Group-IB detected malware that hit Russian stock-trading platform

Pierluigi Paganini April 20, 2013

Security firm Group-IB has detected a new variant of malware that targets the popular Russian stock-trading platform QUIK (Quik Broker, Quik Dealer), provided by the Russian software developer ARQA Technologies. The malware has been used in various attacks starting last November (2012), with the purpose of gathering detailed information on the owners of the affected accounts.

According to security experts at Group-IB, what is considered “anomalous” is the attackers' interest in high-profile banking accounts. Traditionally, hackers try to compromise private and corporate banking accounts to steal funds; corporate accounts represent an ideal but difficult target, due to their higher balances.

It all started last year, when Group-IB gathered information on numerous fraud incidents involving popular online trading platforms and stock brokerages.

Until now, large-scale banking fraud schemes have exploited the capabilities of popular malware such as SpyEye and Zeus, which log keystrokes and extract banking account information from victims.

Fraudsters seem to have changed strategy, turning to black hat coders who developed a strain of malware specialized in the QUIK trading platform and in FOCUS IVonline from New York-based EGAR Technology.

Both platforms are used by major banks, including the Russian Alfa-Bank, Promsvyazbank and Sberbank, for trading on the Russian stock exchange MICEX, which offers various financial services including placing and trading stocks, listing securities, and even setting up initial public offerings (IPOs) or company flotations.

The malware is a smart agent: once it has infected a victim, it checks for the presence of the trading software, then monitors the victim’s operations, capturing screenshots and intercepting credentials, which are sent back to the C&C server.

“Some of such data was extracted by elite Group-IB specialists in handling the C&C servers, and then some monitoring by Group-IB Bot-Trek returns victim information.”

Andrey Komarov, head of international projects at Group-IB, confirmed that the malware used against the trading platforms is a variant of the Ranbyus spyware, a malicious code used against Windows users to steal online banking credentials.

“It has quite similar functions to Zeus, as it uses a VNC spawning module which helps the hacker to be connected to the infected PC absolutely remotely and to do fraud silently, that’s why it won’t be detected by anti-fraud filters, as the theft will happen from the same IP address,” Komarov explained.

I contacted Andrey Komarov directly; an excerpt of our conversation follows:

Have you faced this kind of threat before? Were there any known incidents of such cases?

Yes, we did, especially ones targeted at foreign stock-exchange trading companies, mostly US and CA, such as Ameritrade, Scottrade, Etrade, Fidelity and Schwab.

Is it the trading application vendor’s fault? What can you recommend to them to make the security of their end-customers more efficient?

No, it is not. Firstly, because this malware acts like standard banking trojans, with remote control patching or spawning modules, which are absolutely invisible to the vendor and service side. Secondly, the type of theft is quite similar to modern online-banking theft, that’s why the attack vector is in reality standard, not specific.

What do the hackers do with the stolen credentials? Is it easy to cash out funds from this kind of trading account?

There are special schemes they use to sell / buy new things on the stock market, then transfer them to their own account and cash out, if it is a personal trading account. If it is a corporate one, the same things can happen between 2 corporate accounts, or a special fraudulent scheme can be used.

Did you find the hackers involved in it?

Yes, we did. For now, we use this information for our internal investigations with several banks affected by this malware. As an example, I can name several past cases with the involvement of Russian hackers, such as Petr Murmuluk, who stole more than $1,000,000 from US stock-exchange and trading companies.

Another example is Eugene Simonov, another hacker who was arrested; not a lot of information about him can be found on the web, there are no links in English about him, but we have found some links to him in regard to past incidents. Possibly the same group continued to work on the same things. I can provide you a rough translation about that case; we called it “Yoshkar-Ola malware”, Yoshkar-Ola being the city where he lived: “Hacker attacks have occurred in Russia, although brokers use more secure transaction technology than the popular U.S. operations through a web interface (thin client). But a resident of Yoshkar-Ola, Yevgeny Simonov, managed to bypass security and robbed a Permian broker's customers of nearly two million rubles by means of a virus created for QUIK. The hacker gained access to users’ computers and sold “illiquid” futures from their accounts to his own at under-priced levels, effectively transferring the money to himself. Typically, the client downloads the virus himself, for example by using illegal software or unreliable links. Traders can get it through libraries of indicators with embedded malicious code (usually programs in .NET and Java). An attacker uses a standard scheme with illiquid securities or derivatives. Usually the hacker acquires in his own name shares of some third-tier issuer. With access to the investor’s account and money, he starts to buy these securities. Due to the low liquidity, quotes immediately take off, and “at the peak of the market” he sells his own stake. Once the artificial boost in demand disappears, prices immediately return to the original level, and the cheapened “illiquid” shares settle in the accounts of the unsuspecting victims.”
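Komarov's remark that the theft happens from the victim's own IP address, together with the illiquid-securities scheme described in the translated case, explains why an IP-based anti-fraud filter misses this fraud. The following Python is an added illustration, not code from the article, Group-IB or ARQA: it runs an IP-only check and a behavioural check over a constructed set of trade records (account names, tickers, volumes and addresses are all made up) and shows that only the latter flags the pump executed through the victim's account.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Trade:
    account: str
    ticker: str
    side: str       # "BUY" or "SELL"
    qty: int
    price: float
    src_ip: str     # address the order arrived from

# Constructed reference data: average daily volume per ticker (shares) and the
# address each account normally trades from, as an IP-only filter would know it.
ADV = {"BLUE1": 5_000_000, "ILLQ3": 2_000}
KNOWN_IP = {"acct-normal": "203.0.113.20", "acct-victim": "203.0.113.10"}

# Constructed session: one routine blue-chip buy, then three escalating buys of
# a thinly traded issuer placed through the victim's own PC (usual address).
SAMPLE_TRADES = [
    Trade("acct-normal", "BLUE1", "BUY", 100, 150.00, "203.0.113.20"),
    Trade("acct-victim", "ILLQ3", "BUY", 400, 1.00, "203.0.113.10"),
    Trade("acct-victim", "ILLQ3", "BUY", 400, 1.30, "203.0.113.10"),
    Trade("acct-victim", "ILLQ3", "BUY", 400, 1.70, "203.0.113.10"),
]

def ip_filter_alerts(trades):
    """IP-only check: orders from an address the account does not normally
    use. Finds nothing when the fraud runs over VNC from the victim's PC."""
    return [t for t in trades if KNOWN_IP.get(t.account) != t.src_ip]

def illiquid_pump_alerts(trades, adv_share=0.2, price_rise=0.3):
    """Behavioural check: flag an account whose buys in one session absorb at
    least adv_share of a ticker's average daily volume while the price it pays
    climbs by at least price_rise, regardless of the source address."""
    buys = defaultdict(list)
    for t in trades:
        if t.side == "BUY":
            buys[(t.account, t.ticker)].append(t)
    alerts = []
    for (account, ticker), ts in buys.items():
        adv = ADV.get(ticker)
        if adv is None:  # no liquidity profile for this ticker: do not guess
            continue
        qty = sum(t.qty for t in ts)
        move = ts[-1].price / ts[0].price - 1
        if qty >= adv_share * adv and move >= price_rise:
            alerts.append({"account": account, "ticker": ticker,
                           "qty": qty, "price_move": round(move, 2)})
    return alerts
```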

Ranbyus spyware is not the only cyber threat that has menaced these “precious” platforms: QUIK has also been attacked by the Trojan Broker-J, which, instead of spying on user operations, steals encryption keys from the application storage and transfers them to the attackers.

Vladimir Kurlyandchik, head of business development at ARQA Technologies, recommended that customers install defense systems and keep them updated; he also invites clients to alert the company if they discover suspicious activity:

“In case of any suspicion of unauthorized access to an account, the end user should immediately initiate the procedure for changing access keys. It is also our standard recommendation.”

Beware: cybercrime does not forgive oversights!

Pierluigi Paganini

(Security Affairs – Cybercrime, Malware)