Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Dutch Banking Malware Gang Busted: Bitcoin's Role

Dutch police arrest four men on charges of using TorRAT banking malware to steal an estimated $1.4 million from consumers. They allegedly laundered the funds using the cryptographic currency known as Bitcoins.

Dutch cybercrime police last week busted four men on charges that they used the banking malware known as TorRAT to steal an estimated $1.4 million from consumers, which they allegedly laundered using the cryptographic currency known as Bitcoins.

TorRAT is a remote-access Trojan (RAT), designed to steal online banking information, which receives command-and-control (C&C) instructions via the anonymizing Tor network. By using Tor, the botnet's operators can disguise the commands they send to infected PCs and hide the flow of stolen data being transmitted from infected PCs to attacker-controlled servers.

The Windows malware was distributed in part via hacked Twitter feeds, but largely via phishing attacks written in Dutch that targeted online banking users in the Netherlands. "Users fell victim to this threat by clicking fake invoices in specially crafted spammed messages," said Trend Micro senior threat researcher Feike Hacquebord in a blog post. "These invoices did not have the usual grammar and spelling errors like the ones in typical spam runs sent by fellow con men who are not native speakers."

Police said the TorRAT gang coordinated their operations using Tor Mail -- which was designed to provide users with anonymous, private communications -- and ultimately stole funds from at least 150 Dutch bank accounts.

[ Why should consumers be forced to clean up when their personal data is breached? Read Experian Breach Fallout: ID Theft Nightmares Continue. ]

Stealing victims' money was the easy part. Actually converting it to cash was much more difficult, and a single mistake might leave clues that authorities could trace back to the gang members' real identity. "It is relatively straightforward to manipulate bank transactions on an infected computer. But you need mules for laundering stolen money," said Hacquebord. "The Dutch gang allegedly laundered money through Bitcoin transactions and even set up their own Bitcoin exchange service -- FBTC Exchange -- that went dark after the arrests."

The Dutch investigation also resulted in police seizing from the TorRAT gang 56 Bitcoins, which authorities exchanged for over 7,700 euros ($10,000).

How did Dutch computer crime police trace the men? While authorities haven't revealed what tipped them off, the arrests may have resulted directly from an FBI sting operation earlier this year that resulted in the arrest in Dublin of 28-year-old Eric Eoin Marques on child pornography distribution charges. Marques was also accused of being the operator of Freedom Hosting, which hosted multiple anonymous Tor software services, including Tor Mail, although the hosting service wasn't affiliated with the Tor Project.

The FBI apparently hacked into the Freedom Hosting site and made it serve malware that targeted a bug -- since patched -- in the Firefox browser that underpins the Tor Browser Bundle (TBB), which is the easiest way to access the anonymizing Tor network. The malware planted a tracking ID onto a TBB-using PC, which allowed the FBI to trace the IP address for the computer, helping it identify the user. Accordingly, the FBI may have shared the real IP addresses of the alleged Tor Mail-using TorRAT gang members with Dutch police.

Last week's takedown of the alleged TorRAT gang also followed the arrest earlier this month of Ross William Ulbricht, 29. The FBI accused Ulbricht, aka Dread Pirate Roberts, of running the notorious online narcotics marketplace known as the Silk Road. Reachable only via the Tor network, the site generated more than $1.2 billion in sales and $80 million in commissions during the more than two years in which it operated, authorities estimated. But even the combination of using Bitcoins as currency and the Tor network to hide participants' identities didn't prevent the FBI from tracing transactions back to the online marketplace's alleged owner.

Last week, the FBI announced that it had seized a second stash of Bitcoins belonging to Ulbricht, which brought the total number of seized Bitcoins to 173,991. At current Bitcoin exchange rates, they would be worth more than $34.1 million.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9405
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated reflected XSS via the redirect page.
CVE-2020-9406
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows unauthenticated eval injection via the queryBCP method of the Auxiliary Service.
CVE-2020-9407
PUBLISHED: 2020-02-26
IBL Online Weather before 4.3.5a allows attackers to obtain sensitive information by reading the IWEBSERVICE_JSONRPC_COOKIE cookie.
CVE-2020-9398
PUBLISHED: 2020-02-25
ISPConfig before 3.1.15p3, when the undocumented reverse_proxy_panel_allowed=sites option is manually enabled, allows SQL Injection.
CVE-2015-5201
PUBLISHED: 2020-02-25
VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows r...