Researchers have stumbled upon traces of what seems to be part of C&C infrastructure used in one of the biggest cybercrime against an European bank with as much as €500,000 stolen from bank accounts using Man-in-the-Browser (MITB) mechanism.
Kaspersky Lab researchers discovered a ‘suspicious server’ on which were present log files containing traces of activities that might have been performed using the server.
“On January 20th 2014 Kaspersky Lab detected a suspicious server containing several log files including events from bots reporting to a command and control web panel”, notes Kaspersky in a blog post. “The information sent seemed to be related to a financial fraud; it included details of the victims and the sums of money stolen”
Researchers looked around on the server to find additional log files that contained information about fraudulent transactions as well as JavaScript code related to C2 infrastructure. Kaspersky claims that the log files gave important information on the bank that was targeted as well as the money-mule system that was in place.
The security company did inform the bank and law enforcement agencies about the fraudulent transactions, but hasn’t revealed the name of the bank in its blog post.
Kaspersky revealed that the crime was carried out using Man-in-the-Browser techniques and the malware employed was “capable of performing automatic transactions to pre-set money mule accounts.”
From the information extracted through the logs, Kaspersky claims that as many as €500,000 worth of fraudulent transactions were carried out from accounts of around 190 victims in Italy and Turkey.
Kaspersky hasn’t managed to analyse the malware used during the campaign, but researchers have deduced from the logs they analysed that the malware was capable of stealing usernames and OTPs in real time.
“This kind of injections are very common in all the variations of Zeus (Citadel, SpyEye, IceIX, etc.) and all of these are well-known in Italy. During our investigation it was not possible to find the infection vector, however banking Trojans use a variety of methods to infect victims including spam and drive-by downloads”, added Kaspersky.
Kaspersky revealed that the perpetrators removed all sensitive information from the server just two days after they started investigating it. Researchers are of the opinion that the perpetrators may have shifted their base to new infrastructure and that the campaign may still be running somewhere.
