The millionaire business behind the use of Limitless and Predator Pain Keylogger/RATs in the criminal ecosystems

Cybercriminals ordinary use malicious code to steal money from victims, the number of malware available in the criminal ecosystem is continuously growing, their level of sophistication and cost are extremely variable. Thinking of banking malware, Zeus and SpyEye are probably the most popular, but represent the tip of the iceberg, in the underground it is possible to acquire low-priced malware that anyway can ensure to fraudsters substantial gains.

Security experts are aware that all these malicious code, if in the “right” hands, can bring in an astounding amount of money and create huge losses to the collectivity.

Security experts at TrendMicro have published an interesting paper on the operations behind Predator Pain and Limitless keyloggers, two low-priced ($40 or less), off-the-shelf keyloggers/RATs that are easy to acquire on the underground forums. The researchers have analyzed both Predator Pain and Limitless keyloggers for only a few months, discovering a surprising reality.

Let’s start from the economic perspective, the cost of these RATs is  $40 or less, but the malware implements similar capabilities with many other data stealer.

Data provided by the Commercial Crime Bureau of Hong Kong Police Force reveals that cybercriminals using the above malware against small and medium-sized businesses in Hong Kong have earned more than $75 million in the first half 2014. These data are alarming, if we compare these losses to the economic impact of the Zeus Botnet as explained in the paper:

The use of off-the-shelf keyloggers/RATs like Predator Pain and Limitless doesn’t impact the illicit activities of criminal crews, in many cases, crooks prefer to invest more time and effort instead of using automated malware that results anyway more expensive.

“The tools these fraudsters use are not advanced. Combined, clever targeting, patience, cunning and simple keyloggers have netted these cybercriminals large sums of money,” Flores said. “These highlight that cybercrime activities are dependent not only on the sophistication of the tools used, but on how well organized the entire scheme is. A sophisticated, well-designed scam can net its operators significant sums of money, as seen here.”

The monitoring on several Predator Pain and Limitless attacks allowed the experts to track the used of these tools, in particular the findings revealed that a significant portion of operators was involved in utilizing the following:

• The 419 or Nigerian scams through easy-to-deploy, high-volume attacks
• Scammed corporate emails that convince recipients to deposit payment to specially crafted accounts

419 scammers are considered within more lucrative activities on a large scale that benefit of the malware to hit exclusively SMBs. SMBs are more exposed to external attacks due to the lack of an efficient security posture and dedicated IT security staff.

“SMBs may not be involved in multimillion-dollar deals, but they do conduct transactions worth tens to hundreds of thousands of dollars,” the researchers noted. “As the world relies more and more on Web services (e.g., webmail), all it will take to ruin a business is a single compromised online account.”

The common attack scenario based on these malicious code sstart sending out classic phishing emails to publicly listed email addresses. The attackers attach the keylogger to the email, once the victims install it the malware silently steal user data, including system screenshots, keystrokes, browser-cached account credentials, and sends information back to the command and control servers via email, FTP, or Web panel (PHP).

“Attackers, after obtaining access to infected computers and the credentials stored in them, sit on a gold mine of information that they can use for various criminal and fraudulent activities. Successfully stealing online banking credentials can lead to financial theft. Some of the stolen information provide attackers more leverage for subsequent attacks. They can, for instance, get their hands on actual emails and use these to “hijack” ongoing transactions between their chosen victims and their clients” states the paper referring the postinfection activities.

The report highlights that stolen data could be used later for further attacks against victims and could be sold in the underground to other criminal organization, personal data and sensitive information are a precious commodity in the underground.

The most scaring aspect of the analysis made by researchers on the use of Predator Pain and Limitless is that criminal gangs are targeting SMBs (small and medium-sized businesses) considered vulnerable targets by the gangs that aim to realize rapid gains exploiting the lack of awareness of general IT security best practices.

The “Predator Pain and Limitless When Cybercrime Turns into Cyberspying” is another excellent analysis conducted by the researchers at TrendMicro, don’t miss this report.

Pierluigi Paganini

(Security Affairs –  Predator Pain and Limitless keyloggers, keyloggers/RAT)