English
The Internet threat alert status is currently normal. At present, no major epidemics or other serious incidents have been recorded by Kaspersky Lab’s monitoring service. Internet threat level: 1
Latest posting
By rating
By popularity

Join our blog

You can contribute to our blog if you have +100 points. Comment on articles and blogposts, and other users will rate your comments. You receive points for positive ratings.

0.2
 

We know that the family of malware called Trojan.MSIL.Jumcar and Trojan.Win32.Jumcar was developed in Peru with the primary aim of attacking Peruvian users. We also know that Chilean and Peruvian users have latterly been targeted as well. You can read more about this in our preliminary reports:

Jumcar. From Peru with focus on Latin America [First part]

Jumcar. Timeline, crypto, and specific functions [Second part]

During the initial investigation we saw a very striking series of strings from the source code of the first variants: "Armada Peruana". This is the Peruvian navy.

String "Armada Peruana" observed in decompilation of the Jumcar variant.

0.2
 

Jumcar stands out from other malicious code developed in Latin America because of its particularly aggressive features. At the moment three generations of this malware family exist, which basically use symmetric algorithms in the first and second generation, and an asymmetric algorithm in the third. In this manner the configuration parameters are hidden, progressively increasing the complexity of the variants.

In the first generation, data is encrypted with AES (Advanced Encryption Standard). We estimate that the first variant was released in March 2012, and that other pieces of malware with similar characteristics were being developed until August of the same year. That is to say over a six month period.

In this first stage, 75% of the phishing campaigns targeted Peruvian consumers that use home-banking services. The 25% remaining targeted users in Chile.

The following diagram shows multiple instances used by the second generation of Jumcar:

Some .NET instances used by a variant of the first generation of Jumcar


0.4
 

Jumcar” is the name we have given to a family of malicious code developed in Latin America – particularly in Peru – and which, according to our research, has been deploying attack maneuvers since March 2012.

After six months of research we can now detail the specific features of Jumcar. We will communicate these over the following days. Essentially the main purpose of the malware is stealing financial information from Latin American users who use the home-banking services of major banking companies. Of these, 90% are channeled in Peru through phishing strategies based on cloning the websites of six banks.

Some variants of the Jumcar family also target two banks in Chile, and another in Costa Rica.

Percentage of the phishing attacks by countries
0.4
 

After the recent emergence of the criminal PiceBOT in Latin America, AlbaBotnet has joined the growing ranks of regional IT crime. It revolves around online pharming, with a view to delivering targeted phishing attacks which steal information from the online accounts of two major Chilean banks.

According to the data we have processed, this campaign is part of a trial stage of this botnet: up to now there has been no monetization of AlbaBotnet. We do know that the author of this threat began testing it in early 2012.

The botnet appears to have a similar structure to its Latin American counterparts. As well as the default automated malware builder, it includes a package which automatically sends emails. Thus, the botmaster can customize infection campaigns through the classic mechanisms of visual social engineering:

0.4
 

Following in the wake of the vOlk (Mexico) and S.A.P.Z. (Peru) botnets comes PiceBOT, a newbie to the Latin American cybercrime scene. The cost on the black market is currently around $140.

Like other crimeware of its kind, its main purpose is the distribution of malware that steals financial information through local pharming attacks (arbitrary modification of a hosts file). Despite its recent onset (less than a month) it has already been adopted by Latin American cybercriminals to target clients of major banks. So far we have recorded phishing attacks generated and managed through this botnet in Chile, Peru, Panama, Costa Rica, Mexico, Colombia, Uruguay, Venezuela, Ecuador, Nicaragua and Argentina. The following image, obtained from an underground forum, shows some examples:

0.4
 

In information security, talk about botnets equals talk about malicious actions that materialize through criminal action. In essence, we think there is always a hostile attitude on the part of those who administer them. Please correct me colleagues, refute this if I'm wrong, but I think conceptually you agree with me.

BoteAR (developed in Argentina) adopts the concept of "social networks" although it seems, as yet, not fully materialized. It offers a conventional and manageable botnet via HTTP but uses the model of crimeware-as-a-service. Moreover, the author seems to adopt (maybe unknowingly) the business model of affiliate systems originating in Eastern Europe which are used to spread malware i.e. infect and get revenue for each node you infect.

So far nothing unusual, unfortunately we witness this kind of tactic every day. The striking thing about BoteAR though is that it tries to shield itself under a wrapper of security in an attempt to "fraternize" with its community.

0.4
 

Latin America has ceased to be a region that simply receives attacks from across the world.

Since late 2009 it has begun to copy fraudulent business models through which American cybercriminals have begun producing their own criminal resources.

Examples include Brazil, with the web application called TELA (to manage the information stolen from zombie computers); or S.A.P.Z. from Peru, used to propagate malicious code designed to steal bank details. But of course, these are not the only ones. Mexico has also joined this list, with different crimeware developments. Tequila and Mariachi crimeware programs started the trend in this region, back in 2009. But the newest is VOlk-Botnet. The following image shows the main page:

0.4
 

The title of this post suggests that I’ve been thinking of one of the cyber-criminals that uses SpyEye, maybe in admiration! But actually his cyber-criminal actions overshadow anything else.

The truth is that, following my post highlighting the tactic of using as C&C one of the Cloud Computing services offered by Amazon, I found a sample of SpyEye that is somewhat interesting: among its goals is an attack DDoS directed against the Kaspersky Lab website.

The SpyEye configuration file, which is basically a compressed file and password protected (usually MD5), stores the resources involved in the planned attack. The surprise came when I looked at the configuration file of the plugin (ddos.dll.cfg). The following image shows the parameters set in this file:

0.4
 

After rumors about the supposed merger between SpyEye and ZeuS, and the public release of the source of the latter, it was logical that the range of possibilities opened up even more for new cybercriminals into the ecosystem of crimeware.

Consistent with this, it was only a matter of time for the emergence of new packages based on ZeuS crimeware, which is now realized. Ice IX Botnet is the first new generation of web applications developed to manage centralized botnets through the HTTP protocol based on leaked ZeuS source code.

0.3
 

Cloud Computing providers offer gigabytes of storage for free, and the cybercriminals use to maintain and spread malware of all the kind. At the same time, many legitimate services are not free, but are still very attractive to cybercrime gangs. In the case of Amazon, Amazon Simple Storage Service (Amazon S3) does the trick.

Despite being a paid service, the cost is not an obstacle for profitable attackers. In fact, my colleague Dmitry Bestuzhev recently told us about the spread of malware exploiting this service to "the cloud".

The truth is that these cases are not isolated. According to our research, cybercriminals have been running SpyEye activities and from Amazon for the past couple of weeks.