Friday, October 16, 2020

Trickbot on the Ropes Part 2: The QQAAZZ Money Laundering Ring

While shutting down the technical aspects of malware is critical (see Trickbot on the Ropes Part 1), the real disincentive to the criminals is when you hit them hard in the money.  That was the objective of Europol's Operation 2BaGoldMule case against QQAAZZ.   Working with partners in 16 countries, including Latvia, Bulgaria, the United Kingdom, Spain, and Italy, Europol helped to coordinate search warrants being executed at 40 different residences in support of criminal proceedings in the United States, Portugal, and the UK, and Spain.

Europol put out a two-part InfoGraphic as part of their story on the arrests, "20 Arrests in QQAAZZ Multi-Million Money Laundering Case":

 


Infographic: https://www.europol.europa.eu/publications-documents/operation-2bagoldmule

The criminals behind the QQAAZZ money laundering ring received funds from botnet operators, and "tumbled" the funds through a variety of shell companies and crypto-currencies to produce "clean money" keeping a 40% to 50% cut of the funds for themselves.

The U.S. Department of Justice says that QQAAZZ-controlled bank accounts received funds stolen via banking trojans including Dridex, Trickbot, and GozNym malware.  The DOJ action came in two rounds, with the first indictment being unsealed back in October 2019 naming these individuals: 

Aleksejs Trofimovics
a/k/a Aleksejs Trofimovich, Alexey Trofimovich, Aleko Stoyanov Angelov 
Ruslans Nikitenko 
a/k/a Krzysztof Wojciech Lewko, Milen Nikolchev Nikolov, Rafal Zimnoch 
Arturs Zaharevics
a/k/a Piotr Ginelli, Arkadiusz Szuberski 
Deniss Ruseckis
a/k/a Denis Rusetsky, Sevdelin Sevdalinov Atanasov 

These individuals used a collection of shell companies to open a large number of bank accounts in Portugal.  In 2018, I sat in a meeting in London with a handful of the largest banks in the UK and heard for the first time as they shared information with one another that it was a "common" thing that when someone had their bank account hit by Trickbot, a wire transfer would be sent to Portugal!

According to the indictment, Ruslans Nikitenko used his shell company Selbevulte LDA to open accounts at eleven banks in Portugal.  He used the company Colossal Devotion LDA to open accounts at nine additional banks.  Arturs Zaharevics created the shell company Cardinal Gradual Real Estate Unipessoal LDA and used it to open accounts at ten banks in Portugal.  Dennis Ruseckis created Flamingocloud LDA and used it to open accounts at thirteen banks in Portugal!

According to the October 2019 Indictment, more than $1.1 Million USD in wire attempts were made just for the transactions shown below, although in more than half of the cases, the funds were able to be blocked or recovered.

DateVictim BankWire AttemptBeneficiary
07MAR2017Schwab  $75000Aktrofi Services
20SEP2017BOA  $84900Aktrofi Services
26OCT2017JPMorgan Chase  $98780Privelegioasis
29NOV2017American Express $121360Selbevulte
30NOV2017BB&T $72000Privelegioasis
08MAR2018USAA $29500Flamingocloud
08MAR2018USAA $29500Colossal Devotion
21MAR2018BOA $49000Colossal Devotion
10APR2018JPMorgan Chase $59426Cardinal Gradual
10APR2018JPMorgan Chase $59426Cardinal Gradual
10APR2018JPMorgan Chase $59426Cardinal Gradual
30AUG2018PNC $99693Selbevulte
14NOV2018BOA $56202Aktrofi Services
14NOV2018BOA $112921Deinis Gorenko
14NOV2018BOA $45830Deinis Gorenko
06DEC2018    JPMorgan Chase $114652Flamingocloud












In between that indictment and the current one, there was a bit more publicity back in May 2020 when "Plinofficial", a Russian scam-rapper, whose real name was Maksim Boiko, was arrested by the FBI when he landed at the Miami airport, as was covered by the BBC and others at the time. 

In the more recent action, the indictment of the US Western District of Pennsylvania was just unsealed, having been filed on 29SEP2020.  This indictment names an additional group of money launderers:

  • Nika Nazarovi - of Georgia - aka Nika Utiashvili, Mihail Atanasov, Stefan Trifonov Zhelyazkov
  • Martins Ignatjevs - of Latvia - aka Yodan Angelov Stoyanov, Aleksander Tihomirov Yanev, Svetlin Iliyanov Asenov 
  • Aleksandre Kobiashvili - of Georgia - aka Antonios Nastas, Ognyan Krasimirov Trifonov
  • Dmitrijs Kuzminovs - of Latvia - aka Parush Gospodinov
  • Valentins Sevecs - of Latvia - aka Marek Jaswilko, Rafal Szczytko
  • Dmitrijs Slapins - of Latvia 
  • Armens Vecels - of Latvia 
  • Artiom Capacli - of Bulgaria
  • Ion Cebanu  - of Romania
  • TOmass Trescinkas - of Latvia 
  • Ruslans Sarapovs - of Latvia 
  • Silvestrs Tamenieks - of Latvia 
  • Abdelhak Hamdaoui  - of Latvia 
  • Petar Iliev - of Belgium 

it says that "in total, cybercriminals attempted to transfer tens of millions of dollars to QQAAZZ-controlled accounts, and QQAAZZ successfully laundered millions of dollars stolen from victims around the world."

The indictment breaks the criminals into three tiers: 

Leaders 
Mid-level Managers 
and Money Mules 

In the September 2020 indictment, some of the victim companies, whose bank accounts were used to wire money to European shell companies created by those named above, included: 

  1. a technology company in Windsor, CT 
  2. an Orthodox Jewish Synagogue in Brooklyn, NY 
  3. a medical device manufacturer in York, Pennsylvania
  4. an individual in Montclair, NJ 
  5. an architecture firm in Miami, FL 
  6. an individual in Acworth, GA
  7. an automative parts manufacturer in Livonia, MI 
  8. a homebuilder in Skokie, IL 
  9. an individual in Carollton, TX 
  10. an individual in Villa Park, CA.  
Dozens of additional US victims are identified, but it is unknown the total number of victims whose funds were stolen, or attempted to be stolen through these schemes. 

Those named in the two indictments received funds to shell company bank accounts including at least 147 accounts opened at banks in Portugal, as well as Germany, Spain, and the United Kingdom. 

The indictment provides a partial list of the funds transfers which occurred between US-based victims and accounts controlled by these criminals. 




In order to accomplish this, members of the QQAAZZ cash-out system advertised their services on "exclusive, underground, Russian-speaking, online cybercriminal forums."   Some of these advertisements on a single forum cost as much as $10,000 per year!  

Some of the online monikers used by QQAAZZ members in these forums included: 

qqaazz            globalqqaazz            markdevido 
richrich          donaldtrump55         manuel           krakadil                     
kalilinux         ritchie                      totala              totala22 

These forum exchanges helped to establish relationships between the malware gangs and the money launderers.  For example, QQAAZZ members using the name "richrich" chatted with members of the GozNym malware crime group about being a "drop handler" in the UK and Europe and having many accounts that could be used for money laundering, including an account in the name "Yaromu Gida" at a bank in Turkey.  That account received $176,500 in funds stolen from the medical device manufactuer in the Western District of Pennsylvania. 

"DonaldTrump55" provided bank account information for a drop belonging to Ruslans Nikitentko at a bank in Portugal opened using a counterfeit Polish identity card in the name Krzysztof Wojciech Lewko.  The account later received $121,360 from a US victim. 





Trickbot On The Ropes: Microsoft's Case Against Trickbot

 Trickbot is having a truly bad time this month!  While as of today, Trickbot binaries are being delivered by Emotet, there is every sign that they are struggling.   Emotet's daily activities are best documented by a team of researchers using the collective identity "Cryptolaemus" and sharing news of IOCs and URLs on their website: https://paste.cryptolaemus.com/.  With no activity from October 6th to 12th, there was every indication a "change" was coming, and beginning on 14OCT2020, researchers such as our friends at @CofenseLabs and @Malware_Traffic are both reporting that Trickbot is now being delivered by the Emotet spam-sending botnet.  

This post examines Microsoft's case against Trickbot. However, there are also reports of U.S. Cyber Command taking a role in disrupting Trickbot, as reported by the Washington Post and security journalist Brian Krebs. In the "take-down" attempt, as described by Krebs, the bot began propagating to other bots that its new controller IP address should be "127.0.0.1:1" - which would result in the bot-infected computer stopping communication with the criminals.  There was also an attempt to flood the criminals with millions of fake "stolen credentials" hoping to confuse their ability to sort out "true victims."  As Krebs also reported, the fabulous Trickbot C&C tracker at FEODOTracker is reporting many live C&C addresses for Trickbot.  (Also see Trickbot On the Ropes Part 2: the QQAAZZ Money Laundering Ring.) 

The Microsoft Trickbot Case

On October 12, 2020, Microsoft announced "New action to combat ransomware ahead of U.S. election" describing Trickbot as malware that "has infected over a million computing devices around the world since late 2016." By filing a lawsuit in the U.S. District Court for the Eastern District of Virginia, Microsoft received permission for a Temporary Restraining Order (TRO).  The Digital Crimes Unit (much love, guys!) worked with the FS-ISAC, ESET, Symantec, the Microsoft Defender team, NTT, and Lumen's Black Lotus Lab and others to lay out their case. 

The legal documents surrounding the case are on the Microsoft website: NoticeOfPleadings.com/trickbot/

Microsoft and the FS-ISAC bring the case with a 60 page complaint, demonstrating harm to their respective customers in the Eastern District of Virginia, and demanding that "John Doe 1" and "John Doe 2" appear in court for a Jury Trial.

They charge them with violations of: 

  • The Copyright Act - 17 USC § § 101 
  • The Computer Fraud and Abuse Act 18 USC § 1030
  • The Electronic Communications Privacy Act 18 USC § 2701
  • Trademark Infringement under the Lanham Act 15 USC § 1114
  • False Designation of Origin under the Lanham Act 15 USC § 1125(a)
  • Trademark Dilution under the Lanham Act 15 USC § 1125(c) 
  • Common Law Trespasses to Chattels 
  • Unjust Enrichment 
  • and Conversion 
To do so, Microsoft asked the court to force hosting providers to suspend services and block and monitor traffic for the customers who were using particular IP addresses within their organizations.  The list included: 

  • Input Output Flood, LLC of Las Vegas, for IP addresses: 
    • 104.161.32[.]103, .105, .106, .109, and .118.
  • Hosting Solution Ltd (Hurricane Electric of Fremont, California) for IP address:
    •  104.193.252[.]221.
  • Nodes Direct Holdings of Jacksonville Florida for IP addresses: 
    • 107.155.137[.]7, .19, and .28,
    • 162.216.0[.]163, 
    • 23.239.84[.]132, .136
  • Virtual Machine Solutions, LLC of Los Angeles, California for IP addresses: 
    • 107.174.192[.]162 and 
    • 107.175.184[.]201
  • Hostkey USA of New York for IP address: 
    • 139.60.163[.]45 
  • Fastlink Network Inc, of Los Angelese for IP address: 
    • 156.96.46[.]27
  • Green Floid LLC for IP addresses: 
    • 195.123.241[.]13 and .55 
  • Twinservers Hosting of Nashua, New Hampshire for IP address: 
    • 162.247.155[.]165  

Each team made significant contributions to the effort, and most have published their own Trickbot blogs, which I link below, with regards to the case, their most important function was to provide professional analysis in the form of a Declaration in Support of Motion for TRO: 

  • Lyons is Jason Lyons, a Senior Manager of Investigations at the DCU Malware & Cloud Crimes Team.  Lyons, who served in the Cyber CounterIntelligence unit of the U.S. Army, provides 25 pages of testimony and ten "Exhibits." Part of his testimony included the proof of 25 million Gmail, 19 million Yahoo, 11 million Hotmail, 7 million AOL, 3.5 million MSN, and 2 million Yahoo.co.uk addresses known to have been targeted by Trickbot (based on reporting from Deep Instinct)
  • Finones is Rodelio Finones, a Senior Security Software Engineer and Malware Researcher at the Microsoft DCU. He provides a 21 page testimony of his own investigation into Trickbot, 
  • Thakur is Vikram Thakur, the Technical Director of Symantec Enterprise, where he has been a major rockstar for more than a dozen years!  He provides a 20 page testimony.
  • Garlow is Kevin Garlow, Lead Information Security Engineer at LUMEN (formerly CenturyLink). His testimony includes the fact that he has identified 502 distinct IP addresses that had acted as Trickbot controllers, but that 40 of them have remained online despite more than 30 abuse notifications and that 9 of them have been sent more than 100 such notifications.  He states that "We confirmed 55 new Trickbot controller IPs in September 2020 and 99 new Trickbot controller IPs in August."  It is these long-lived "bullet-proof" controllers that Microsoft is targeting.  It is also likely that revealing whoever is paying the bills for those long-lived services may be a path to identifying John Doe 1 and John Doe 2.  Garlow's testimony that he has sent so many notices for take-down which have been ignored is a powerful part of this package!
  • Silberstein is Steven Silberstein, the CEO of the FS-ISAC.  He provides testimony to more than 500 fraud attempts against FS-ISAC member institutions over an 18 month period, with $7 Million in attempted fraud.  One FS-ISAC member had dozens of attempts in a two week period with an average fraud attempt of $268,000!  

  • Ghaffari is Kayvan M. Ghaffari, an attorney with Crowell & Moring LLP for Microsoft and the FS-ISAC.  His testimony calls out the particular web hosting companies that were hosting the machines targeted by the TRO, including Colocrossing, IOFlood, HostKey, VDI-Network, ENET-2, and King Servers, pointing out that all of these organizations have Terms of Service which are clearly violated by the Trickbot controllers.  He then attaches as exhibits more than 650 pages of similar cases and the related court documents from them.
  • Boutin is Jean-Ian Boutin, the Head of Threat Research, calls Trickbot "one of the most prolific and frequently encountered types of malware on the Internet."

Related TrickBot Blogs

ESET analyzed 125,000 malware samples and downloaded and decrypted 40,000 configuration files used by Trickbot modules, helping to map out the C&C servers by the botnet. While Trickbot can drop many "modules" these are not one-size-fits-all.  Trickbot modules were sometimes dropped in phases after an initial assessment of the network on which the bot found itself, and other times varies by the "gtag" -- the unique label used to sign the infection, thought to be related to affiliates who paid the Trickbot operators.

gtag timeline by ESET


Lumen's Black Lotus provided C2 timelines, demonstrating which IP addresses in which countries were active in which timeframes.  Indonesia, for example, hosted active C2 servers on 1,362 days!  Colombia and Ecuador, which by their count were #2 and #3 had only 652 and 637 C2 days by comparison.  They shared 95 C2 addresses in their recent Look Inside the Trickbot Botnet blog post. Many of these IP addresses are also called out in Lyons testimony as Exhibit 2.

5.152.210[.]18845.89.127[.]2796.9.77[.]56129.232.133[.]39185.172.129[.]100194.87.236[.]171
5.182.210[.]22451.77.112[.]252103.111.83[.]246131.161.253[.]190185.234.72[.]114195.123.238[.]83
5.182.211[.]12451.83.196[.]234103.12.161[.]194139.60.163[.]45185.234.72[.]35195.123.239[.]193
5.182.211[.]13851.89.215[.]186103.196.211[.]120156.96.46[.]27185.236.202[.]249195.123.240[.]18
27.147.173[.]22762.108[.]35.9103.221.254[.]102158.181.155[.]153185.25.51[.]139195.123.240[.]93
36.66.218[.]11780.210.32[.]67103.36.48[.]103176.31.28[.]85185.99.2[.]106195.123.241[.]224
36.89.182[.]22583.220.171[.]175103.76.169[.]213177.190.69[.]162185.99.2[.]115195.123.241[.]229
36.89.243[.]24185.204.116[.]117104.161.32[.]108179.127.88[.]41186.159.8[.]218195.161.62[.]25
36.91.45[.]1089.249.65[.]53104.161.32[.]118180.211.170[.]214190.136.178[.]52200.116.159[.]183
36.91.87[.]22791.200.100[.]71107.155.137[.]15181.112.157[.]42190.145.83[.]98200.116.232[.]186
36.94.33[.]10291.200.103[.]236110.93.15[.]98181.129.104[.]139190.152.182[.]150200.171.101[.]169
45.127[.]222.892.38.135[.]61112.109.19[.]178181.129.134[.]18190.214.28[.]74200.29.119[.]71
45.138.158[.]3392.62.65[.]163117.252.214[.]138181.143.186[.]42190.99.97[.]42201.231.85[.]50
45.148.10[.]17493.189.42[.]225121.100.19[.]18182.253.113[.]67192.3.246[.]216212.22.70[.]59
45.66.10[.]2296.9.73[.]73121.101.185[.]130185.14.30[.]247194.5.249[.]214220.247.174[.]12
45.89.125[.]14896.9.77[.]142122.50.6[.]122185.142.99[.]94194.5.249[.]215

Symantec's blog post "Trickbot: U.S. Court Order Hits Botnet's Infrastructure" has a great infographic about "How Trickbot Works": 


Microsoft on Trickbot's use of Covid-19 Lures

Microsoft is in a unique position to take action against malware, having visibility to so much malware-related traffic from browser telemetry, Microsoft Defender reports, and Office365 scans.  In the past year, they have evaluated 6 Trillion messages and blocked 13 Billion malicious emails that used 1.6 Billion URLs to try to infect the email recipients!

Microsoft's Digital Defense Report 2020 points out that Trickbot began using COVID-19 spam lures on March 3, 2020, and went on to become the most prominent spam botnet using COVID-19 themes.

From MS Digital Defense Report 2020 

We've long argued that if the lure is timely and controversial, people will click on it.  That seems to be the case even today as ProofPoint's @ThreatInsight has pointed out, documenting that a recent malware campaign, first seen October 6, 2020, is using President Trump's diagnosis as a lure to infect people with additional malware, using the subject line "Recent material about the president's situation" and the promise of additional details in a password-protected email attachment.