by Blog Staff | Apr 11, 2013 | Industry Intel, Threat Lab
By Dancho Danchev
What’s greed to some cybercriminals, is profit maximization to others, especially in times when we’re witnessing the maturing state of the modern cybercrime ‘enterprise’. Many enter this vibrant marketplace as vendors without really realizing that, thanks to the increasing transparency within the cybercrime ecosystem, their basic and valued added services will be directly benchmarked against a competing vendor, sometime rendering their unique value proposition completely irrelevant. Others will take a different approach by releasing a ‘life cycle aware’ underground market ad and will still manage to generate some revenue, as well as secure a decent number of customers in the long-term.
In this post, I’ll profile a ‘life cycle aware’ underground market ad for a private keylogger, relying on a limited number of licenses for its business model.
More details:
(more…)
by Blog Staff | Apr 10, 2013 | Industry Intel, Threat Lab
Cybercriminals are currently mass mailing tens of thousands of emails, in an attempt to trick users into thinking that the order for their “air transportation services has been accepted and processed”. In reality though, once users execute the malicious attachments, their PCs will automatically become part of the botnet managed by the malicious actors.
More details: (more…)
by Blog Staff | Apr 9, 2013 | Industry Intel, Threat Lab
Thanks to the ease of generating a botnet, in 2013, stolen accounting data on a mass scale is a no longer a hot underground item, it’s a commodity, one that’s being offered by virtually all participants in the cybercrime ecosystem.
What happens once a Skype account gets compromised? There are several possible scenarios. The cybercriminals that (automatically) compromised it will either use the Skype credit for their own purposes, start spreading malware to the friends/colleagues of the compromised victim, or feed the accounting data into their arsenal of tools and tactics for launching TDoS (Telephony Denial of Service) services.
In this post, I’ll profile a novice cybercriminal’s underground market proposition, consisting of a DIY Skype ring flooder+training+a small amount of credit on a Skype account available in the package, and emphasize on why this particular release will never gain any market share, compared to the sophisticated and publicly available managed services.
More details:
(more…)
by Blog Staff | Apr 8, 2013 | Industry Intel, Threat Lab
In a diversified underground marketplace, where multiple market players interact with one another on a daily basis, there are the “me too” developers, and the true “innovators” whose releases have the potential to cause widespread damage, ultimately resulting in huge financial losses internationally.
In this post, I’ll profile one such underground market release known as as “Zerokit, 0kit or the ring0 bundle” bootkit which was originally advertised at a popular invite-only/vetted cybercrime-friendly community back in 2011. I’ll emphasize on its core features, offer an inside peek into its administration panel, and discuss the novel “licensing” scheme used by its author, namely, to offer access to the bootkit in exchange for tens of thousands of malware-infected hosts on a monthly basis.
More details:
(more…)
by Blog Staff | Apr 5, 2013 | Industry Intel, Threat Lab
Over the last couple of years, the industry’s and the media’s attention has been shifting from mass widespread malware campaigns to targeted attacks most commonly targeting human rights organizations, governments and the military, also known as advanced persistent threats (APTs).
In this post, I’ll profile a recently spotted underground market advertisement, which basically offers a Microsoft Access file of data belonging to executives within major companies such as Audi, Ralph Lauren, Bentley, Breitling, Porsche, Avito, Marc Jacobs, Ralph Lauren, Live Nation, Societe Generale, Bloomberg, Technip, Carlsberg, Coca-Cola, etc., obtained primarily through valid business cards.
More details: (more…)
by Blog Staff | Apr 4, 2013 | Industry Intel, Threat Lab
Over the past few days, we intercepted a malware campaign that spreads through Skype messages, exclusively coming from malware-infected friends or colleagues. Once users click on the shortened link, they’ll be exposed to a simple file download box, with the cybercriminals behind the campaign directly linking to the malicious executable.
More details:
(more…)
by Blog Staff | Apr 3, 2013 | Industry Intel, Threat Lab
By Dancho Danchev
Among the first things a cybercriminal will (automatically) do, once they gain access to a compromised host, is to retrieve account/credential data.
From compromised FTP credentials, CPanel accounts, portfolios of domains, to hacked PayPal and Steam accounts, cybercriminals are actively utilizing compromised infrastructure as a foundation for the success of their fraudulent or malicious campaigns, as well as for anonymization ‘stepping stones’ tactics in an attempt to forward the risk of getting tracked down through a series of network connections between malware infected hosts located across the globe.
In this post, I’ll highlight the existence of a cybercrime-friendly service that has been supplying virtually anyone who pays for access, with tens of thousands of compromised accounts.
More details: (more…)
by Blog Staff | Apr 2, 2013 | Industry Intel, Threat Lab
We have recently intercepted a malicious spam campaign, that’s attempting to trick users into thinking that they’ve received a non-existent “changelog.” Once gullible and socially engineered users execute the malicious attachment, their PCs automatically become part of the botnet operated by the cybercriminal/gang of cybercriminals.
More details: (more…)
by Blog Staff | Apr 1, 2013 | Industry Intel, Threat Lab
While the authors/support teams of some of the market leading Web malware exploitation kits are competing on their way to be the first kit to introduce a new exploit on a mass scale, others, largely influenced by the re-emergence of the DIY (do-it-yourself) trend across the cybercrime ecosystem, continue relying on good old fashioned social engineering attacks.
In this post, I’ll profile a beneath-the-radar type of DIY Java-based botnet building tool, which is served through the usual unsigned, yet malicious Java applet.
More details: (more…)
by Blog Staff | Mar 29, 2013 | Industry Intel, Threat Lab
By Dancho Danchev
On a daily basis we process multiple malicious campaigns that, in 95%+ of cases, rely on the market leading Black Hole Exploit Kit. The fact that this Web malware exploitation kit is the kit of choice for the majority of cybercriminals, speaks for its key differentiation factors/infection rate success compared to the competing exploit kits, like, for instance, the Sweet Orange exploit kit or the Nuclear Exploit pack v2.0.
In this post I’ll profile the EgyPack, a Web malware exploitation kit that was originally advertised on invite-only/vetted cybercrime friendly communities between the period of 2009-2011. List its core features, provide exclusive screenshots of its administration panel, and discuss why its business model failed to scale, leading to its virtually non-existent market share.
More details:
(more…)
