“Jumcar” is the name we have given to a family of malicious code developed in Latin America – particularly in Peru – and which, according to our research, has been deploying attack maneuvers since March 2012.

After six months of research we can now detail the specific features of Jumcar. We will communicate these over the following days. Essentially the main purpose of the malware is stealing financial information from Latin American users who use the home-banking services of major banking companies. Of these, 90% are channeled in Peru through phishing strategies based on cloning the websites of six banks.

Some variants of the Jumcar family also target two banks in Chile, and another in Costa Rica.

Percentage of the phishing attacks by countries

After the recent emergence of the criminal PiceBOT in Latin America, AlbaBotnet has joined the growing ranks of regional IT crime. It revolves around online pharming, with a view to delivering targeted phishing attacks which steal information from the online accounts of two major Chilean banks.

According to the data we have processed, this campaign is part of a trial stage of this botnet: up to now there has been no monetization of AlbaBotnet. We do know that the author of this threat began testing it in early 2012.

The botnet appears to have a similar structure to its Latin American counterparts. As well as the default automated malware builder, it includes a package which automatically sends emails. Thus, the botmaster can customize infection campaigns through the classic mechanisms of visual social engineering:

Last week, Adobe released a patch for a vulnerability in Flash Player that was being exploited in targeted attacks.

Before reading any further, we recommend you to take a moment make sure you apply this patch. Adobe offers this nifty tool to check that you have the latest version of Flash Player.

If you are running Google Chrome, make sure you have version -24.0.1312.57 m- or later.

Now back to CVE-2013-0633, the critical vulnerability that was discovered and reported to Adobe by Kaspersky Lab researchers Sergey Golovanov and Alexander Polyakov. The exploits for CVE-2013-0633 have been observed while monitoring the so-called -legal- surveillance malware created by the Italian company HackingTeam. In this blog, we will describe some of the attacks and the usage of this 0-day to deploy malware from -HackingTeam- marketed as Remote Control System.

Following in the wake of the vOlk (Mexico) and S.A.P.Z. (Peru) botnets comes PiceBOT, a newbie to the Latin American cybercrime scene. The cost on the black market is currently around $140.

Like other crimeware of its kind, its main purpose is the distribution of malware that steals financial information through local pharming attacks (arbitrary modification of a hosts file). Despite its recent onset (less than a month) it has already been adopted by Latin American cybercriminals to target clients of major banks. So far we have recorded phishing attacks generated and managed through this botnet in Chile, Peru, Panama, Costa Rica, Mexico, Colombia, Uruguay, Venezuela, Ecuador, Nicaragua and Argentina. The following image, obtained from an underground forum, shows some examples:

In information security, talk about botnets equals talk about malicious actions that materialize through criminal action. In essence, we think there is always a hostile attitude on the part of those who administer them. Please correct me colleagues, refute this if I'm wrong, but I think conceptually you agree with me.

BoteAR (developed in Argentina) adopts the concept of "social networks" although it seems, as yet, not fully materialized. It offers a conventional and manageable botnet via HTTP but uses the model of crimeware-as-a-service. Moreover, the author seems to adopt (maybe unknowingly) the business model of affiliate systems originating in Eastern Europe which are used to spread malware i.e. infect and get revenue for each node you infect.

So far nothing unusual, unfortunately we witness this kind of tactic every day. The striking thing about BoteAR though is that it tries to shield itself under a wrapper of security in an attempt to "fraternize" with its community.

=== Not really, especially in Latin America. Every day we register lots of similar attacks, each abusing local DNS settings. Actually these attacks are a bit different because they modify the local HOST file but the principle is the same – redirecting the victim to a malicious host via malicious DNS records.

Latin American cybercriminals are used to recycling old techniques used elsewhere in the past and what is happening right now is a growth of attacks abusing local DNS settings. The latest social engineering-based malware attack in Mexico – which imitated the Mexican tax office – is a recent example of this.

    Carolina Dieckmann, a famous Brazilian actress, recently became the victim of cyber attacks that allowed cybercriminals to steal personal property - nude pictures of her- from her computer. Many pictures or maybe all of them got leaked to the Internet. This incident has served as a good incentive for the Brazilian government to have new cybercrime laws in the country (the current law to fight cybercrime in Brazil was approved back in the 40’s of XX century). As a result of this incident, a new cybercrime law that carries a punishment of up to 2 years in prison for such crimes has finally been proposed for consideration. This is a good and right move! A press article in Portuguese can be

    While looking over some potentially malicious links from Brazil, I came across an interesting group of files. They were of varying sizes but had similar structures.
 

Latin America has ceased to be a region that simply receives attacks from across the world.

Since late 2009 it has begun to copy fraudulent business models through which American cybercriminals have begun producing their own criminal resources.

Examples include Brazil, with the web application called TELA (to manage the information stolen from zombie computers); or S.A.P.Z. from Peru, used to propagate malicious code designed to steal bank details. But of course, these are not the only ones. Mexico has also joined this list, with different crimeware developments. Tequila and Mariachi crimeware programs started the trend in this region, back in 2009. But the newest is VOlk-Botnet. The following image shows the main page:

The title of this post suggests that I’ve been thinking of one of the cyber-criminals that uses SpyEye, maybe in admiration! But actually his cyber-criminal actions overshadow anything else.

The truth is that, following my post highlighting the tactic of using as C&C one of the Cloud Computing services offered by Amazon, I found a sample of SpyEye that is somewhat interesting: among its goals is an attack DDoS directed against the Kaspersky Lab website.

The SpyEye configuration file, which is basically a compressed file and password protected (usually MD5), stores the resources involved in the planned attack. The surprise came when I looked at the configuration file of the plugin (ddos.dll.cfg). The following image shows the parameters set in this file: