Cyber Crime

The dangerous interaction between Russian and Brazilian cyber criminal underground

Kaspersky has analyzed the interaction between the Russian and Brazilian criminal underground communities revealing a dangerous interaction.

In the past weeks, we have analyzed the evolution of cyber criminal communities worldwide, focusing on illicit activities in the Deep Web. To simplify the approach we have considered the principal cyber criminal communities (RussiaBrazilNorth AmericaJapanChinaGermany) as separated entities, instead, these ecosystems interact each other in a way that Kaspersky experts have analyzed.

Experts from Kaspersky Lab have analyzed the interaction between the Russian and Brazilian criminal communities, a dangerous interaction that is leading to a rapid evolution of hacking tools.

The experts at Kaspersky Lab demonstrated that Brazilian and Russian-speaking criminals have an intense cooperation, Brazilian criminals use to buy malware samples from the Russian peers operating the principal underground forums. Typically they pay for exploit kitsATM or PoS malware and also hacking services.

The first example of collaboration is dated back 2011, when Brazilian cyber criminals have been actively abusing malicious PAC scripts to redirect victims to phishing pages. A few months later, cyber criminals behind the Russian banking Trojan Capper adopted the same technique.

“We saw the first sign of this ‘partnership’ in the development of malware using malicious PAC scripts. This technique was heavily exploited by Brazilian malware starting in 2011 and was later adopted by Russian banking Trojan Capper. ” states the analysis published by Kaspersky.

The experts highlight that cooperation runs both ways, helping to speed up the growth of hacking capabilities of both communities and also malware evolution.

“As we know, they are in touch with cybercriminals from Eastern Europe, mainly Russians, where they exchange information, malware source code and services that will be used in Brazilian attacks. We can see that many of the attacks used in Brazil were first seen in Russian malware as well as Brazilian techniques later being used in Russian attacks.” continues Kaspersky.

The researchers collected evidence of the profitable collaboration, in one discussion thread on an underground forum frequented by Russian hackers a user behind the moniker “Doisti74” expressed his interest in buying compromised machines located in Brazil. The same user is present in the Brazilian underground scene and researchers believe he could be interested in launching malware-based campaign in Brazil.

Brazilian crooks are looking with increasing interest at ransomware, some years ago experts at Kaspersky discovered the threat TorLocker developed by Brazilian malware developers. Some months ago, Kaspersky has spotted another ransomware based on the Hidden Tear source code that was adapted to target Brazilian users.

Crooks belonging to the two criminal underground communities also use to share malicious infrastructure, this is the case of a number of Boleto malware campaigns observed in Brazil that were relying on the same infrastructure used months before by operators behind the Russian banking Trojan family (Crishi).

The researchers have illustrated in details numerous evidence they collected related to the collaboration between Russian and Brazilian hackers, the experts highlighted that Brazilian banking malware has rapidly evolved in the last years thanks to this interaction.

“Just a few years ago, Brazilian banking malware was very basic and easy to detect,” said Thiago Marques, security researcher at Kaspersky Lab.

“With time, however, the malware authors have adopted multiple techniques to avoid detection, including code obfuscation, root and bootkit functions and so on, making their malware much more sophisticated and harder to combat.

“This is thanks to malicious technologies developed by Russian-speaking criminals. And this cooperation works both ways.”

I have no doubt, cybercrime has no boundaries and this kind of interaction will reinforce the principal criminal underground communities.

Pierluigi Paganini

(Security Affairs – Brazilian underground, Russian underground)

[adrotate banner=”9″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

10 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

17 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.