Churn Under the Surface of Global Cybercrime
Global cybercrime actors generally adhere to the same principle as a handyman: if it's not broken, don't fix it. But that is not so easy when malware works in one area and attackers want to use it to target a new audience or geography.
Moving malware across borders to a new target geography means more resources for everything, from a relatively easy change to the malware configuration file to the acquisition of new target email lists, new spam delivery mechanisms, an understanding of local banks' authentication requirements, new local money mules and the development of webinjections that correspond with the transaction flow for each target.
Testing the Waters
After the initial investment and the establishment of a connection with local crime factions, the time comes to launch actual infection and attack campaigns. To test the waters, cybercrime gangs deploy a small number of infections in a new geography and check the malware's operation to ensure success before ramping up to a large deployment. They do that to estimate the potential for success in the new geography, reduce the risk that they will be caught early on and, for astute observers, foreshadow a bigger boom in the malware.
The crew operating TrickBot, which emerged in August 2016, launched the malware during a testing and development period to turn it into a banking Trojan and work out the bugs before its actual deployment in the U.K. and other English-speaking countries. It then promptly moved to Germany.
Growing Attack Sophistication, or Just Growing Attacks?
Dear reader: this post and the paper it leads to are both part of my research work at IBM X-Force. You can go to the original post here and obtain the paper there as well.