Page 1
Cybercrime in Russia: Trends and issues
Robert Lipovsky, Aleksandr Matrosov and Dmitry Volkov
Page 2
This presentation is confidential and not subject to public disclosure.
Page 3
Agenda
General cybercrime trends in 2010
Most prevalent threats and incidents
Reasons for the incidents’ growth
Evolution of the cash-out scheme
Legal evasions and loopholes
Successful criminal prosecutions
Analysis of malware used in the attacks
Page 4
Group-IB
o First and only public company in Russia engaged in digital crime investigation and computer forensics consulting
o Established in 2003
o Assistance to law enforcement authorities on particularly difficult cases
o Partners and researchers in 48 countries
o Russian HoneyPot-Net project
o 24/7 monitoring and incident response
Page 5
Cybercrime in 2010*
Global computer crime market turnover: 7 billion dollars
Share of the market attributed to cybercriminals living in Russia: ~1.3 billion dollars (~19% of the global cybercrime market)
Share attributed to cybercriminals from Russian-speaking countries: ~2.5 billion dollars (~36% of the global cybercrime market)
*research report "The Russian cybercrime market in 2010: status and trends” http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf
Page 6
Most prevalent threats and incidents*
1. Fraud targeted at Russian banks and payment systems
2. SMS fraud using premium numbers (“winlockers”/LockScreen trojans)
3. DDoS attacks: growth in number and in power
4. Unauthorized access to sensitive corporate information
*research report "The Russian cybercrime market in 2010: status and trends” http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf
Page 7
[Chart: incident statistics by Group-IB forensic lab, 2009 vs. 2010, by category (bank fraud, DDoS, brand attacks, unauthorized access); y-axis: number of incidents, 0 to 1000. Bar labels as extracted: 30, 60, 92, 586 and 72, 124, 213, 931.]
SMS fraud (LockScreens) not shown because the numbers are disproportionately greater
Share of cybercriminals living in Russia estimated to increase to 1.8 billion dollars in 2011 (vs. 1.3 billion in 2010)
Page 8
DDoS attacks: growth in number and power
o Most powerful attack: 100 Gb/sec (victims: UkrTelecom, Yandex, EvoSwitch, but the real target was a dating affiliate program)
o Attackers DDoS the bank when a fraudulent transaction exceeds 150 000 $ (the attack covers the transfer while it clears)
Page 9
SMS fraud using premium numbers: LockScreen malware
o If your country is affected, please contact us for information
o Group-IB developed a case tutorial for this type of investigation
Page 10
Reasons for the incidents’ growth
o Legal evasions and loopholes
o Low cost of services in Russia
o Lack of legal jobs for young IT specialists
o High profit and minimal investment in cybercrime
o Weak information security at victims vs. highly active cybercrime groups
o Shift of attack targets back to the former USSR :)
Page 11
Cost of services in Russia
Hacking of a website: from $50
Guaranteed hack of a mailbox (Yandex, Mail, Rambler, Gmail): from $45
Mobile phone bugging (interception): from $5000
SMS service bugging (interception): from $1000
Mass distribution of trojans and spyware: from $20 (per 1000 users)
Spam services:
o 400,000 companies: $55
o 1,800,000 private persons: $100
o 90,000 companies in St. Petersburg: $30
o 450,000 private persons in Ukraine: $50
o 6,000,000 private persons in Russia: $150
o 4,000,000 emails on @mail.ru: $200
Page 12
Evolution of the cash-out scheme: for amounts up to 40k $
Page 13
Evolution of the cash-out scheme: for amounts 40-200k $
Page 14
Evolution of the cash-out scheme: for amounts over 200k $
Page 15
Chapter 28 of the Penal Code: criminal responsibility
Article 272. Illegal Access to Computer Information: maximum fine of 300 000 RUB or imprisonment for up to 5 years
Article 273. Development, Use and Spreading of Malicious Software: imprisonment for up to 7 years
Article 274. Violation of Rules for the Operation of Computers, Computer Systems or Their Networks: imprisonment for up to 4 years
Page 16
Legislative initiatives
The Committee against Cyber-Crime at the Russian Association of Electronic Communication (RAEC)
Improvement of Russian legislation in the field of cybercrime
Anti-spam legislation
Support against online child pornography
Page 17
Successful criminal prosecutions
o Group-IB, the Economic Crimes Division and Department K of the MVD busted a group of cybercriminals who developed and spread the “LockScreen” malware
o 10 cybercriminals have been arrested
Page 18
Successful criminal prosecutions
Leo Kuvaev case (BadCow)
Page 19
Successful criminal prosecutions: Leo Kuvaev case (BadCow)
Page 20
Successful criminal prosecutions: DDoS case (Cxim)
o Provided DDoS as a service
o Arrested for DDoS against Russian banks
o 8 months in jail
Page 21
Successful criminal prosecutions: Russian bank-fraud case
Group #1
o stole 600 000 $ in a single transaction
o case in court
o used Win32/Sheldor
Group #2
o stole 832 000 $ (over 1 month)
o case in court
o used phishing sites (hosted on Gogax)
Page 22
Interesting facts about Russian bank fraud
1. Mass distribution since 2009
2. Six cybercrime groups attacking Russian banks
3. Maximum amount stolen at one time from a single bank account: 14 814 820 $
Page 23
Interesting facts about Russian bank fraud
These guys are still free!
Page 24
Analysis of malware used in the attacks on Russian Internet Banking systems
Page 25
Overview
2010: the year of attacks on Russian banks
• The number of incidents has more than doubled compared to 2009*
• Over 95%* of incidents involve banking trojans
• Malware tailored to Russian banks and payment systems
• However! It can be (and is) used in other countries as well
*research report "The Russian cybercrime market in 2010: status and trends” http://www.group-ib.ru/wp-content/uploads/2011/04/Group-IB_Report_Russian-cybercrime-market_2010_eng.pdf
Page 26
[Chart: malware family share by incidents (%), last 6 months, as investigated by Group-IB; y-axis 0 to 40%]
Page 27
Most prevalent banking malware in Russia
Win32/RDPdoor: backdoor; uses MS Remote Desktop; botnet
Win32/Sheldor: backdoor; abuses the TeamViewer application; botnet
Win32/Carberp: universal trojan with modules for targeted attacks on Russian banks; botnet
Win32/Hodprot: downloader; installs other malware modules; strong encryption of its C&C protocol
Win32/Qhost: malware that modifies the hosts file
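Win32/Qhost's whole technique is the hosts-file redirection, so the check a responder wants is a hosts parser that flags banking or payment domains resolved to anything but loopback. The following is an added example, not code from the presentation or from Group-IB/ESET; the sample hosts file, the watched domains and the address 203.0.113.5 (a TEST-NET address) are all constructed for illustration.

```python
import ipaddress

# Constructed sample hosts file (not taken from the presentation): standard
# loopback lines plus two Qhost-style redirections of banking/payment domains
# to an attacker-controlled address (203.0.113.5 is a TEST-NET address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.5     online.examplebank.test www.online.examplebank.test  # injected
203.0.113.5     cyberplat.test
"""

# Hypothetical watch list: domains of the banking/payment systems in use.
# None of them should ever appear in the hosts file.
WATCHED_DOMAINS = {"online.examplebank.test", "cyberplat.test"}


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs; comments and blank lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address: malformed line, ignore
        for host in fields[1:]:
            yield ip, host.lower()


def find_hosts_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched domains (or their subdomains)
    mapped to a non-loopback address, i.e. a Qhost-style redirection."""
    findings = []
    for ip, host in parse_hosts(text):
        if ip.is_loopback:
            continue
        if any(host == d or host.endswith("." + d) for d in watched):
            findings.append((host, str(ip)))
    return findings


if __name__ == "__main__":
    for host, ip in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"hosts hijack: {host} -> {ip}")
```

On a live Windows box the input is `%SystemRoot%\System32\drivers\etc\hosts`; the loopback exemption keeps the legitimate `localhost` lines quiet while any watched domain pointed elsewhere is reported.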
Page 28
Win32/RDPdoor
Page 29
Win32/RDPdoor overview: stealing money using MS Remote Desktop
Appearance: first samples detected in April 2010
Cost: ~ 2 000 $
Key feature: abuses components of Thinsoft BeTwin for RDP
• Most prevalent banking trojan in Russia
• Bypasses advanced security mechanisms (smartcards, etc.): the attacker operates the banking client remotely on the victim's own machine, where the token is already present
Page 30
Win32/RDPdoor detection statistics by country (cloud data from ThreatSense.Net, April 2010 – March 2011): Russia, Ukraine, Kazakhstan, Belarus, Thailand, Bulgaria, United States, Israel, Moldova, rest of the world
Page 31
Win32/RDPdoor installation (infected computer and Win32/RDPdoor C&C)
1. Run the dropper and send system information to the C&C
2. Authentication on the C&C; the C&C provides Thinsoft BeTwin for installation
3. Send status information
Page 32
Win32/RDPdoor installation
Page 33
Win32/RDPdoor installation
Page 34
Stealing authentication data
1. Install a GINA extension DLL
2. Display a fake logon screen
3. Capture user name and password
4. Send them to the C&C
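The GINA step above leaves two durable artifacts on a Windows XP/2003 host (GINA was replaced by credential providers from Vista on): a `GinaDLL` value under the Winlogon key pointing at something other than `msgina.dll`, and the BeTwin service the slides name (`BeTwinServiceXP`). The following is an added example, not code from the presentation or from Group-IB/ESET, that parses a `.reg` export and reports both. The export fragment, the DLL name `ginastub.dll` and the image path `C:\bt.exe` are constructed; only the Winlogon key, the `GinaDLL` value name and the service name come from Windows documentation and the slides.

```python
# Constructed .reg export fragment (not from the presentation). The GinaDLL
# value and the BeTwin service entry are hypothetical illustrations of what an
# RDPdoor-style installation can leave behind on Windows XP; real paths differ.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"GinaDLL"="C:\\WINDOWS\\system32\\ginastub.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BeTwinServiceXP]
"ImagePath"=hex(2):43,00,3a,00,5c,00,62,00,74,00,2e,00,65,00,78,00,65,00,00,00
"Start"=dword:00000002
"""

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SERVICES_PREFIX = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Handles quoted REG_SZ, dword: and single-line hex(2): (REG_EXPAND_SZ,
    stored as UTF-16LE bytes); other value types are kept as raw text."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            reg[key] = {}
        elif key is not None and line.startswith('"') and "=" in line:
            name, _, val = line.partition("=")
            name = name.strip('"')
            if val.startswith('"'):
                # .reg escapes backslashes and quotes inside REG_SZ values
                reg[key][name] = val[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            elif val.startswith("dword:"):
                reg[key][name] = int(val[len("dword:"):], 16)
            elif val.startswith("hex(2):"):
                raw = bytes(int(b, 16) for b in val[len("hex(2):"):].split(",") if b)
                reg[key][name] = raw.decode("utf-16-le").rstrip("\0")
            else:
                reg[key][name] = val
    return reg


def find_rdpdoor_artifacts(reg):
    """Return (what, detail) findings: a non-default GINA DLL, and any service
    whose name or image path refers to BeTwin."""
    findings = []
    gina = reg.get(WINLOGON_KEY, {}).get("GinaDLL")
    # Winlogon uses msgina.dll when GinaDLL is absent; any other value is a
    # replacement GINA that is handed every user name and password typed at logon.
    if gina and gina.lower().rsplit("\\", 1)[-1] != "msgina.dll":
        findings.append(("GinaDLL", gina))
    for key, values in reg.items():
        if key.startswith(SERVICES_PREFIX):
            service = key[len(SERVICES_PREFIX):]
            image = str(values.get("ImagePath", ""))
            if "betwin" in (service + " " + image).lower():
                findings.append(("service", f"{service} -> {image}"))
    return findings


if __name__ == "__main__":
    for what, detail in find_rdpdoor_artifacts(parse_reg(SAMPLE_REG)):
        print(f"{what}: {detail}")
```

The export is produced with `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon winlogon.reg` and the same for the Services key; the parser only handles single-line `hex(2):` values, so long `ImagePath` entries that regedit wraps with a trailing backslash need to be joined first.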
Page 35
Win32/RDPdoor bot commands
“P”: change password for the BeTwin terminal session
“B”: reinstall the BeTwinServiceXP module
“S”: administration of the BeTwin terminal session
“R”: install the BeTwinServiceXP module
“T”: BeTwin backconnection initialization
“U”: update main modules and configuration
Page 36
Win32/RDPdoor bot commands
Page 37
Win32/RDPdoor updating
A new dropper with a new configuration embedded is received after the “U” command
Page 38
Win32/Sheldor
Page 39
Win32/Sheldor overview
Appearance: first samples detected in June 2010
Cost: ~ 2 500 $
Key feature: abuses the TeamViewer application for remote access
• Using the TeamViewer cloud adds another level of anonymity (the attacker's session is relayed by TeamViewer's servers, so the victim never sees a direct connection from the attacker)
Page 40
Win32/Sheldor detection statistics by country (cloud data from ThreatSense.Net, April 2010 – March 2011): Russia, Ukraine, Kazakhstan, Moldova, United States, China, Belarus, Israel, Georgia, rest of the world
Page 41
Win32/Sheldor and TeamViewer in action (infected computer, TeamViewer cloud, Win32/Sheldor C&C)
1. Request cloud ID (infected computer to TeamViewer cloud)
2. Set cloud ID (TeamViewer cloud to infected computer)
3. Send ID to C&C: GET /getinfo.php?id=414%20034%20883&pwd=6655&stat=1
4. Malicious connection (attacker to infected computer through the TeamViewer cloud)
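The check-in in step 3 is the one network artifact of Sheldor that does not look like normal TeamViewer traffic: a plain HTTP GET to `getinfo.php` carrying the victim's TeamViewer ID and password as query parameters. The following is an added example, not code from the presentation or from Group-IB/ESET, that hunts for that shape in proxy logs. Only the request `/getinfo.php?id=<ID>&pwd=<password>&stat=1` comes from the slide; the log format, hosts, client addresses and timestamps are constructed, and the 9-digit TeamViewer ID / numeric password rule is an assumption about TeamViewer IDs of that era.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed proxy log lines (not from the presentation). Only the request
# shape "/getinfo.php?id=<TeamViewer ID>&pwd=<password>&stat=1" is taken from
# the slide; hosts, client IPs and timestamps are invented.
SAMPLE_LOG = """\
2011-03-02T10:14:07Z 10.0.0.17 GET http://c2.example.test/getinfo.php?id=414%20034%20883&pwd=6655&stat=1 200
2011-03-02T10:14:09Z 10.0.0.17 GET http://www.teamviewer.com/en/download/index.aspx 200
2011-03-02T10:15:41Z 10.0.0.23 GET http://shop.example.test/getinfo.php?id=42&page=1 200
2011-03-02T10:16:02Z 10.0.0.31 GET http://c2.example.test/getinfo.php?id=512123456&pwd=1234&stat=0 200
"""

TV_ID = re.compile(r"^\d{9}$")  # assumption: classic 9-digit TeamViewer ID


def extract_sheldor_beacons(log_text):
    """Return (client_ip, c2_host, teamviewer_id, password) for every request
    that matches the Sheldor check-in: a getinfo.php URL whose id= parameter
    decodes to a 9-digit TeamViewer ID and whose pwd= parameter is numeric.
    Lines in other shapes (non-GET, other paths, unrelated getinfo.php) are skipped."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "GET":
            continue
        client, url = fields[1], fields[3]
        parts = urlsplit(url)
        if not parts.path.endswith("/getinfo.php"):
            continue
        query = parse_qs(parts.query)  # turns id=414%20034%20883 into "414 034 883"
        tv_id = query.get("id", [""])[0].replace(" ", "")
        password = query.get("pwd", [""])[0]
        if TV_ID.match(tv_id) and password.isdigit():
            hits.append((client, parts.hostname, tv_id, password))
    return hits


def c2_hosts(log_text):
    """Distinct C&C hostnames seen in beacons, for blocking or pivoting."""
    return sorted({host for _, host, _, _ in extract_sheldor_beacons(log_text)})


if __name__ == "__main__":
    for client, host, tv_id, password in extract_sheldor_beacons(SAMPLE_LOG):
        print(f"{client} -> {host}: TeamViewer ID {tv_id}, password {password}")
```

The ID and password in a hit are exactly what the operator needs to connect, so a confirmed beacon means the host was remotely operable from the moment of that request; the TeamViewer session itself goes through TeamViewer's own servers and will not show up as a connection to the C&C host.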
Page 43
Under the hood: DLL hooking
TeamViewer.exe -> TV.dll (proxy DLL) -> TS.dll (original TS.dll): the proxy DLL sits between TeamViewer.exe and the original TS.dll
Page 44
Malicious DLL call graph
Page 45
Malicious DLL decompilation (annotated regions): loads the original TS.dll; hooks functions; functions for calling from the original TS.dll; C&C URL
Page 46
Win32/Sheldor bot commands
exec: download an additional module and run it via ShellExecute/CreateThread
monitor_off: send command “stop monitoring” to C&C
monitor_on: send command “start monitoring” to C&C
power_off: ExitWindowsEx(EWX_POWEROFF, SHTDN_REASON_MAJOR_OPERATINGSYSTEM)
shutdown: ExitWindowsEx(EWX_REBOOT, SHTDN_REASON_MAJOR_OPERATINGSYSTEM)
killbot: delete all files, directories and registry keys
Page 47
Sheldor C&C panel
Page 48
Win32/Carberp
Page 49
Win32/Carberp overview
Appearance: first samples detected in February 2010
Cost: ~ 9 000 $
Key feature: advanced information-stealing trojan with plug-ins
• Customizable to specific banks
• Man-in-the-browser attacks (IE, Firefox)
• Grand theft: real cases with millions of $$$ stolen
Page 50
Win32/Carberp detection statistics by country (cloud data from ThreatSense.Net, April 2010 – March 2011): Russia, Ukraine, Spain, United States, Turkey, Kazakhstan, Italy, Mexico, Thailand, Netherlands, Argentina, Belarus, Greece, United Kingdom, rest of the world
Page 51
C&C panel: Bots by country
Page 52
Win32/Carberp detections over time in Russia (cloud data from ThreatSense.Net, April 2010 – March 2011)
Page 53
Win32/Carberp bot commands
update: download a new version of Carberp
dexec/download: download and execute a PE file
kill_bot/killuser: delete the trojan from the system; delete the user's Windows account (latest version)
startsb/loaddll: download a DLL and load it into the trojan's memory address space
grabber: grab HTML form data and send it to C&C
Page 54
Win32/Carberp self-protection (Win32/Carberp.W vs. Win32/Carberp.X)
o Bypassing AV emulators: many calls of GUI WinAPI functions (both variants)
o Code injection method: ZwResumeThread() (.W) / ZwQueueApcThread() (.X)
o Command and string encryption: custom encryption algorithm
o Bot authentication on C&C: file with authentication data stored on the infected PC
o API function encryption: custom encryption algorithm (both variants)
o Detection of AV hooks: comparison of the first original bytes (both variants)
o Bypassing static AV signatures: adds random junk bytes to dropped files (both variants)
o Hiding in the system: hooks system functions (both variants)
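Two rows of the table are the same operation seen from opposite sides. "Detection of AV hooks: comparison of the first original bytes" is the malware reading a function's first bytes in memory and comparing them with the clean copy so it can route around an AV hook; "Hiding in the system: hooks system functions" is the malware planting exactly the kind of inline detour that comparison finds. The following is an added example, not code from the presentation or from Group-IB/ESET, of that comparison as a defender would run it against an export table. The byte strings are constructed: a clean Windows XP style ntdll syscall stub (`mov eax, imm32 ; mov edx, 7FFE0300h ; call [edx] ; ret 2Ch`), the same stub after a five-byte `jmp rel32` was written over it, and hypothetical addresses.

```python
import struct

# Constructed byte strings (not from the presentation): the shape of a Windows XP
# ntdll syscall stub as it is on disk (mov eax, imm32 ; mov edx, 7FFE0300h ;
# call [edx] ; ret 2Ch) and the same stub after an inline JMP hook was written
# over its first five bytes. Addresses are hypothetical.
CLEAN_STUB = bytes.fromhex("b8 91 00 00 00 ba 00 03 fe 7f ff 12 c2 2c 00")
HOOKED_STUB = bytes.fromhex("e9 4b 3e 6f 93 ba 00 03 fe 7f ff 12 c2 2c 00")
STUB_VA = 0x7C90D750  # hypothetical virtual address of the stub in memory

# {export name: (virtual address, bytes read from the file on disk,
#                bytes read from the live process)} -- constructed sample.
SAMPLE_EXPORTS = {
    "NtQueryDirectoryFile": (STUB_VA, CLEAN_STUB, HOOKED_STUB),
    "NtCreateFile": (STUB_VA + 0x30, CLEAN_STUB, CLEAN_STUB),
}


def detect_inline_hook(disk_bytes, mem_bytes, va, n=5):
    """Compare the first n bytes of a function in memory with the clean copy
    from disk. Returns None when they match; otherwise a dict naming the detour
    type and, where the patch is a recognisable jump, its target address."""
    if mem_bytes[:n] == disk_bytes[:n]:
        return None
    info = {"va": va, "patched": mem_bytes[:n].hex(), "original": disk_bytes[:n].hex()}
    op = mem_bytes[0]
    if op == 0xE9 and len(mem_bytes) >= 5:  # jmp rel32: target = next instruction + rel
        rel = struct.unpack_from("<i", mem_bytes, 1)[0]
        info["kind"], info["target"] = "jmp rel32", (va + 5 + rel) & 0xFFFFFFFF
    elif op == 0x68 and len(mem_bytes) >= 6 and mem_bytes[5] == 0xC3:  # push imm32 ; ret
        info["kind"], info["target"] = "push/ret", struct.unpack_from("<I", mem_bytes, 1)[0]
    elif mem_bytes[:2] == b"\xff\x25" and len(mem_bytes) >= 6:  # jmp dword ptr [abs32]
        info["kind"], info["target"] = "jmp [mem]", struct.unpack_from("<I", mem_bytes, 2)[0]
    else:
        info["kind"], info["target"] = "unrecognised patch", None
    return info


def scan_exports(exports):
    """Run the comparison over a whole export table; returns {name: hook info}
    for the hooked functions only."""
    hooked = {}
    for name, (va, disk_bytes, mem_bytes) in exports.items():
        hit = detect_inline_hook(disk_bytes, mem_bytes, va)
        if hit:
            hooked[name] = hit
    return hooked


if __name__ == "__main__":
    for name, hit in scan_exports(SAMPLE_EXPORTS).items():
        print(f"{name} @ {hit['va']:#010x}: {hit['kind']} -> {hit['target']:#010x}")
```

The same logic is what the malware runs in reverse: once it knows the original five bytes, it can execute them itself and jump past the hook, which is why an AV hook on `ntdll` exports is a weak control against a family that does this check. For a defender, the on-disk copy must be mapped and relocated before comparing; syscall stubs carry no relocations, which is why they make a clean first target for the scan.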
Page 55
Win32/Carberp distribution channels
o Direct distribution: exploit pack
o Distribution via partners: affiliate program (“partnerka”) with affiliate IDs tracked in a control panel; traffic from BlackHat SEO, infected blogs, etc.
Page 56
Win32/Carberp botnet control panel
Page 57
Win32/Carberp control panel – Bank settings
Page 58
Cab-files with stolen data
Page 59
Stolen data: BS-Client IB system
Page 60
Stolen data: CyberPlat payment system
Page 61
Stolen data: iBank IB system
Page 62
Stolen data: SberBank IB
Page 63
Stolen data: UkrSibBank IB
Page 64
Win32/Carberp summary
o Cybercrime kit using multiple stealing techniques
o Since early 2010 targeting other regions too
o Several independent cybercrime groups involved
o Joint investigation of Russian police, Group-IB and ESET
Page 65
Summary
Win32/RDPdoor: first appearance April 2010; cost 2000 $; prevalence Russia, Ukraine, Kazakhstan; remote access via RDP (ThinSoft BeTwin); information stealing manual
Win32/Sheldor: first appearance June 2010; cost 2500 $; prevalence Russia, Ukraine, Kazakhstan; remote access via TeamViewer; information stealing manual
Win32/Carberp: first appearance February 2010; cost 9000 $; prevalence Russia, Ukraine, Spain, USA; remote access via plug-ins; information stealing automated
Plug-ins, complexity and botnet: shown graphically on the slide, values not present in the text
Page 66
Conclusion
• Banks in other countries are becoming new targets of Russian cybercrime groups
• Attackers respond to new security measures with new methods to bypass them
• Cybercriminals use stolen money to stay out of jail
• Disabling C&C servers is not enough to stop them
• The only way to fight them is through cooperation
Page 67
Questions
Page 68
Thank you for your attention ;)
Robert Lipovsky, ESET [email protected]
Aleksandr Matrosov, ESET [email protected]
@matrosov
Dmitry Volkov, Group-IB [email protected]
@groupib