A collaborative effort between a Russian security company and two Russian federal agencies has yielded the arrest of eight men allegedly involved in the Carberp Trojan scam, it was announced today.

Officials from Russia’s Ministry of Internal Affairs (MVD) and Federal Security Service (FSB), along with Group-IB, an investigative security firm also based out of Russia, had been working since November 2010 to bring down the cyber criminals. Investigators were able to finger the head of the gang in January 2011 but it took another 14 months to track down each accomplice, according to a press release (translated) on the MVD’s site. The agency estimates the group made off with 60 million rubles, or roughly $2 million, through 90 thefts total.

Authorities searched the apartments of two brothers, both residents of Moscow, who are believed to be responsible for managing the Carberp scam. They confiscated computer equipment that was used to spread the malicious programs as well as what is described as “a large number of bank cards,” “funds amounting to more than seven and a half million rubles” ($256,000) and reams of fake documentation. 

Both brothers are in their thirties and will face trial. The younger sibling, who played a key role in the thefts, will remain in custody, while the elder sibling is being kept on three million rubles bail. The remaining six members will stay under house arrest, according to the Ministry release, but if convicted, all eight members of the gang could face up to 10 years in prison.

The scammers executed distributed denial of service (DDoS) attacks, hacked websites, infected them with malware (Win32/Carberp and Win32/Rdpdor) and extracted funds from accounts using information lifted from each computer.

“Our experts did an enormous amount of work, which resulted in identifying the head of this criminal group, the owner and operator of a specialized banking botnet, identifying the control servers, and identifying the directing of traffic from popular websites in order to spread malware infection,” said Ilya Sachkov, Group-IB’s CEO, on the bust.

The Carberp malware began as a simple Trojan designed to steal victims’ banking credentials, but it eventually started to implement its own defenses. New iterations of the malware killed off other types of malware, targeted anti-malware software and even encrypted its own traffic, according to research done by computer security firm Seculert.

Carberp mostly thrived in Russia; in fact, infection rates even doubled from month to month at one point last fall after it meshed with the Black Hole exploit kit. This was before the malware began targeting Facebook users earlier this year, tricking some into paying attackers to unlock their profiles.
