The use of off-the-shelf keyloggers/RATs like Predator Pain and Limitless doesn’t impact the illicit activities of criminal crews, in many cases, crooks prefer to invest more time and effort instead of using automated malware that results anyway more expensive.

“The tools these fraudsters use are not advanced. Combined, clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money,” Flores said. “These highlight that cybercrime activities are dependent not only on the sophistication of the tools used, but on how well organized the entire scheme is. A sophisticated, well-designed scam can net its operators significant sums of money, as seen here.”

The monitoring on several Predator Pain and Limitless attacks allowed the experts to track the used of these tools, in particular the findings revealed that a significant portion of operators was involved in utilizing the following:

• The 419 or Nigerian scams through easy-to-deploy, high-volume attacks
• Scammed corporate emails that convince recipients to deposit payment to specially crafted accounts

419 scammers are considered within more lucrative activities on a large scale that benefit of the malware to hit exclusively SMBs. SMBs are more exposed to external attacks due to the lack of an efficient security posture and dedicated IT security staff.

“SMBs may not be involved in multimillion-dollar deals, but they do conduct transactions worth tens to hundreds of thousands of dollars,” the researchers noted. “As the world relies more and more on Web services (e.g., webmail), all it will take to ruin a business is a single compromised online account.”

The common attack scenario based on these malicious code sstart sending out classic phishing emails to publicly listed email addresses. The attackers attach the keylogger to the email, once the victims install it the malware silently steal user data, including system screenshots, keystrokes, browser-cached account credentials, and sends information back to the command and control servers via email, FTP, or Web panel (PHP).

“Attackers, after obtaining access to infected computers and the credentials stored in them, sit on a gold mine of information that they can use for various criminal and fraudulent activities. Successfully stealing online banking credentials can lead to financial theft. Some of the stolen information provide attackers more leverage for subsequent attacks. They can, for instance, get their hands on actual emails and use these to “hijack” ongoing transactions between their chosen victims and their clients” states the paper referring the postinfection activities.

The report highlights that stolen data could be used later for further attacks against victims and could be sold in the underground to other criminal organization, personal data and sensitive information are a precious commodity in the underground.

The most scaring aspect of the analysis made by researchers on the use of Predator Pain and Limitless is that criminal gangs are targeting SMBs (small and medium-sized businesses) considered vulnerable targets by the gangs that aim to realize rapid gains exploiting the lack of awareness of general IT security best practices.

The “Predator Pain and Limitless When Cybercrime Turns into Cyberspying” is another excellent analysis conducted by the researchers at TrendMicro, don’t miss this report.

Pierluigi Paganini

(Security Affairs –  Predator Pain and Limitless keyloggers, keyloggers/RAT)