Almost 60 percent of sniffed sessions were from accounts at five of the largest banks in the U.S.

Researchers with security company Proofpoint have identified a Russian-speaking cybercrime group that has infected more than 500,000 systems and is targeting online banking credentials for major banks in the U.S. and Europe.

The group, which Proofpoint is referring to as 'Northern Gold' because the name kept popping up throughout the investigation, has been operating since 2008 and its motivation appears to be financial, Wayne Huang, VP Engineering at Proofpoint, told SCMagazine.com on Monday.

Using Qbot malware, also known as Qakbot, the attackers have infected more than 500,000 unique systems – nearly two million unique IP addresses – and have sniffed conversations, including account credentials, for roughly 800,000 online banking transactions, according to an analysis published Tuesday.

Almost 60 percent of sniffed sessions were from accounts at five of the largest banks in the U.S., and IP addresses in the U.S. accounted for 75 percent of infected systems, the analysis indicates. Huang would not reveal the names of impacted banks due to an ongoing investigation.

To infect systems and carry out their operation, the group begins by purchasing large password lists – often for WordPress websites – on underground marketplaces, Huang said, explaining that they use automated tools to verify which credentials still work.

“These scripts they built will take the password list and try to log in,” Huang said. “If successful, then they'll mark the password as useful. This generates a big list of passwords. Then they would go into these websites by logging in, and hide within these websites somewhere what we call a webshell, which [acts as] a backdoor into the website.”

When a user's browser visits one of the compromised websites, a traffic distribution system filters victims by IP address, browser type, operating system and other criteria so that the exploit is served only to suitable targets and stays hidden from everyone else, according to the analysis.
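The two server-side stages described above, credential stuffing against WordPress logins and a planted webshell, both leave traces in an ordinary web-server access log. The following is an added example, not Proofpoint's tooling or anything from the analysis: it parses constructed combined-format log lines and flags (a) an IP that hammers wp-login.php in a short window, using the fact that a failed WordPress login re-renders the form with HTTP 200 while a success redirects with 302, and (b) PHP being executed out of wp-content/uploads, a directory that should only hold media. The log lines, the five-minute window and the five-attempt threshold are all assumptions chosen for illustration; the client-side traffic distribution stage is not visible in a site's own logs and is not covered here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access log (not real traffic). Three actors:
# 203.0.113.5 runs a credential-stuffing script, 198.51.100.7 hits a planted
# PHP file under uploads/, and 192.0.2.9 is a single legitimate login.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2014:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.2.1"
203.0.113.5 - - [10/Oct/2014:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.2.1"
203.0.113.5 - - [10/Oct/2014:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.2.1"
203.0.113.5 - - [10/Oct/2014:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.2.1"
203.0.113.5 - - [10/Oct/2014:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.2.1"
203.0.113.5 - - [10/Oct/2014:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.2.1"
203.0.113.5 - - [10/Oct/2014:08:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.2.1"
203.0.113.5 - - [10/Oct/2014:08:00:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.2.1"
192.0.2.9 - - [10/Oct/2014:08:30:00 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0 (Windows NT 6.1)"
192.0.2.9 - - [10/Oct/2014:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.org/wp-login.php" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [10/Oct/2014:10:15:00 +0000] "POST /wp-content/uploads/2014/10/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2014:10:16:30 +0000] "POST /wp-content/uploads/2014/10/cache.php HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed indicator: PHP executing from the media upload tree.
UPLOADS_PHP = re.compile(r"^/wp-content/uploads/.*\.php\d?$")


def parse_log(text):
    """Parse combined-format lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        events.append(d)
    return events


def credential_stuffing(events, window=timedelta(minutes=5), threshold=5):
    """Return {ip: (login_posts, redirects)} for IPs with at least `threshold`
    POSTs to wp-login.php inside any `window`. A 302 after a run of 200s is
    the moment a password from the bought list gets marked as useful."""
    per_ip = defaultdict(list)
    for e in events:
        if e["method"] == "POST" and e["path"].split("?")[0].endswith("/wp-login.php"):
            per_ip[e["ip"]].append(e)
    hits = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end, e in enumerate(evs):          # sliding window over sorted times
            while e["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            successes = sum(1 for e in evs if e["status"] == 302)
            hits[ip] = (len(evs), successes)
    return hits


def webshell_candidates(events):
    """Distinct (ip, path) pairs that executed PHP under wp-content/uploads.
    Heuristic, not a signature: verify the file on disk before acting."""
    return sorted({(e["ip"], e["path"].split("?")[0]) for e in events
                   if UPLOADS_PHP.match(e["path"].split("?")[0])})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, (attempts, ok) in credential_stuffing(evs).items():
        print(f"stuffing: {ip} {attempts} login POSTs, {ok} succeeded")
    for ip, path in webshell_candidates(evs):
        print(f"webshell?: {ip} -> {path}")
```

The stuffing detector keys on request rate and the 200/302 pattern rather than on usernames, because a stock access log does not record the POST body; if your login plugin or WAF logs the attempted username, adding a distinct-username count per IP makes the same check far harder to evade by slowing down. The uploads check is deliberately narrow; a real webshell hunt would also diff the file tree against a clean copy of the theme and plugins.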