Trend Micro Incorporated, exposed a Russian national in his 20s who has been targeting users in the US and Asia. The attacker goes by the name “Soldier” in the criminal underground.
This specific attacker has been successful in increasing his network of infected users and has also and also has been known to buy traffic from other cybercriminals. Besides using malware to steal money from the compromised accounts, user security credentials were also stolen.
During the investigation, Trend Micro discovered that the cybercriminal toolkits including SpyEye and ZeuS, as well as exploit kits such as those for driving blackhat SEO to propagate his SpyEye and ZeuS binaries.
Loucif Kharouni, Senior Threat Researcher of Trend Micro who takes part in the team investigating Soldier said “cybercriminals have been attacking and taking advantage of users to steal personal data and Trend Micro Threat Researchers are constantly looking, identifying and researching their activities, in order to protect customers from such hackers.”
Using the IP addresses of the victims that were recorded by the SpyEye command and control server, Trend Micro was able to determine the network to which the IP address was assigned. A wide variety of large organizations and US multi-nationals in a variety of sectors were represented and a handful across 90 different countries globally.
Trend Micro does not believe these large organizations and US multi-nationals were originally the intended target but instead believe that they were impacted following enduser compromise. Control over bots (infected victim systems) is routinely sold to other criminals who perform other data-stealing activities, thereby making these networks vulnerable to further compromise and possible fraud.
While SpyEye is known as a banking Trojan, it is quite capable of stealing all forms of credentials. Trend Micro processed the data for well-known services and found that many credentials, especially for Facebook, had been stolen.
The SpyEye variant that was used for the above-mentioned operation is detected as TSPY_SPYEYE.EXEI. Trend Micro has also blocked access to related remote sites using our Web Reputation Service.
Such information gives Trend Micro a clearer view of what goes on within a botnet as prominent as those created with SpyEye, attaining more information on how cybercriminals do business, their targets, and what kind of information they seek, hopefully leading to discover how to dismantle these operations and prevent them from stealing users’ hard-earned money.
Kharouni further says, “Compromise on such a mass scale is not that unusual for criminals using toolkits like SpyEye, but the amounts stolen and the number of large organizations potentially impacted is cause for serious concern.”