Unique local cyberattacks and international cooperation with criminal groups in Eastern Europe, unsound government security and vague legislation, theft of money and private data, direct offensive ops on local victims and criminal-to-criminal services. For the first time Kaspersky Lab shares its intelligence on the human side of underground cybercriminal activity. The first report in the Cyber Underground series reveals the hidden life of cybercriminals in Brazil, a country ranked among the most dangerous for digital citizens.
Biting the hand that feeds
Unlike cybercriminals in other countries, who in general do not respect borders and operate globally, Brazilian cybercriminals are focused on ripping off their own fellow countrymen and local businesses. One of the reasons is vague legislation, resulting in fewer arrests for cybercrimes: the report cites a few examples where exposed criminals ended up spending little to no time in jail. Perceived impunity leads to cybercrime operating almost in the open. In other words, researching the cyber underground in Brazil does not demand a lot of digging: criminals are mostly selling their goods and tools like a legitimate business, flashy landing pages and social network promotion included.
Operating locally does not mean that cybercriminals are not interacting with their counterparts in other countries. The report reveals how Brazilian criminals reach out to their colleagues in Eastern Europe. They share know-how, exchange favors and purchase services like bullet-proof web hosting. There is sufficient evidence that Brazilian criminals are cooperating with the Eastern European gangs involved with ZeuS, SpyEye and other banking Trojans created in the region.
Monitoring such activity around the world allows Kaspersky Lab to foresee the emergence of a certain cyber-attack and fine-tune protection methods, based on the knowledge obtained in another region.
Regional specifics are key to better understanding the threat landscape, and the Brazilian Cyber Underground report proves that. One of the most striking examples is the attack on boletos – banking documents specific to Brazil, used both online and offline to transfer money and pay for goods. Boletos are part of an online-offline system in which one generates a payment order on a computer, but then prints it on paper and goes to a brick-and-mortar institution to proceed with the transaction. Boletos rely on barcodes, and cybercriminals have found a way to manipulate them to redirect the money transfer to a different account.
In 2014 Brazil was ranked the most dangerous country for financial cyber-attacks. The constant monitoring of Brazilian cybercriminals’ malicious activities provides IT security companies with a good opportunity to discover new attacks related to financial malware.
Privacy issues and government security
Another notable weakness of the Brazilian cyber environment is the security of government and corporate IT resources. The report provides quite shocking examples, such as a seriously flawed government online resource leaving sensitive data about almost every Brazilian citizen in the open. Cybercriminals are also selling access to statewide data brokers, containing loads of private data, for a mere few dollars. In addition, an attack on a state IT resource has directly led to further elimination of the Amazon rainforest.
The report explores in depth the business-to-business operations of the Brazilian cyber underground, in which different groups cooperate and share their own part of intelligence or technology with each other. The so-called criminal-to-criminal ops are highly developed and widespread: a criminal is granted access to almost any service one can imagine, from illegal access to private data to made-to-order development of malware. A ransomware toolkit costs only US$30; a keylogger is ten times more expensive.
Intelligence is the key
“One could imagine the work of Kaspersky Lab’s security experts as day-after-day crunching of malicious code. And this perception is quite true, but the expertise in social and business side of the cyber underground is also important. This report shows some examples of this intelligence that helps us to fine-tune the protection for our customers and develop new security technology. In Brazil, like in almost all other countries, we know the agenda of cybercriminals; their current heists and future plans. Combining this knowledge with deep technical expertise of cyber threats, we are able to fight the cybercrime even more efficiently. At the same time, when you look at the Brazilian cyber environment, you see that even the greatest effort from a security company is not enough. The solution to a safer cyberspace is intelligence sharing and cooperation between the security industry, businesses and government, including law enforcement”, commented Fabio Assolini, senior security researcher at Kaspersky Lab’s Global Research & Analysis Team.