Categories: Cyber Crime, Malware

Group-IB detected malware that hit Russian stock-trading platform

Security firm Group-IB has detected a new variant of malware that targets the popular Russian stock-trading platform QUIK (Quik Broker, Quik Dealer), developed by the Russian software company ARQA Technologies. The malware has been used in a series of attacks starting last November (2012), with the purpose of gathering detailed information on the owners of the targeted accounts.

What security experts at Group-IB consider “anomalous” is the attackers’ interest in high-profile trading accounts. Traditionally, criminals compromise private and corporate banking accounts to steal funds; corporate accounts are an ideal but difficult target because of their higher balances.

It all started last year, when Group-IB gathered information on numerous fraud incidents at popular online trading and stock brokerage services.

Large-scale banking fraud schemes, on the other hand, have exploited the capabilities of popular malware such as SpyEye and Zeus, which log keystrokes and extract banking account information from victims.

Fraudsters seem to have changed strategy, beginning to use malware written by black-hat coders specifically for the QUIK trading platform and for FOCUS IVonline from New York-based EGAR Technology.

Both platforms are used by major banks, including the Russian Alfa-Bank, Promsvyazbank and Sberbank, and both are used for trading on the Russian stock exchange MICEX, which offers various financial services including placing and trading stocks, listing securities, and even setting up initial public offerings (IPOs) or company flotations.

The malware is a smart agent: once it infects a victim, it checks for the presence of the trading software and then monitors the victim’s operations, capturing screenshots and intercepting credentials, which are sent back to the C&C server.

“Some of such data was extracted by elite Group-IB specialists in handling the C&C servers, and then some monitoring by Group-IB Bot-Trek returns victim information.”

Andrey Komarov, head of international projects at Group-IB, confirmed that the malware used against the trading platforms is a variant of the Ranbyus spyware, a malicious code used against Windows users to steal online banking credentials.

“It has quite similar functions to Zeus, as it uses a VNC spawning module which helps the hacker to be connected to the infected PC absolutely remotely and to do fraud silently, that’s why it won’t be detected by anti-fraud filters, as the theft will happen from the same IP address,” Komarov explained.

I contacted Andrey Komarov directly; what follows is an excerpt of our conversation:

Did you face such kinds of threats before? Were there any known incidents of such cases?

Yes, we did. Especially ones targeted at foreign stock-exchange trading companies, mostly US and CA, such as Ameritrade, Scottrade, Etrade, Fidelity and Schwab.

Is it the trading application vendor’s fault? What can you recommend for them to make the security of their end-customers more efficient?

No, it is not. Firstly, because this malware acts like standard banking trojans with remote control patching or spawning modules, which are absolutely invisible to the vendor and service side. Secondly, the type of theft is quite similar to modern online-banking theft, that’s why the vector of the attack is in reality standard, not specific.

What do the hackers do with the stolen credentials? Is it easy to cash out the funds from such kinds of trading accounts?

There are special schemes they use to sell / buy new things on the stock exchange and then transfer them to their own account and then cash out, if it is a personal trading account. If it is a corporate one, the same things can happen between 2 corporate accounts, or a special fraudulent scheme can be used.

Did you find the hackers involved in it?

Yes, we did. For now, we use this information for our internal investigations with several banks affected by this malware. As an example, I can name several past cases with the involvement of Russian hackers, such as Petr Murmuluk, who stole more than 1 000 000$ from US stock-exchange and trading companies.

Another example is Eugene Simonov – another hacker, who was arrested; there is not a lot of information you can find about him on the WEB, there are no links in English about him, but we have found some links to him in regard to past incidents. Possibly, the same group continued to work on the same things. I can provide you a rough translation about that case; we called it the “Yoshkar-Ola malware”, Yoshkar-Ola being the city where he lived: “Hacker attacks have occurred in Russia, although brokers use more secure transaction technology than the popular U.S. operations through the web interface (thin client). But a resident of Yoshkar-Ola, Yevgeny Simonov, managed to bypass security and robbed customers of a Perm broker of nearly two million rubles by a virus created for QUIK. The hacker gained access to users’ computers and sold “illiquid” futures from their accounts to his own at under-priced rates, actually transforming them into money for himself. Typically, the client downloads the virus itself, for example by using illegal software or unreliable links. Traders can get them through libraries with indicators with embedded malicious code (usually in the programming languages .NET and Java). An attacker uses a standard scheme with illiquid securities or derivatives. Usually a hacker holds in his name shares of some third-tier issuer. With access to the investor’s account and his money, he starts to buy these securities. Due to the low liquidity, quotes immediately take off, and “at the peak of the market” he sells his own stake. Once the artificial boost of demand disappears, prices immediately return to the original level, and the cheapened “illiquid” settles in the accounts of the unsuspecting victims.”
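Komarov’s point that IP-based anti-fraud filters are blind to this kind of theft (the orders originate from the victim’s own machine) suggests that surveillance has to look at what is traded rather than where from. The following is an added illustration, not code from Group-IB, ARQA or the article, of a broker-side rule that screens trade records for the illiquid-security scheme described in the Yoshkar-Ola case: a buy in a thinly traded instrument, at a large premium over the reference price, in a size that dominates the instrument’s normal volume, and then the counterparty account that received the funds. Trade records, thresholds and field names are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Trade:
    """One executed order as a broker's surveillance feed might record it (constructed layout)."""
    account: str
    instrument: str
    side: str              # "buy" or "sell"
    qty: int
    price: float
    avg_daily_volume: int  # trailing average daily volume of the instrument
    ref_price: float       # previous close, used as the fair-value reference


# Constructed sample feed: one normal blue-chip buy, one suspicious illiquid buy,
# its matching sell from another account, and a small illiquid buy that is benign.
TRADES = [
    Trade("ACC-001", "BLUECHIP", "buy", 100, 150.2, 2_000_000, 149.8),
    Trade("ACC-001", "TIER3-X", "buy", 5000, 2.9, 400, 1.1),
    Trade("ACC-002", "TIER3-X", "sell", 5000, 2.9, 400, 1.1),
    Trade("ACC-003", "TIER3-Y", "buy", 50, 1.2, 300, 1.1),
]


def illiquid_buy_reasons(t, volume_threshold=1000, premium=0.25, volume_share=0.5):
    """Return the list of rule hits for a single trade; empty means not suspicious.

    All three conditions must hold, because each one alone is common in legitimate
    trading: the instrument is thinly traded, the buy is far above the reference
    price, and the order size is large relative to the instrument's normal volume.
    """
    if t.side != "buy":
        return []
    reasons = []
    if t.avg_daily_volume < volume_threshold:
        reasons.append("illiquid_instrument")
    if t.price > t.ref_price * (1 + premium):
        reasons.append("price_premium")
    if t.qty >= volume_share * max(t.avg_daily_volume, 1):
        reasons.append("dominant_size")
    return reasons if len(reasons) == 3 else []


def flag_illiquid_buys(trades, **thresholds):
    """Return [(trade, reasons)] for every trade that trips all three conditions."""
    flagged = []
    for t in trades:
        reasons = illiquid_buy_reasons(t, **thresholds)
        if reasons:
            flagged.append((t, reasons))
    return flagged


def match_counterparties(flagged, trades):
    """Pair each flagged buy with sells of the same instrument, size and price by other accounts.

    The account on the sell side is where the victim's money ended up, which is the
    lead an investigator would want to follow up.
    """
    matches = {}
    for buy, _ in flagged:
        sellers = sorted(
            s.account for s in trades
            if s.side == "sell"
            and s.instrument == buy.instrument
            and s.qty == buy.qty
            and s.price == buy.price
            and s.account != buy.account
        )
        matches[(buy.account, buy.instrument)] = sellers
    return matches


if __name__ == "__main__":
    hits = flag_illiquid_buys(TRADES)
    for trade, reasons in hits:
        print(f"ALERT {trade.account} bought {trade.qty} {trade.instrument} @ {trade.price}: {reasons}")
    for (account, instrument), sellers in match_counterparties(hits, TRADES).items():
        print(f"  funds from {account} in {instrument} went to: {sellers}")
```

The thresholds are illustrative; a real surveillance desk would calibrate them per market segment and combine the rule with session-level signals (for example, order activity continuing while the user is idle), since a VNC-driven session looks to the network like the legitimate client.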

Ranbyus spyware is not the only cyber threat that has menaced the “precious” platforms: QUIK has also been attacked by the Trojan Broker-J, which, instead of spying on user operations, steals encryption keys from the application’s storage and transfers them to the attackers.

Vladimir Kurlyandchik, head of business development at ARQA Technologies, recommended that customers install defense systems and keep them updated; he also invited clients to alert the company whenever they discover suspicious activity:

“In case of any suspicions of unauthorized access to an account the end user should immediately initiate the procedure of changing access keys. It is also our standard recommendation.”

Beware: cybercrime does not forgive oversights!

Pierluigi Paganini

(Security Affairs – Cybercrime, Malware)
