The millionaire business behind the use of Limitless and Predator Pain Keylogger/RATs in the criminal ecosystems

Pierluigi Paganini November 13, 2014

Trend Micro issued a research paper on operations behind Predator Pain and Limitless keyloggers, both of which are easily obtainable from underground.

Cybercriminals ordinary use malicious code to steal money from victims, the number of malware available in the criminal ecosystem is continuously growing, their level of sophistication and cost are extremely variable. Thinking of banking malware, Zeus and SpyEye are probably the most popular, but represent the tip of the iceberg, in the underground it is possible to acquire low-priced malware that anyway can ensure to fraudsters substantial gains.
Security experts are aware that all these malicious code, if in the “right” hands, can bring in an astounding amount of money and create huge losses to the collectivity.
Security experts at TrendMicro have published an interesting paper on the operations behind Predator Pain and Limitless keyloggers, two low-priced ($40 or less), off-the-shelf keyloggers/RATs that are easy to acquire on the underground forums. The researchers have analyzed both Predator Pain and Limitless keyloggers for only a few months, discovering a surprising reality.
Predator Pain and Limitless screeshot
Predator Pain and Limitless screeshot 2
Let’s start from the economic perspective, the cost of these RATs is  $40 or less, but the malware implements similar capabilities with many other data stealer.
“Predator Pain and Limitless have the capability to steal a lot of information and exfiltrate them back to the cybercriminals. These are off-the-shelf tools and are easily obtainable for US$40 or less in underground forums orwebsites run by their creators.”  “Attackers, after obtaining access to infected computers and the credentials stored in them, sit on a gold mine of information that they can use for various criminal and fraudulent activities,” the researchers explain in a whitepaper.
Data provided by the Commercial Crime Bureau of Hong Kong Police Force reveals that cybercriminals using the above malware against small and medium-sized businesses in Hong Kong have earned more than $75 million in the first half 2014. These data are alarming, if we compare these losses to the economic impact of the Zeus Botnet as explained in the paper:
“Consider: this means that cybercriminals in a single city, within six-months, equaled all the losses from Zbot up to the present,” Trend Micro senior threat researcher Ryan Flores pointed out. “Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved,” he explained.
Predator Pain and Limitless graph
“In fact, in Hong Kong alone, the estimated loss resulting from corporate email fraud has increased 491% from 2012 to 2013 and 180% from 2013 to 2014. As of June 2014, the total reported loss amounted to HK$565.5 million (approximately US$73 million).”
Predator Pain and Limitless Comparison

The use of off-the-shelf keyloggers/RATs like Predator Pain and Limitless doesn’t impact the illicit activities of criminal crews, in many cases, crooks prefer to invest more time and effort instead of using automated malware that results anyway more expensive.

“The tools these fraudsters use are not advanced. Combined, clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money,” Flores said. “These highlight that cybercrime activities are dependent not only on the sophistication of the tools used, but on how well organized the entire scheme is. A sophisticated, well-designed scam can net its operators significant sums of money, as seen here.”

The monitoring on several Predator Pain and Limitless attacks allowed the experts to track the used of these tools, in particular the findings revealed that a significant portion of operators was involved in utilizing the following:

  • The 419 or Nigerian scams through easy-to-deploy, high-volume attacks
  • Scammed corporate emails that convince recipients to deposit payment to specially crafted accounts

419 scammers are considered within more lucrative activities on a large scale that benefit of the malware to hit exclusively SMBs. SMBs are more exposed to external attacks due to the lack of an efficient security posture and dedicated IT security staff.

“SMBs may not be involved in multimillion-dollar deals, but they do conduct transactions worth tens to hundreds of thousands of dollars,” the researchers noted. “As the world relies more and more on Web services (e.g., webmail), all it will take to ruin a business is a single compromised online account.”

The common attack scenario based on these malicious code sstart sending out classic phishing emails to publicly listed email addresses. The attackers attach the keylogger to the email, once the victims install it the malware silently steal user data, including system screenshots, keystrokes, browser-cached account credentials, and sends information back to the command and control servers via email, FTP, or Web panel (PHP).

“Attackers, after obtaining access to infected computers and the credentials stored in them, sit on a gold mine of information that they can use for various criminal and fraudulent activities. Successfully stealing online banking credentials can lead to financial theft. Some of the stolen information provide attackers more leverage for subsequent attacks. They can, for instance, get their hands on actual emails and use these to “hijack” ongoing transactions between their chosen victims and their clients” states the paper referring the postinfection activities.

The report highlights that stolen data could be used later for further attacks against victims and could be sold in the underground to other criminal organization, personal data and sensitive information are a precious commodity in the underground.

The most scaring aspect of the analysis made by researchers on the use of Predator Pain and Limitless is that criminal gangs are targeting SMBs (small and medium-sized businesses) considered vulnerable targets by the gangs that aim to realize rapid gains exploiting the lack of awareness of general IT security best practices.

The “Predator Pain and Limitless When Cybercrime Turns into Cyberspying” is another excellent analysis conducted by the researchers at TrendMicro, don’t miss this report.

Pierluigi Paganini

(Security Affairs –  Predator Pain and Limitless keyloggers, keyloggers/RAT)

you might also like

leave a comment