Today the Russian MVD and FSB have announced the arrest of eight cybercriminals who have stolen more than 60 million rubles ($2 million USD) from at least ninety victim bank accounts in the charges documented in this case.
The Ministry of Internal Affairs (Ministerstvo Vnutrennikh Del or Министерство внутренних дел) better known as the MVD has a computer crimes unit known as "Department K". In this case they worked together with the Russian Federal Security Service's Center for Information Security. (The Federal Security Service, or FSB for Federal'naya sluzhba bezopasnosti, Федеральная служба безопасности is the equivalent to the FBI in the United States.)
Similar to charges brought in the United States against cyber criminals, the MVD Press Release only documents charges that can be proven beyond any reasonable doubt. The total activities of these criminals are likely to greatly exceed what can be formally charged. The formal charges are significant though.
According to Russian computer forensics and investigations company, Group-IB, the Russian government received assistance in the investigation from Group-IB as well as Dutch company Fox-IT. Group-IB says that the group primarily used the malware families Win32/Carberp and Win32/RDPdor.
The Carberp trojan is a financial crimes trojan that has been said to have "High Damage Potential" by anti-virus companies like Trend Micro. Trend was able to show some interesting statistics about who was infected with at least one version of CARBERP by "sink-holing" the CARBERP Command and Control server. S21Sec also did some great research on how to decrypt Carberp communications.
Carberp has continued to evolve and add functionality beyond simple banking credential theft. More recently Carberp has been used for DDOS attacks and to grant remote control access to infected computers, giving the criminals access to everything on the computer, or the ability to use that computer to mask origins of other attacks.
Department K has been tracking these particular criminals since October of 2011, and says the group was run by two brothers, born in 1983 and 1986. One of those brothers was already a known criminal having a record related to real estate fraud.
This particular gang of eight criminals would gain access to banking credentials and cause money to be electronically transferred to accounts controlled by the criminals. They actually rented office space under the guise of a legal computer company and spent their days taking remote control of compromised computers in order to set up the fraudulent banking transactions. Once the money had been transferred to accounts controlled by the gang, it was withdrawn from a variety of ATM machines in the Moscow area.
The malware was distributed by hacking into popular Internet sites and leaving traps, including the websites of some prominent newspapers.
All of the criminals were arrested simultaneously in cooperation between the MVD and the FSB, from the botnet administrator all the way down to the criminals who made the ATM withdrawals.
If I'm reading the Russian translation correctly, the ringleader is in custody, his elder brother was released on 3 million rubles bond, and the other six are under house arrest.
The charges brought against them were based on three Russian laws:
- Article 272 - "Illegal access to computer information"
- Article 273 - "The creation, use and dissemination of harmful computer programs"
- Article 158 - "Theft"
The hackers could face up to 10 years imprisonment, if convicted.
It is not known at this time how this arrest will impact other use of the CARBERP trojan. The trojan continues to be active, with criminals continuing to take advantage of the lack of enforcement of domain name registration rules, and the gullibility of human computer users. One quick example of each.
One of the domains associated with CARBERP recently was: n9ewpon98euohfe.org
Here is the WHOIS information for that domain:
Registrant name: trgtrf trgtrf
Registrant organization: trgtrf
Registrant street: trgtrf
Registrant state: trgtrf
Registrant postal code: trgtrf
Registrant country: CN
Registrant phone: +86.6857463454
Registrant email: email@example.com
See if you can spot the inaccuracy in that WHOIS data? Did you pass? Of course! It's a Russian phone number (+86) claiming to be in China! Oh, the fact that trgtrf may not be a valid postal code, or name, or address, might also be a hint. Rather strange that this Russian in China chooses to use as his nameserver "Primaryns.kiev.ua" as well.
On the Social Engineering front, Trusteer CEO Amit Klein recently blogged about a Facebook related scam being pushed to users infected with Carberp. In that scam, users were told that their Facebook account was locked, and that they needed to provide a 20 Euro "Ukash Voucher #" to unlock the account:
(click image to visit Trusteer blog article).
Ukash started in the United Kingdom (UK-cash = Ukash?) but now has partnerships with certain mobile phone companies and with Mastercard.