Pierluigi Paganini
November 13, 2014
“Predator Pain and Limitless have the capability to steal a lot of information and exfiltrate them back to the cybercriminals. These are off-the-shelf tools and are easily obtainable for US$40 or less in underground forums orwebsites run by their creators.” “Attackers, after obtaining access to infected computers and the credentials stored in them, sit on a gold mine of information that they can use for various criminal and fraudulent activities,” the researchers explain in a whitepaper.
“Consider: this means that cybercriminals in a single city, within six-months, equaled all the losses from Zbot up to the present,” Trend Micro senior threat researcher Ryan Flores pointed out. “Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved,” he explained.
“In fact, in Hong Kong alone, the estimated loss resulting from corporate email fraud has increased 491% from 2012 to 2013 and 180% from 2013 to 2014. As of June 2014, the total reported loss amounted to HK$565.5 million (approximately US$73 million).”
The use of off-the-shelf keyloggers/RATs like Predator Pain and Limitless doesn’t impact the illicit activities of criminal crews, in many cases, crooks prefer to invest more time and effort instead of using automated malware that results anyway more expensive.
“The tools these fraudsters use are not advanced. Combined, clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money,” Flores said. “These highlight that cybercrime activities are dependent not only on the sophistication of the tools used, but on how well organized the entire scheme is. A sophisticated, well-designed scam can net its operators significant sums of money, as seen here.”
The monitoring on several Predator Pain and Limitless attacks allowed the experts to track the used of these tools, in particular the findings revealed that a significant portion of operators was involved in utilizing the following:
419 scammers are considered within more lucrative activities on a large scale that benefit of the malware to hit exclusively SMBs. SMBs are more exposed to external attacks due to the lack of an efficient security posture and dedicated IT security staff.
“SMBs may not be involved in multimillion-dollar deals, but they do conduct transactions worth tens to hundreds of thousands of dollars,” the researchers noted. “As the world relies more and more on Web services (e.g., webmail), all it will take to ruin a business is a single compromised online account.”
The common attack scenario based on these malicious code sstart sending out classic phishing emails to publicly listed email addresses. The attackers attach the keylogger to the email, once the victims install it the malware silently steal user data, including system screenshots, keystrokes, browser-cached account credentials, and sends information back to the command and control servers via email, FTP, or Web panel (PHP).
“Attackers, after obtaining access to infected computers and the credentials stored in them, sit on a gold mine of information that they can use for various criminal and fraudulent activities. Successfully stealing online banking credentials can lead to financial theft. Some of the stolen information provide attackers more leverage for subsequent attacks. They can, for instance, get their hands on actual emails and use these to “hijack” ongoing transactions between their chosen victims and their clients” states the paper referring the postinfection activities.
The report highlights that stolen data could be used later for further attacks against victims and could be sold in the underground to other criminal organization, personal data and sensitive information are a precious commodity in the underground.
The most scaring aspect of the analysis made by researchers on the use of Predator Pain and Limitless is that criminal gangs are targeting SMBs (small and medium-sized businesses) considered vulnerable targets by the gangs that aim to realize rapid gains exploiting the lack of awareness of general IT security best practices.
The “Predator Pain and Limitless When Cybercrime Turns into Cyberspying” is another excellent analysis conducted by the researchers at TrendMicro, don’t miss this report.
(Security Affairs – Predator Pain and Limitless keyloggers, keyloggers/RAT)
