Cybercrime International, Ltd.

April 8, 2016

Kaspersky Lab experts have conducted extensive research on Latin American (specifically, Brazilian) and Russian cybercrime circles, and recent discoveries show that these “bad guys” have started cooperating for mutual benefit, which increases the risks for their potential victims.

According to Securelist’s Thiago Marques, Brazilian malware continues to evolve day by day and is becoming increasingly sophisticated, even though until recently it was rather simple. Analyzing and detecting it wasn’t much of a chore “due to no obfuscation, no anti-debugging technique, no encryption, plain-text only communication, etc.”

The picture has changed, however. Brazilian and Russian-speaking criminals have established a system of cooperation in recent years, with the former seeking out samples on Russian underground forums, buying new crimeware and ATM/PoS malware, or offering their own services. Brazilian malware, in turn, has become much more of a problem for victims and security researchers as new techniques for detection avoidance and code obfuscation, along with rootkit and bootkit functions, have arrived. These technologies, Kaspersky Lab experts said, were developed in the Russian cyberunderground.

The trade is two-way; the cooperation helped speed up malware evolution.


Not only has a system of cooperation been established; Brazilian and Russian cybercrooks now also share the same malicious infrastructure.

For example, a few months after an allegedly Russian banking Trojan family (Crishi) started using an algorithm that generated domains on abuse-resistant hosting in Ukraine, the Brazilian criminals behind the infamous Boleto malware campaigns started using the very same infrastructure.

“Without some form of cooperation between the Boleto actors and those behind the domain-generating algorithm, it would have been impossible to make identification of command and control servers more difficult for researchers and law enforcement agencies”, Kaspersky Lab reports.

Malware evolution may make individual users and businesses more likely to become victims of cyberattacks. The international cooperation of cybercriminals per se doesn’t matter much: after all, crime doesn’t have borders.

But as the criminals join forces “intercontinentally” to improve their crimeware together, businesses and LEAs should work together as well. Cybersecurity is everybody’s business – today more, perhaps, than ever.