trojan“
Eurograbber • Different malware families • New ZitMo attack • European banks – Italy (16) – Spain (7) – Germany (6) – Netherlands (3) • 200€ - 250.000€ transactions
Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions
Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions • 36 million EUR!!
Eurograbber • It smells like Sopelka…
Eurograbber • It smells like Sopelka…
Eurograbber • Different malware families – ZeuS Citadel – SpyEye Tatanga / Hermes – Feodo / Bugat / Cridex – Carberp? • New ZitMo attack • European banks • 200€ - 250.000€ transactions
Eurograbber • Different malware families • New ZitMo attack Same ZitMo in 2010 – Android – BlackBerry – Symbian “…new and very successful variation of the ZITMO Trojan“ “…Mobile version of Eurograbber Trojan”
Eurograbber • New ZitMo attack Same ZitMo in 2010 “…new and very successful variation of the ZITMO Trojan“
Eurograbber • Different malware families • New ZitMo attack • European banks – Italy (16) (14) – Spain (7) (16) – Germany (6) (3) – Netherlands (3) (1) • 200€ - 250.000€ transactions
Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions
Eurograbber • 200€ - 250.000€ transactions
Eurograbber • 36 million EUR WTF??!!
Eurograbber • 36 million EUR WTF??!! 2012-07-24 03:50:58 xxxxx_4179183 21.038,54 € 2012-07-23 22:43:56 xxxxx_1370498 14.984,62 € 2012-07-23 14:04:36 xxxxx_2812717 10.112,18 € 2012-07-23 13:45:45 xxxxx_1068462 31.339,07 € 2012-07-22 08:37:09 xxxxx_2887226 85.602,18 € 2012-07-22 08:23:44 xxxxx_2629431 223.036,12 € 2012-07-22 02:31:02 xxxxx_1029564 38.506,79 €
Eurograbber • “Once the Eurograbber Trojans are installed on the bank customer’s computer and mobile phone, the malware lays dormant until the next time the customer accesses their bank account. ” • “Immediately upon a bank customer’s login, the cybercriminal initiates Eurograbber’s computer Trojan to start its own transaction to transfer a predefined percentage of money out of the customer’s bank account to a “mule” account owned by the attackers.”
Eurograbber • “…the Eurograbber mobile Trojan intercepts the SMS containing the TAN, hides it from the customer and forwards it to one of many relay phone numbers setup by the attackers. The SMS is then forwarded from the relay phone number to the drop zone where it is stored in the command and control database along with other user information”
Conclusions • Sopelka is an interesting botnet – 3 malware families and only one banking panel – High infection level – Mobile components – Internal communication • Eurograbber is just marketing – With some technical details – Sales/Marketing >>>> Solutions/Collaboration • Critical and analytical mind against hypes
Agradecimientos • S21sec e-crime • Fox-IT Cybercrime • Shadowserver & Abuse.ch • ING Direct Spain (Alex!) • …
Questions?
Thanks!! Mikel Gastesi @mgastesi Jose Miguel Esparza @EternalTodo

Empfohlen

Travelling to the far side of Andromeda
Travelling to the far side of AndromedaTravelling to the far side of Andromeda
Travelling to the far side of AndromedaJose Miguel Esparza
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
DWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, Matooma
DWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, MatoomaDWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, Matooma
DWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, MatoomaIDATE DigiWorld
 
04 tendencias de la union europea sector ito
04 tendencias de la union europea sector ito04 tendencias de la union europea sector ito
04 tendencias de la union europea sector itoProColombia
 
Web 2.0 & cyworld
Web 2.0 & cyworldWeb 2.0 & cyworld
Web 2.0 & cyworldisanox98
 
IoT overview for IMTC Forum 20th anniversary
IoT overview for IMTC Forum 20th anniversaryIoT overview for IMTC Forum 20th anniversary
IoT overview for IMTC Forum 20th anniversaryir. Carmelo Zaccone
 
The Future of Tokens - Fran Strajnar
The Future of Tokens - Fran Strajnar The Future of Tokens - Fran Strajnar
The Future of Tokens - Fran Strajnar Fran Strajnar
 
ArcBlock Presents 5 Winning Factors to Building a Successful DApp
ArcBlock Presents 5 Winning Factors to Building a Successful DAppArcBlock Presents 5 Winning Factors to Building a Successful DApp
ArcBlock Presents 5 Winning Factors to Building a Successful DAppArcBlock
 

Empfohlen

Travelling to the far side of Andromeda
Travelling to the far side of AndromedaTravelling to the far side of Andromeda
Travelling to the far side of AndromedaJose Miguel Esparza
 
2014: Mid-Year Threat Review
2014: Mid-Year Threat Review2014: Mid-Year Threat Review
2014: Mid-Year Threat ReviewESET
 
DWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, Matooma
DWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, MatoomaDWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, Matooma
DWS16 - Connected Things Forum - IoT Frédéric De Mont-Serrat, MatoomaIDATE DigiWorld
 
04 tendencias de la union europea sector ito
04 tendencias de la union europea sector ito04 tendencias de la union europea sector ito
04 tendencias de la union europea sector itoProColombia
 
Web 2.0 & cyworld
Web 2.0 & cyworldWeb 2.0 & cyworld
Web 2.0 & cyworldisanox98
 
IoT overview for IMTC Forum 20th anniversary
IoT overview for IMTC Forum 20th anniversaryIoT overview for IMTC Forum 20th anniversary
IoT overview for IMTC Forum 20th anniversaryir. Carmelo Zaccone
 
The Future of Tokens - Fran Strajnar
The Future of Tokens - Fran Strajnar The Future of Tokens - Fran Strajnar
The Future of Tokens - Fran Strajnar Fran Strajnar
 
ArcBlock Presents 5 Winning Factors to Building a Successful DApp
ArcBlock Presents 5 Winning Factors to Building a Successful DAppArcBlock Presents 5 Winning Factors to Building a Successful DApp
ArcBlock Presents 5 Winning Factors to Building a Successful DAppArcBlock
 
[DSC Adria 23] Ivan Livic .pptx
[DSC Adria 23] Ivan Livic .pptx[DSC Adria 23] Ivan Livic .pptx
[DSC Adria 23] Ivan Livic .pptxDataScienceConferenc1
 
Mengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatMengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatCharles Lim
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud preventionRakuten Group, Inc.
 
Mozilla Firefox OS
Mozilla Firefox OSMozilla Firefox OS
Mozilla Firefox OSAli Spivak
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud preventionYury Leonychev
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007David L. Kreider, Esq. (???)
 
From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10F _
 
Reversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, SwitzerlandReversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, SwitzerlandSignalSEC Ltd.
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)André Fucs de Miranda
 
Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1ashk4n
 
Skolkovo 2 blackberry
Skolkovo 2 blackberrySkolkovo 2 blackberry
Skolkovo 2 blackberryAlbert Yefimov
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...Cyber Security Alliance
 
Sironta at OpenOffice.org Conference 2010
Sironta at OpenOffice.org Conference 2010Sironta at OpenOffice.org Conference 2010
Sironta at OpenOffice.org Conference 2010Manu Arjó
 
Progress next iot_pelegri
Progress next iot_pelegriProgress next iot_pelegri
Progress next iot_pelegriEduardo Pelegri-Llopart
 
Deep and Dark internet Safari, How to hire a hacker? Robbrecht van Amerongen
Deep and Dark internet Safari, How to hire a hacker? Robbrecht van AmerongenDeep and Dark internet Safari, How to hire a hacker? Robbrecht van Amerongen
Deep and Dark internet Safari, How to hire a hacker? Robbrecht van AmerongenGetting value from IoT, Integration and Data Analytics
 
"Cerved - A business perspective"
"Cerved - A business perspective" "Cerved - A business perspective"
"Cerved - A business perspective" dapaasproject
 
Webali bizdev may2012
Webali bizdev may2012Webali bizdev may2012
Webali bizdev may2012webalig
 
Connected Event - Blockchain 3 05 2018
Connected Event - Blockchain 3 05 2018Connected Event - Blockchain 3 05 2018
Connected Event - Blockchain 3 05 2018Raphael Rollier
 
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...mfrancis
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 

Weitere ähnliche Inhalte

Ähnlich wie Sopelka VS Eurograbber - Really 36 million EUR?

Mengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatMengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatCharles Lim
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud preventionRakuten Group, Inc.
 
Mozilla Firefox OS
Mozilla Firefox OSMozilla Firefox OS
Mozilla Firefox OSAli Spivak
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud preventionYury Leonychev
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine LearningAvast
 
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007David L. Kreider, Esq. (???)
 
From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10F _
 
Reversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, SwitzerlandReversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, SwitzerlandSignalSEC Ltd.
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)André Fucs de Miranda
 
Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1ashk4n
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...Cyber Security Alliance
 
Sironta at OpenOffice.org Conference 2010
Sironta at OpenOffice.org Conference 2010Sironta at OpenOffice.org Conference 2010
Sironta at OpenOffice.org Conference 2010Manu Arjó
 
"Cerved - A business perspective"
"Cerved - A business perspective" "Cerved - A business perspective"
"Cerved - A business perspective" dapaasproject
 
Webali bizdev may2012
Webali bizdev may2012Webali bizdev may2012
Webali bizdev may2012webalig
 
Connected Event - Blockchain 3 05 2018
Connected Event - Blockchain 3 05 2018Connected Event - Blockchain 3 05 2018
Connected Event - Blockchain 3 05 2018Raphael Rollier
 
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...mfrancis
 

Ähnlich wie Sopelka VS Eurograbber - Really 36 million EUR? (20)

[DSC Adria 23] Ivan Livic .pptx
[DSC Adria 23] Ivan Livic .pptx[DSC Adria 23] Ivan Livic .pptx
[DSC Adria 23] Ivan Livic .pptx
 
Mengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih DekatMengenal ZEUS Botnet Lebih Dekat
Mengenal ZEUS Botnet Lebih Dekat
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud prevention
 
Mozilla Firefox OS
Mozilla Firefox OSMozilla Firefox OS
Mozilla Firefox OS
 
How to build corporate size fraud prevention
How to build corporate size fraud preventionHow to build corporate size fraud prevention
How to build corporate size fraud prevention
 
Avast @ Machine Learning
Avast @ Machine LearningAvast @ Machine Learning
Avast @ Machine Learning
 
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
Overview of Telecommunications 2007 -- WIPO 3rd Sept. 2007
 
From russia final_bluehat10
From russia final_bluehat10From russia final_bluehat10
From russia final_bluehat10
 
Reversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, SwitzerlandReversing Mobile - Swiss Cyber Storm 2011, Switzerland
Reversing Mobile - Swiss Cyber Storm 2011, Switzerland
 
New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)New Botnets Trends and Threats (BH Europe 2007)
New Botnets Trends and Threats (BH Europe 2007)
 
Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1Jcj corporate blind overview november 19 2012 1-1
Jcj corporate blind overview november 19 2012 1-1
 
Skolkovo 2 blackberry
Skolkovo 2 blackberrySkolkovo 2 blackberry
Skolkovo 2 blackberry
 
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
ASFWS 2013 - Cryptocat: récents défis en faisant la cryptographie plus facile...
 
Sironta at OpenOffice.org Conference 2010
Sironta at OpenOffice.org Conference 2010Sironta at OpenOffice.org Conference 2010
Sironta at OpenOffice.org Conference 2010
 
Progress next iot_pelegri
Progress next iot_pelegriProgress next iot_pelegri
Progress next iot_pelegri
 
Deep and Dark internet Safari, How to hire a hacker? Robbrecht van Amerongen
Deep and Dark internet Safari, How to hire a hacker? Robbrecht van AmerongenDeep and Dark internet Safari, How to hire a hacker? Robbrecht van Amerongen
Deep and Dark internet Safari, How to hire a hacker? Robbrecht van Amerongen
 
"Cerved - A business perspective"
"Cerved - A business perspective" "Cerved - A business perspective"
"Cerved - A business perspective"
 
Webali bizdev may2012
Webali bizdev may2012Webali bizdev may2012
Webali bizdev may2012
 
Connected Event - Blockchain 3 05 2018
Connected Event - Blockchain 3 05 2018Connected Event - Blockchain 3 05 2018
Connected Event - Blockchain 3 05 2018
 
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
Keynote - OSGi Service Enabler - Peter Möckel, Managing Director T-Labs, Deu...
 

Kürzlich hochgeladen

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demoHarshalMandlekar2
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Kürzlich hochgeladen (20)

DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Sample pptx for embedding into website for demo
Sample pptx for embedding into website for demoSample pptx for embedding into website for demo
Sample pptx for embedding into website for demo
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Sopelka VS Eurograbber - Really 36 million EUR?

  • 1. Sopelka VS Eurograbber Really 36 million EUR?? Jose Miguel Esparza Mikel Gastesi @EternalTodo @mgastesi
  • 2. Who are these geeks? • Mikel Gastesi – S21sec Advanced Cybersecurity Services • Jose Miguel Esparza – ex-S21 – Fox-IT Cybercrime
  • 3. Agenda • Introduction • Sopelka Botnet • Eurograbber • Conclusions
  • 4. Introduction • Yet another botnet • With some curiosities – 3 malware families and the same banking panel – High level of infections – Using third party services
  • 5. Introduction • Yet another botnet • With some curiosities – 3 malware families and the same banking panel – High level of infections – Using third party services • Yet another botnet, really?
  • 6. Introduction • Yet another botnet • With some curiosities – 3 malware families and the same banking panel – High level of infections – Using third party services • Yet another botnet, really? – Eurograbber – 36 million EUR??!!
  • 7. 3 botnets and 1 panel? WTF??? Trojan C&C Config URLs, etc Injects
  • 8. 3 botnets and 1 panel? WTF??? Trojan C&C 2nd C&C Config URLs, etc Injects
  • 11. Sopelka Botnet - Campaigns Campaign Date Trojan Path Countries Sopelka1 01/05 30/05 Citadel 1.3.4.0 /sopelka1/file.php|file=citsp1.exe /sopelka1/file.php|file=sopelka1_config.bin ES,DE, NL Sopelka2 01/05 30/05 Citadel 1.3.4.0 /sopelka2/file.php|file=citsp2.exe /sopelka2/file.php|file=sopelka2_config.bin ES Tatanga 15/06 15/07 Tatanga /sec/g.php IT, ES, DE, NL Feodo 15/06 15/07 Feodo /zb/v_01_a/in/cp.php ES,NL, DE, IT Sopelka3 15/08 24/09 Citadel 1.3.4.5 /sopelka3/file.php|file=citsp3.exe /sopelka3/file.php|file=sopelka3_config.bin ES, DE
  • 12. Sopelka Botnet – Infection (I) • Exploit Kit: BlackHole
  • 13. Sopelka Botnet – Infection (II) • SPAM
  • 14. Sopelka Botnet - Injects • Minimal HTML code in the config file – External Javascript files – One file per affected entity – Downloading via PHP file • https://domain.com/dir/get.php/campaignDir/?name =inject.js – Same technique used in the 3 malware families – Tatanga URL (Injects server?) • x.php?cmdid=8&gettype=js&id=inyeccion.js&uid=0000
  • 15. Sopelka Botnet - Injects • Citadel • Tatanga
  • 16. Sopelka Botnet - Injects • Tatanga strings in a Citadel config
  • 17. Sopelka Botnet - Injects • 2FA
  • 18. Sopelka Botnet - MyCoolSMS • Using API to send SMS to the victims • “Executive” accounts • Three known users: smshumor/danieliv/hgm
  • 19. Sopelka Botnet – smshumor • Used in Sopelka1/2 campaigns (May) – From March to July – Some tests performed in March and April – FonYou virtual numbers for testing (Spain) – URIs with links to .jad (5.1%) and .apk (94.9%) – “BancoMovil” (99%) as sender • Also “SecureInfo” and “MobilBank” – 2407 SMS sent • 240 €
  • 20. Sopelka Botnet – danieliv • Feodo / Tatanga campaigns – July and August – Just .apk (76%) and .jad (24%) again – Sent to Germany / Italy / Netherlands mostly – 574 SMS • 99.8€
  • 21. Sopelka Botnet - hgm • Active since end of July – Heavily used during Sopelka3 campaign (Sept) – SMS sent to Spanish and German phones – Also links to .sis (10%) – “TOCCO” as sender – Internal communication – 1162 SMS • 188€
  • 22. Sopelka Botnet – Mobile apps • Mobile components known since 2010 – Android • 19th of July 2012 – BlackBerry • 20th of August 2012 – Symbian • 9th and 20th of August 2012 • Same admin phone numbers – Swedish virtual numbers • +46769436094 • +46769436073
  • 23. Sopelka Botnet – Mobile apps • Symbian certificates  mail (test)
  • 24. Sopelka Botnet – Mobile apps • Symbian certificates  mail (campaign)
  • 25. Sopelka Botnet – Banking panel • Russian + English
  • 26. Sopelka Botnet – Banking panel • Commands (injects)
  • 27. Sopelka Botnet – Banking panel • Commands (injects) – Server side  Not all implemented • getinfo: gets info from the server, even transfers • newdate: new transfer • has: checks if that info exists in the database • getvalue: obtain some stored data like codes card • log: just logging
  • 28. Sopelka Botnet – Banking panel • Stolen data – At least 9,000 banking users – Configs • 60% affects to Spanish entities • 15% affects to German entities • 15% affects to Italian entities • The rest to Netherlands and Money Transfers – Injects against more than 30 companies • Found data of 5 Spanish and 2 German – The campaignDir directory separates campaigns
  • 29. Sopelka Botnet – Banking panel CampaignDir First use date Last use date Total use /decit/ 2012-07-24 2012-09-19 30% /replace_hgsdonf/ 2012-05-04 2012-09-20 27% /fixan/ 2012-05-21 2012-09-06 19% /foxes/ 2012-05-21 2012-07-07 14% /fixit/ 2012-06-26 2012-08-15 5% /denew/ 2012-07-24 2012-09-17 4% /replace_zeus/ 2012-05-05 2012-09-18 0.7% /mex/ 2012-09-04 2012-09-20 0.2% /mes/ 2012-09-04 2012-09-19 0.1% /nor/ - - 0% /gni/ - - 0% • One database per campaign
  • 30. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
  • 31. Sopelka Botnet - Infrastructure • Trojan servers – At least 30 domains • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
  • 32. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers – Complexity level++ – At least 2 domains / 4 hosts (Citadel) • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
  • 33. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers – At least 8 domains (proxies) • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
  • 34. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers – At least 1 domain • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
  • 35. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS – At least 2 domains • Send/Receive SMS providers • Mobile components servers
  • 36. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers
  • 37. Sopelka Botnet - Infrastructure • Trojan servers • DNS servers • Banking panel servers • Injects servers • Servers to send SMS • Send/Receive SMS providers • Mobile components servers – At least 13 domains
  • 38. Sopelka Botnet - Infrastructure • Citadel domains stats (autumn.kz, wet.kz, advia.kz) – IPs geolocation (05/09/2012) 59% 38% 2% 1% DE ES CH PT IT HK US NL UK AT JP DK IL EG
  • 39. Sopelka Botnet - Infrastructure • Citadel domains stats – Unique IPs connecting to advia.kz (05/09/2012) 0 500 1000 1500 2000 2500 3000 3500 4000 4500 5000 DE ES CH PT IT
  • 40. Sopelka Botnet - Infrastructure • Citadel domains stats – Total unique IPs (01/09/2012 - 07/09/2012) 0 2000 4000 6000 8000 10000 12000 14000 DE ES CH PT IT
  • 41. Sopelka Botnet - Infrastructure • Feodo – More than 30,000 infections • Italy!! • Tatanga – 3,000 infections aprox. • Germany • Spain
  • 42. Sopelka Botnet - Infrastructure • Binary updates (Citadel)
  • 43. Sopelka Botnet - Infrastructure • Binary updates (Citadel)
  • 44. Sopelka Botnet - Infrastructure • Binary updates (Citadel) – Robocrypt – Styx
  • 45. Sopelka Botnet - Infrastructure • Internal communication / tests – Mobile phone numbers • Virtual numbers – Spain  FonYou – Sweden  MyCoolSMS – United Kingdom  MyCoolSMS • Russian prepaid SIMs (Beeline) – MyCoolSMS – SMS2Email – TextMarketer
  • 46.
  • 47. Sopelka Botnet - Infrastructure • Internal communication / tests – Mobile phone numbers • Virtual numbers – Spain  FonYou – Sweden  MyCoolSMS – United Kingdom  MyCoolSMS • Russian prepaid SIMs (Beeline) – MyCoolSMS – SMS2Email – TextMarketer
  • 48. Sopelka Botnet - Infrastructure • Internal communication / tests – Messages in English – Some proofs pointing to Manchester • Using same virtual number (hgm) • Using SMS2Email account with Manchester IP • Account data – But payments with Russian virtual credit cards…
  • 49. Sopelka Botnet - Summary • Citadel / Tatanga / Feodo • Since April to end of September 2012 • Injects + Mobile component (apk, jad, sis) – No automatic transfers • 4 European countries affected • High infection level • Russian / English banking panel • Different nationalities group (?)
  • 57. Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions
  • 58. Eurograbber • Different malware families – ZeuS – SpyEye – Carberp • New ZitMo attack • European banks • 200€ - 250.000€ transactions
  • 59. Eurograbber • Different malware families • New ZitMo attack – Android – BlackBerry • European banks • 200€ - 250.000€ transactions “…new and very successful variation of the ZITMO Trojan“
  • 60. Eurograbber • Different malware families • New ZitMo attack • European banks – Italy (16) – Spain (7) – Germany (6) – Netherlands (3) • 200€ - 250.000€ transactions
  • 61. Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions
  • 62. Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions • 36 million EUR!!
  • 63. Eurograbber • It smells like Sopelka…
  • 64. Eurograbber • It smells like Sopelka…
  • 65. Eurograbber • Different malware families – ZeuS Citadel – SpyEye Tatanga / Hermes – Feodo / Bugat / Cridex – Carberp? • New ZitMo attack • European banks • 200€ - 250.000€ transactions
  • 66. Eurograbber • Different malware families • New ZitMo attack Same ZitMo in 2010 – Android – BlackBerry – Symbian “…new and very successful variation of the ZITMO Trojan“ “…Mobile version of Eurograbber Trojan”
  • 67. Eurograbber • New ZitMo attack Same ZitMo in 2010 “…new and very successful variation of the ZITMO Trojan“
  • 68. Eurograbber • Different malware families • New ZitMo attack • European banks – Italy (16) (14) – Spain (7) (16) – Germany (6) (3) – Netherlands (3) (1) • 200€ - 250.000€ transactions
  • 69. Eurograbber • Different malware families • New ZitMo attack • European banks • 200€ - 250.000€ transactions
  • 70. Eurograbber • 200€ - 250.000€ transactions
  • 72. Eurograbber • 36 million EUR WTF??!! 2012-07-24 03:50:58 xxxxx_4179183 21.038,54 € 2012-07-23 22:43:56 xxxxx_1370498 14.984,62 € 2012-07-23 14:04:36 xxxxx_2812717 10.112,18 € 2012-07-23 13:45:45 xxxxx_1068462 31.339,07 € 2012-07-22 08:37:09 xxxxx_2887226 85.602,18 € 2012-07-22 08:23:44 xxxxx_2629431 223.036,12 € 2012-07-22 02:31:02 xxxxx_1029564 38.506,79 €
  • 73. Eurograbber • “Once the Eurograbber Trojans are installed on the bank customer’s computer and mobile phone, the malware lays dormant until the next time the customer accesses their bank account. ” • “Immediately upon a bank customer’s login, the cybercriminal initiates Eurograbber’s computer Trojan to start its own transaction to transfer a predefined percentage of money out of the customer’s bank account to a “mule” account owned by the attackers.”
  • 74. Eurograbber • “…the Eurograbber mobile Trojan intercepts the SMS containing the TAN, hides it from the customer and forwards it to one of many relay phone numbers setup by the attackers. The SMS is then forwarded from the relay phone number to the drop zone where it is stored in the command and control database along with other user information”
  • 75. Conclusions • Sopelka is an interesting botnet – 3 malware families and only one banking panel – High infection level – Mobile components – Internal communication • Eurograbber is just marketing – With some technical details – Sales/Marketing >>>> Solutions/Collaboration • Critical and analytical mind against hypes
  • 76. Agradecimientos • S21sec e-crime • Fox-IT Cybercrime • Shadowserver & Abuse.ch • ING Direct Spain (Alex!) • …