
Dutch Banking Malware Gang Busted: Bitcoin's Role

Dutch police arrest four men on charges of using TorRAT banking malware to steal an estimated $1.4 million from consumers. They allegedly laundered the funds using the cryptographic currency known as Bitcoins.

Dutch cybercrime police last week busted four men on charges that they used the banking malware known as TorRAT to steal an estimated $1.4 million from consumers, which they allegedly laundered using the cryptographic currency known as Bitcoins.

TorRAT is a remote-access Trojan (RAT), designed to steal online banking information, which receives command-and-control (C&C) instructions via the anonymizing Tor network. By using Tor, the botnet's operators can disguise the commands they send to infected PCs and hide the flow of stolen data being transmitted from infected PCs to attacker-controlled servers.

The Windows malware was distributed in part via hacked Twitter feeds, but largely via phishing attacks written in Dutch that targeted online banking users in the Netherlands. "Users fell victim to this threat by clicking fake invoices in specially crafted spammed messages," said Trend Micro senior threat researcher Feike Hacquebord in a blog post. "These invoices did not have the usual grammar and spelling errors like the ones in typical spam runs sent by fellow con men who are not native speakers."

Police said the TorRAT gang coordinated their operations using Tor Mail -- which was designed to provide users with anonymous, private communications -- and ultimately stole funds from at least 150 Dutch bank accounts.


Stealing victims' money was the easy part. Actually converting it to cash was much more difficult, and a single mistake might leave clues that authorities could trace back to the gang members' real identity. "It is relatively straightforward to manipulate bank transactions on an infected computer. But you need mules for laundering stolen money," said Hacquebord. "The Dutch gang allegedly laundered money through Bitcoin transactions and even set up their own Bitcoin exchange service -- FBTC Exchange -- that went dark after the arrests."

The Dutch investigation also resulted in police seizing from the TorRAT gang 56 Bitcoins, which authorities exchanged for over 7,700 euros ($10,000).

How did Dutch computer crime police trace the men? While authorities haven't revealed what tipped them off, the arrests may have resulted directly from an FBI sting operation earlier this year that led to the arrest in Dublin of 28-year-old Eric Eoin Marques on child pornography distribution charges. Marques was also accused of being the operator of Freedom Hosting, which hosted multiple anonymous Tor software services, including Tor Mail, although the hosting service wasn't affiliated with the Tor Project.

The FBI apparently hacked into the Freedom Hosting site and made it serve malware that targeted a bug -- since patched -- in the Firefox browser that underpins the Tor Browser Bundle (TBB), which is the easiest way to access the anonymizing Tor network. The malware planted a tracking ID onto a TBB-using PC, which allowed the FBI to trace the IP address for the computer, helping it identify the user. Accordingly, the FBI may have shared the real IP addresses of the alleged Tor Mail-using TorRAT gang members with Dutch police.

Last week's takedown of the alleged TorRAT gang also followed the arrest earlier this month of Ross William Ulbricht, 29. The FBI accused Ulbricht, aka Dread Pirate Roberts, of running the notorious online narcotics marketplace known as the Silk Road. Reachable only via the Tor network, the site generated more than $1.2 billion in sales and $80 million in commissions during the more than two years in which it operated, authorities estimated. But even the combination of using Bitcoins as currency and the Tor network to hide participants' identities didn't prevent the FBI from tracing transactions back to the online marketplace's alleged owner.

Last week, the FBI announced that it had seized a second stash of Bitcoins belonging to Ulbricht, which brought the total number of seized Bitcoins to 173,991. At current Bitcoin exchange rates, they would be worth more than $34.1 million.
