By Mor Ahuvia, Cybercrime Communications Specialist, RSA FraudAction™
In one of the most interesting cases of organized cybercrime this year, a cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign. Planned for this fall, the blitzkrieg-like series of Trojan attacks is set to be carried out by approximately 100 botmasters. RSA believes this is the making of the most substantial organized banking-Trojan operation seen to date
By investigating the group’s forum-post announcement and analyzing the Trojan, RSA has managed to link the cybergang’s weapon of choice to a little-known, proprietary Gozi-like Trojan, which RSA has dubbed “Gozi Prinimalka.” Derived from the Russian word meaning “to receive” and alluding to a Trojan drop point, the word “Prinimalka” appears as a folder name in every URL path given by the gang over the years to its crimeware servers. According to underground chatter, the gang plans to deploy the Trojan in an effort to complete fraudulent wire transfers via Man-In-The-Middle (MiTM) manual session-hijacking scenarios.
Previous incidents involving this Trojan, handled by RSA and other information security vendors, appear to corroborate the gang’s claims that since 2008 their Trojan has been at the source of siphoning US$5 Million from American bank accounts. Gozi Prinimalka’s similarity to the Gozi Trojan, both in technical terms and its operational aspects, suggests that the HangUp Team—a group that was previously known to launch Gozi infection campaigns—or a group closely affiliated with it, may be the troupe behind this ambitious scheme.
If successfully launched, the full force of this mega heist may only be felt by targeted banks in a month or two. The spree’s longevity, in turn, will depend on how fast banks and their security teams implement countermeasures against the heretofore-secret banking-Trojan.
Why Target American Banks?
Although the gang boasts anti-American motives with regards to its choice of future victims, the group’s more likely considerations stem from convenience and prior experience with defrauding and cashing out certain banks’ accounts. Another attractive element for the attackers appears to be the slim deployment of two-factor authentication (2FA) for private banking consumers in the US, unlike many European banks that generally require all consumers to use 2FA for wire transfers.
Forum chatter from members of this cyber gang seem to indicate plans to employ a unique technical model that essentially turns unrelated cybercriminals into trusted partners of the campaign’s masterminds, if such a thing can actually exist in a world of cyber thieves.
In a boot camp-style process, accomplice botmasters will be individually selected and trained, thereby becoming entitled to a percentage of the funds they will siphon from victims’ accounts into mule accounts controlled by the gang. To make sure everyone is working hard, each botmaster will select their own ‘investor,’ who will put down the money required to purchase equipment for the operation (servers, laptops) with the incentive of sharing in the illicit profits.
The gang and a long list of other accomplices will also reap their share of the spoils, including the money-mule herder and malware developers.
Gozi has always been a privately operated Trojan in which the key components have not been released publicly. RSA believes that this fact is not about to change. At no point in time will accomplice-botmasters receive the Gozi Prinimalka compiler. This model ensures that accomplice botmasters will be completely dependent on the Gozi Prinimalka gang for receiving new executable files. This implies that every instance of the Trojan detected in the wild will have necessarily been produced by the Trojan’s authors.
Weapon of Choice – Prinimalka
Often categorized by the infosec industry as Gozi (or its alias Ursnif), RSA’s research shows that Gozi Prinimalka features virtually identical bot-server communication patterns and URL trigger list, but that its deployment on infected PCs is very different. Whereas Gozi writes a single DLL file to its bots upon deployment, Prinimalka creates two files: An EXE file and a DAT file, with the latter reporting to the server the machine’s details and all the software installed on it. In addition, the registry keys and values written by Prinimalka and Gozi are completely different.
While the campaign is not revolutionary in technical terms, it will supposedly sport several noteworthy features.
A novel virtual-machine-synching module announced by the gang, installed on the botmaster’s machine, will purportedly duplicate the victim’s PC settings, including the victim’s time zone, screen resolution, cookies, browser type and version, and software product IDs. Impersonated victims’ accounts will thus be accessed via a SOCKS proxy connection installed on their infected PCs, enabling the cloned virtual system to take on the genuine IP address when accessing the bank’s website.
Using VoIP phone-flooding software, the gang plans to prevent victim account holders from receiving the bank’s confirmation call or text message used to verify new or unusual online account transfers.
In light of these reported findings and in view of the possibility that the Trojan attack spree will target US-based financial institutions that have not been heretofore targeted by the Gozi Prinimalka Trojan, RSA recommends banks review authentication procedures relevant to both online wire transfers and transfers performed over the telephone banking channel. RSA offers a number of products and services designed to help protect against sophisticated MITM Trojan attacks and we have informed our customers of actionable precautions they can take based on these findings.
Organized crime in the fraudster underground is normally orchestrated within private circles, and it is almost unheard of for a cyber gang to turn to masses of “UnderWeb” dwellers in order to find recruits for its operations. The move is both risky and peculiar considering recent law enforcement operations in the underground leading to extensive fraudster arrests by the FBI.
Additional underground chatter suggests that once the cyber gang achieves a critical mass of accomplice attackers that have mastered the use of the Gozi Prinimalka Trojan, the gang will set a pre-scheduled D-day to launch its spree, and attempt to cash out as many compromised accounts as possible before its operations are ground to a halt by security systems. If the gang’s plans do materialize, this campaign could be the largest coordinated attack on American financial institutions to date.
This cyber intelligence notice is based upon ongoing research and analysis by the RSA FraudAction research team. As part of our ongoing cooperation with the security community, RSA has shared details of this information with U.S. law enforcement as well as with its RSA FraudAction Global Blocking Network partners and security teams from the partially known list of potential target U.S. banks.
Still, it’s important to note that cyber criminals often make claims they do not necessarily act upon and they, along with other adversaries frequently change their tactics, abandoning unworkable lines of attack and developing new approaches. Security teams should consider the potential urgency and applicability of this intelligence within their specific organization’s threat matrix and risk profile.
As a Cybercrime Communications Specialist for RSA FraudAction, Mor Ahuvia has been at the forefront of online threats research for over four years. Keeping customers and the media apprised of the latest in malware, phishing, and the cybercriminal blackmarket, Mor’s blogs for the FraudAction Research Lab have been quoted in such publications as Dark Reading and Brian Krebs’ ‘On Security.’
 Known Gozi Prinimalka MD5 Hashes: