Pierluigi Paganini April 20, 2013

Security firm Group-IB has detected a new variant of malware that targets the popular Russian stock-trading platform QUIK (Quik Broker, Quik Dealer) provided by Russian software developers ARQA Technologies. The malware has been used during various attacks staring in last November (2012) with the purpose to gather detailed information on the respective owners of the accounts.

As revealed by security experts at Group-IB what is considered “anomalous ” is the interest of attackers in high profile banking accounts, traditionally hackers try to compromise private and corporate banking accounts to steal funds and Corporate accounts represents an ideal, but difficult target, due higher balances.

All were started last year when Group-IB gathered information on numerous incident fraud on popular online trading and stock brokerages.

On the other hand large scale banking fraud schema has exploited the capabilities of popular malware such as Spy Eye and Zeus that keystrokes and extract banking account information from victims.

Fraudsters seem to have changed strategy beginning to use malware developed by black hat coders that developed a strain of malware specialized on QUIK trading platform and FOCUS IVonline from New York-based EGAR Technology.

Both platforms are used by principal banks including Russian Alfa-Bank, Promsvyazbank and Sberbank and both are used for trading on Russian stock exchange MICEX that offers various financial services including placing and trading stocks, listing securities, and even the facility to set up initial public offerings (IPOs) or company flotations.

The malware is a smart agent that once infected the victims verify the presence of the trading software to monitor the victim’s operation capturing screenshots and intercepting credentials which are sent back to the C&C server.

“Some of such data was extracted by elite Group-IB specialists in handling the C&C servers, and then some monitoring by Group-IB Bot-Trek returns victim information.”

Andrey Komarov, the head of international projects at  Andrey Komarov of Group-IB confirmed that the malware use against the trading platforms is a variant of the Ranbyus spyware, a malicious code used against windows users to steal online banking credentials.

“It has quite similar functions to Zeus, as it uses a VNC spawning module which helps the hacker to be connected to the infected PC absolutely remotely and to do fraud silently, that’s why it won’t be detected by anti-fraud filters, as the theft will happen from the same IP address,” Komarov explained.

I directly contacted Andrey Komarov, following an excerpt of our conversation:

Did you face with such kind of threats before? Were the any known incidents on such cases?

Yes, we did. Especially, targeted on foreign stock-exchange trading companies, mostly US and CA, such as Ameritrade, Scottrade, Etrade, Fidelity and Schwab.

Is it trading application’s vendor’s fault? What can you recommend for them to make the security of their end-customers more efficient?

No, it is not. Firstly, because of that this malware acts like standard banking trojans with remote control patching or spawning modules, which are absolutely invisible for the vendor and service side. Secondly, the type of the theft is quite similar to modern online-banking theft, that’s why the vector of the attack in real is standard, not specific.

What the hackers do with theft credentials? Is it easy to cash out the funds from such kind of trading accounts?

There are special schemes they use to sell / buy new things on stock and then to transfer it to own account and then cash out if it is a personal trading account. If it is corporate one, the same things can happen between 2 corporate accounts or special fraudulent scheme can be used.

Did you find the hackers involved in it?

Yes, we did. For now, we use this information for our internal investigations with several banks affected by this malware. As an example, I can name several past cases with involvement of Russian hackers, such as Petr Murmuluk, who theft more than 1 000 000$ from the US stock-exchange and trading companies.

Another example is Eugene Simonov – another hacker, who was arrested, not a lot of information you can find about him in WEB, there are no links in English about him, but we have found out some links with him in regard of the past incidents. Possibly, the same group continued to work on the same things. I can provide you rough translation about that case, we called it “Yoshkar-Ola malware”, Yoshkar-Ola is the city where he lived: “Hacker attacks have occurred in Russia, although brokers use technology more secure transactions than the popular U.S. Operations through the web interface (thin client). But a resident of Yoshkar-Ola Yevgeny Simonov managed to bypass security and robbed customers Permian broker nearly two million rubles by the virus, created for QUIK. The hacker gained access to users’ computers and selling “illiquid” futures from their accounts to their under-priced, actually transforming itself money. Typically, the client downloads the virus itself, for example by using illegal software or unreliable links. Traders can get them through the library with indicators with an embedded malicious code (usually the language programs. NET and Java). An attacker uses a standard scheme with illiquid securities or derivatives. Usually a hacker gets in his name shares of the issuer of any third tier. With access to the investor’s account, with his money, he starts to buy these securities. Due to the low liquidity quotes immediately take off, but “at the peak of the market” is selling his own stake. Once the artificial recharge of demand disappears, prices immediately returned to the original level, and cheapened “illiquid” settles the accounts of unsuspecting victims.”

Ranbyus spyware is not the only one cyber threat that menaced the “precious” platforms, QUIK has been attacked by the Trojan, Broker-J that instead of spy on user operations steals encryption keys from the application storage and transfers them to attackers.

Vladimir Kurlyandchik, head of business development at ARQA Technologies recommended customers to install defense systems and keep them updated, he also invites the clients to alert the company in case of suspicious activities discovered:

“In case of any suspicions of unauthorized  access to an account the end user should immediately initiate the procedure of changing access keys. It is also our standard recommendation,”

Beware of cybercrime does not forgive oversights!

Pierluigi Paganini

(Security Affairs – Cybercrime, Malware)