eCRIME REVOLUTION

Dani Creus | @them0ux | Security Researcher, Global Research & Analysis Team, Kaspersky Lab
Marc Rivero | @seifreed | Senior eCrime IT Ers, Deloitte | CyberSOC

CONTEXT

‣ MOTIVATIONS

‣ OFF-LINE/ONLINE

‣ ACTORS AND VICTIMS

‣ TECHNIQUES, TACTICS AND PROCEDURES

‣ COMMUNITIES

Romantic Era (198X-2000)

‣ KNOWLEDGE, SELF-IMPROVEMENT
‣ INDIVIDUALISTS, SMALL GROUPS
‣ TARGETS (EXCEPTIONS)
‣ COMMUNITIES 1.0 (BBS, IRC)
‣ OFF-LINE / ONLINE

NUMB3RS

‣ ;1234567891234567=152024041234567891234?

“The only limit is your imagination! Original designs can be designed from any country worldwide, and in any language of your choice... from Scuba instructor, Warranty, Security, Massage Therapist, Auto Mechanic Instructor, Business License, Award, Real Estate, Degree and Diploma Certificates. Various Degrees, Ordained Minister, Royalty Titles, Kung Fu Master, Club Member, Library, Scuba Diver, International Driver, Frequent Flyer, Novelty Id Cards, Fake Driver License, Driver Permits, Security Social Card, New Identity, Membership cards, CIA, DEA, FBI, Private Detective, Bondsman, Bounty Hunter, Casino, Press, Access Cards and much more...or virtually any kind of product you desire.”

MALWARE (198X - 2000)

“EXPERIMENTAL” CHARACTER

‣ SELF-REPLICATION
‣ POLYMORPHISM
‣ MACRO VIRUSES
‣ RATS
‣ NEW FORMATS/SYSTEMS

1995 : CONCEPT (M)
1998 : CIH, NETBUS (R)
1999 : HAPPY99, MELISSA, SUB7, BACKORIFFICE (R)
2000 : ILOVEYOU (VBS)

ANTIVIRUS

‣ STATIC SIGNATURES
‣ AVP: (GUI / SOFTWARE + DB)

DIALERS

‣ MODIFY THE TELEPHONE CONNECTION
‣ PREMIUM-RATE/INTERNATIONAL BILLING (806, 903, 906)
‣ SOCIAL ENGINEERING
‣ “SOPHISTICATED” DISTRIBUTION
‣ “COMPLEX” SCHEME
‣ REACTION TIME : 30 DAYS

THE MIDDLE AGES (2000 – 2004)

‣ MONEY, KNOWLEDGE, INFORMATION… SELF-IMPROVEMENT…

‣ LARGER GROUPS

‣ DIVERSIFICATION OF TASKS

‣ VICTIMS -> USERS

‣ COMMUNITIES 2.0

“THE PLANET”

Malware (2000 – 2004)

‣ *MORPHISM
‣ KEYLOGGERS, RATS (OPTIX PRO, BEAST)
‣ MOBILE
‣ ADWARE

2001 : SADMIN, I - II, NIMDA..
2002 : , (OUTLOOK)
2003 : SLAMMER (SQL), BLASTER
2004 : , , CABIR, NUCLEUS

ANTIVIRUS -> ANTIMALWARE

‣ UPDATE SPEED
‣ HEURISTICS
‣ ANTI-EVASION

Industrial Revolution (2005 – 2014)

‣ ORGANIZED GROUPS / “NEW” ACTORS
‣ SPECIALIZATION/DIVERSIFICATION : PROFESSIONALIZATION
‣ NEW BUSINESS MODELS (FaaS)
‣ SUPPORT INFRASTRUCTURES
‣ TARGETS (INDUSTRIAL CONTROL SYSTEMS)
‣ SCHEMES: SOPHISTICATION AND AGGRESSIVENESS

Phishing

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.

‣ Pharming
‣ Spear phishing
‣ Phishing 2.0?

SERVICES

‣ SAM
‣ RDP
‣ Socks
‣ VPN
‣ BULLETPROOF HOSTING

Malware (2005-2014)

‣ 2007 :

‣ 2008 : , GPCode ,

‣ 2009 :

‣ 2010 : TDSS,, STUXNET

‣ 2011 : SPYEYE + ZEUS, LEAKS, DUQU, CARBERP, ROGUEWARE (FAKEAVs)

‣ 2012 : FLAME/SKYWIPER, SHAMOON, BITCOIN MINERS

‣ 2013/2014 : ATM MALWARE, POS, RANSOMWARE ROGUEWARE

Ransomware / Cryptolockers

Denial of service: DOS AS A SERVICE

BANKING TROJANS

‣ Attack techniques: SCREENSHOTS, PHARMING, PHISHING, KEYLOGGING, MITB, FORM GRABBING, CODE INJECTION
‣ Authentication mechanisms targeted: ID + Password, Virtual keyboard, Code card, OTP Token, SMS : mTAN

Source Code leaks

“Single” Infrastructure / DGA / Zeus P2P

C&C Tracking

2 cases: Analyzing Sinowal and Tatanga

‣ Sinowal injection, Man in the Browser, Intelligence in money extraction
‣ Tatanga behaviour, Compromised machine, Social engineering

LUUUK INVESTIGATION

TRANSACTION LOGS

+500,000 €

MULES

13test: The limit that the mules included in this group can accept is between 40,000 and 50,000 Euros, although there are drops in this group that show different limits, between 20,000 and 30,000.

14smallings: The limit that the drops in this group can accept is between 1,750 and 2,000 Euros.

14test: The limit that the drops included in this group can accept is between 15,000 and 20,000 Euros, although there are drops in this group that show different limits, between 45,000 and 50,000.

16smallings: The limit that the drops in this group can accept is between 1,750 and 2,000 Euros, although there are drops in this group that can accept a quantity between 2,500 and 3,000 Euros (as the group 14smallings).

MONEY MULES

THREAT PYRAMID - 2015

0.1% Cyber weapons

9.9% Targeted threats

90% Traditional crime

TARGETED THREATS

Duqu
  Classification: Cyber-espionage malware
  Detection: September 2011
  Active: Since 2010
  Facts: • Sophisticated Trojan • Acts as a backdoor into a system • Facilitates the theft of private information

Flame
  Classification: Cyber-espionage malware
  Detection: May 2012
  Active: Since 2007
  Facts: • More than 600 specific targets • Can spread over a local network or via a USB stick • Records screenshots, audio, keyboard activity and network traffic

Gauss
  Classification: Cyber-espionage malware
  Detection: July 2012
  Active: Since 2011
  Facts: • Sophisticated toolkit with modules that perform a variety of functions • The vast majority of victims were located in Lebanon

miniFlame
  Classification: Cyber-espionage malware
  Detection: October 2012
  Active: Since 2012
  Facts: • Miniature yet fully-fledged spyware module • Used for highly targeted attacks • Works as stand-alone malware or as a plug-in for Flame

Red October
  Classification: Cyber-espionage campaign
  Detection: January 2013
  Active: Since 2007
  Facts: • One of the first massive espionage campaigns conducted on a global scale • Targeted diplomatic and governmental agencies • Russian language text in the code notes

NetTraveler
  Classification: Series of cyber-espionage campaigns
  Detection: May 2013
  Active: Since 2004
  Facts: • 350 high profile victims in 40 countries • Exploits known vulnerabilities • Directed at private companies, industry and research facilities, governmental agencies

Careto / The Mask
  Classification: Extremely sophisticated cyber-espionage campaign
  Detection: February 2014
  Active: Since 2007
  Facts: • 1000+ victims in 31 countries • Complex toolset with malware, bootkit • Versions for Windows, Mac OS X, and Linux • Considered one of the most advanced APTs ever

GAUSS - 2012

LOADER AND COMMUNICATION MODULE

RELATIONSHIPS

RED OCTOBER - 2013

CVE-2009-3129, CVE-2010-3333, CVE-2012-0158, CVE-2011-3544

REGIN

DESERT FALCONS

EQUATION APT - 2015

‣ EQUATIONDRUG
‣ DOUBLEFANTASY
‣ EQUESTRE
‣ TRIPLEFANTASY
‣ GRAYFISH
‣ FANNY
‣ EQUATIONLASER

THREAT PYRAMID

0.1% Cyber weapons

9.9% Targeted threats

90% Traditional crime

Thank you!

Dani Creus | @them0ux | dani.creus at kaspersky dot com | more : securelist.com
Marc Rivero | @seifreed | [email protected] | more : ecrime.info