Cybercrime Gang Recruiting Botmasters for Large-Scale MiTM Attacks on American Banks

A slew of major American banks, some already stressed by a stream of DDoS attacks carried out over the past 10 days, may soon have to brace themselves for a large-scale coordinated attack bent on pulling off fraudulent wire transfers.

RSA’s FraudAction research team has been monitoring underground chatter and has put together various clues to deduce that a cybercrime gang is actively recruiting up to 100 botmasters to participate in a complicated man-in-the-middle hijacking scam using a variant of the proprietary Gozi Trojan.

This is the first time a private cybercrime organization has recruited outsiders to participate in a financially motivated attack, said Mor Ahuvia, cybercrime communications specialist for RSA FraudAction. The attackers are promising their recruits a cut of the profits, and are requiring an initial investment in hardware and training in how to deploy the Gozi Prinimalka Trojan, Ahuvia added. Also, the gang will only share executable files with their partners, and will not give up the Trojan’s compilers, keeping the recruits dependent on the gang for updates.

Generally, cybercrime gangs deploy as few as five individual botmasters to help in successful campaigns; with this kind of scale, banks could be facing up to 30 times the number of compromised machines and fraudulent transfers, if the campaign is successful.

“This Trojan is not well known. This is not SpyEye or Citadel; it’s not available for everyone to buy,” Ahuvia said. “Security vendors and antivirus signatures are less likely to catch it or be familiar with it. It will be tricky for vendors to detect and block it. This gang is keeping a tight hold on the compiler. By only giving up executable files, they can control how any antivirus signatures are in the wild and keep unique signatures to a minimum.”

As many as 30 banks have been targeted, many of them well known and high profile, Ahuvia said. RSA said the gang is targeting American banks because of past success in beating their defenses, as well as a lack of two-factor authentication required for wire transfers. Some European banks, for example, require consumers to use two-factor authentication. She added that RSA FraudAction was unsure how far along the recruitment campaign had gone, or when the attacks would launch.

“There is the chance that once we’ve gone public, they may abandon their plans because there’s too much buzz around it,” Ahuvia said. “On the other hand, I don’t think anything we know will have such a dramatic effect on them. There are so many Trojans available and so many points of failure in security that could go wrong, that they’d still have some chance of success.”

RSA’s researchers were able to make the connection to the Gozi Prinimalka Trojan, which has been in circulation since 2008 and is responsible for $5 million in fraud-related losses. Prinimalka is similar to the Gozi Trojan in technical and operational aspects, RSA said, leading to speculation that the HangUp Team, which was tied to previous Gozi attacks, is behind this attack as well. Prinimalka is Russian for the word “receive” and is a folder name in every URL path given by this particular gang to its crimeware servers.

Prinimalka uses the same bot-to-server communication pattern and URL trigger list as Gozi, RSA said. But deployment of the two Trojans is different: Gozi writes a single DLL file to bots upon deployment, while Prinimalka writes two, an executable file and a DAT file which reports to the command and control server.

Once the Trojan is launched, the botmaster fires up a virtual machine synching module. The module then duplicates the victim’s computer, including identifiable features such as time zone, screen resolution, cookies, browser type and version, and software identification, RSA said. This allows the botmaster to impersonate the victim’s machine and access their accounts. Access is carried out over a SOCKS proxy connection installed on the victim’s machine, RSA said.

The cloned virtual system then can move about on the genuine IP address of the compromised machine when accessing the bank website. Taking it a step further, the attackers deploy VoIP phone flooding software that will prevent the victim from receiving a confirmation call or text alerting them to unusual transfer activity, RSA said.
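The attack described above defeats two common bank-side controls at once: the cloned virtual machine and SOCKS proxy make the session indistinguishable from the customer’s own device and IP address, and the phone flooding keeps the customer from ever hearing an alert. The defensive lesson is that an alert the customer merely receives is not a control; a wire transfer should wait for a positive confirmation delivered over a channel the browser session cannot see, and silence (a jammed phone, an expired window, too many wrong codes) must be treated as a denial. The following Python is an added illustration written for this article, not code from RSA or from any bank; the class and function names, the 300-second window and the three-attempt limit are assumptions chosen for the example.

```python
"""Fail-closed out-of-band confirmation gate for wire transfers.

Added example (not from the article, RSA, or any bank). It models the
defender-side point of the scheme described above: the decision to execute a
transfer depends only on a code delivered out of band, and any outcome other
than a correct code inside the window is a denial.
"""
from dataclasses import dataclass
import hashlib
import hmac
import secrets
import time


@dataclass
class PendingTransfer:
    transfer_id: str
    amount: float
    created_at: float
    code_hash: str          # SHA-256 of the one-time code sent out of band
    attempts: int = 0
    state: str = "pending"  # pending -> executed | denied


def _hash_code(code: str) -> str:
    return hashlib.sha256(code.encode()).hexdigest()


class WireTransferGate:
    """Holds wire transfers until the customer positively confirms them."""

    def __init__(self, ttl_seconds=300, max_attempts=3, clock=time.time):
        self.ttl = ttl_seconds            # assumed confirmation window
        self.max_attempts = max_attempts  # assumed wrong-code limit
        self.clock = clock                # injectable clock for testing
        self.transfers = {}

    def request(self, transfer_id: str, amount: float) -> str:
        """Park the transfer and return the code for the out-of-band channel.

        The code is returned only so the caller can hand it to SMS/voice/app
        delivery; it is never shown in the web session that asked for the
        transfer, so a cloned browser session cannot learn it.
        """
        code = f"{secrets.randbelow(10**6):06d}"
        self.transfers[transfer_id] = PendingTransfer(
            transfer_id, amount, self.clock(), _hash_code(code))
        return code

    def confirm(self, transfer_id: str, code: str) -> str:
        """Apply a confirmation attempt; returns 'executed', 'pending' or 'denied'."""
        t = self.transfers.get(transfer_id)
        if t is None or t.state != "pending":
            return "denied"               # unknown or already-decided transfer
        if self.clock() - t.created_at > self.ttl:
            t.state = "denied"            # window closed: silence is not consent
            return "denied"
        t.attempts += 1
        if hmac.compare_digest(t.code_hash, _hash_code(code)):
            t.state = "executed"
            return "executed"
        if t.attempts >= self.max_attempts:
            t.state = "denied"            # too many wrong codes: fail closed
            return "denied"
        return "pending"

    def sweep(self) -> list:
        """Deny every pending transfer whose window closed with no response.

        This is the path a flooded phone line ends up on: nobody confirms,
        so the transfer is dropped rather than executed.
        """
        denied = []
        for t in self.transfers.values():
            if t.state == "pending" and self.clock() - t.created_at > self.ttl:
                t.state = "denied"
                denied.append(t.transfer_id)
        return denied

    def state(self, transfer_id: str) -> str:
        return self.transfers[transfer_id].state


if __name__ == "__main__":
    # Constructed walk-through: one confirmed transfer, one that times out.
    gate = WireTransferGate()
    code = gate.request("wt-demo-1", 25000.0)
    print("wt-demo-1:", gate.confirm("wt-demo-1", code))
    gate.request("wt-demo-2", 9000.0)
    print("swept:", gate.sweep())
```

Because `confirm` compares only a hash of the delivered code and every non-success path ends in `denied`, nothing the compromised machine can present (cookies, fingerprint, IP address) contributes to the decision, and the flooding described above only delays the transfer until `sweep` cancels it.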

“They are looking for this to be a quick campaign,” Ahuvia said. “They want to make as much as they can until the banks and users harden their systems. They want to cash out quickly.”



  • Anonymous on

    so where can one sign up?

  • Anonymous on

    Thanks for this article and advanced notice even though i am sure banks will sadly not take any action

  • Anonymous on

    Thank you for warning the wannabe hackers about the plans of these scammers to bilk them of their money. "Invesement" ... riiiiiiight.

  • Anonymous on

    Perhaps I can sell my slightly used Atari to the banks.

  • Anonymous on

    I am currently homeless because of the recovery and this sounds like a great opportunity to earn money from home.. could someone post the signup URL? Is Russian language required or do they accept English?

  • Anonymous on

    The question is what will they do with that money if they get it.  Distribute it to the least fortunate like Robinhood (not many of those archetypes) or become just like people with lots of money that they can't really spend and need to protect their lucre against others who don't have but are not afraid to try and steal it.  I can't wait to see what happens.  It all seems like a child's game.  If everyone had their own toys maybe it would evolve into trading and interacting for mutual benefit rather than a few kids taking all the toys and storing them away in a huge private vault.  That vault becomes irresistible to all the kids who have no toys.  Yes we are that simple.
