Attacks/Breaches

10/28/2013
11:51 AM
50%
50%

Dutch Banking Malware Gang Busted: Bitcoin's Role

Dutch police arrest four men on charges of using TorRAT banking malware to steal an estimated $1.4 million from consumers. They allegedly laundered the funds using the cryptographic currency known as Bitcoins.

Dutch cybercrime police last week busted four men on charges that they used the banking malware known as TorRAT to steal an estimated $1.4 million from consumers, which they allegedly laundered using the cryptographic currency known as Bitcoins.

TorRAT is a remote-access Trojan (RAT), designed to steal online banking information, which receives command-and-control (C&C) instructions via the anonymizing Tor network. By using Tor, the botnet's operators can disguise the commands they send to infected PCs and hide the flow of stolen data being transmitted from infected PCs to attacker-controlled servers.

The Windows malware was distributed in part via hacked Twitter feeds, but largely via phishing attacks written in Dutch that targeted online banking users in the Netherlands. "Users fell victim to this threat by clicking fake invoices in specially crafted spammed messages," said Trend Micro senior threat researcher Feike Hacquebord in a blog post. "These invoices did not have the usual grammar and spelling errors like the ones in typical spam runs sent by fellow con men who are not native speakers."

Police said the TorRAT gang coordinated their operations using Tor Mail -- which was designed to provide users with anonymous, private communications -- and ultimately stole funds from at least 150 Dutch bank accounts.

[ Why should consumers be forced to clean up when their personal data is breached? Read Experian Breach Fallout: ID Theft Nightmares Continue. ]

Stealing victims' money was the easy part. Actually converting it to cash was much more difficult, and a single mistake might leave clues that authorities could trace back to the gang members' real identity. "It is relatively straightforward to manipulate bank transactions on an infected computer. But you need mules for laundering stolen money," said Hacquebord. "The Dutch gang allegedly laundered money through Bitcoin transactions and even set up their own Bitcoin exchange service -- FBTC Exchange -- that went dark after the arrests."

The Dutch investigation also resulted in police seizing from the TorRAT gang 56 Bitcoins, which authorities exchanged for over 7,700 euros ($10,000).

How did Dutch computer crime police trace the men? While authorities haven't revealed what tipped them off, the arrests may have resulted directly from an FBI sting operation earlier this year that resulted in the arrest in Dublin of 28-year-old Eric Eoin Marques on child pornography distribution charges. Marques was also accused of being the operator of Freedom Hosting, which hosted multiple anonymous Tor software services, including Tor Mail, although the hosting service wasn't affiliated with the Tor Project.

The FBI apparently hacked into the Freedom Hosting site and made it serve malware that targeted a bug -- since patched -- in the Firefox browser that underpins the Tor Browser Bundle (TBB), which is the easiest way to access the anonymizing Tor network. The malware planted a tracking ID onto a TBB-using PC, which allowed the FBI to trace the IP address for the computer, helping it identify the user. Accordingly, the FBI may have shared the real IP addresses of the alleged Tor Mail-using TorRAT gang members with Dutch police.

Last week's takedown of the alleged TorRAT gang also followed the arrest earlier this month of Ross William Ulbricht, 29. The FBI accused Ulbricht, aka Dread Pirate Roberts, of running the notorious online narcotics marketplace known as the Silk Road. Reachable only via the Tor network, the site generated more than $1.2 billion in sales and $80 million in commissions during the more than two years in which it operated, authorities estimated. But even the combination of using Bitcoins as currency and the Tor network to hide participants' identities didn't prevent the FBI from tracing transactions back to the online marketplace's alleged owner.

Last week, the FBI announced that it had seized a second stash of Bitcoins belonging to Ulbricht, which brought the total number of seized Bitcoins to 173,991. At current Bitcoin exchange rates, they would be worth more than $34.1 million.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
FTC Opens Probe into Equifax Data Breach
Jai Vijayan, Freelance writer,  9/14/2017
Equifax CIO, CSO Step Down
Dark Reading Staff 9/15/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.