
Group infects more than 500K systems, targets banking credentials in U.S.

Researchers with security company Proofpoint have identified a Russian-speaking cybercrime group that has infected more than 500,000 systems and is targeting online credentials for major banks in the U.S. and Europe.

The group, which Proofpoint refers to as ‘Northern Gold’ because the name kept popping up throughout the investigation, has been operating since 2008 and appears to be financially motivated, Wayne Huang, VP of Engineering at Proofpoint, said on Monday.

Using Qbot malware, also known as Qakbot, the attackers have infected more than 500,000 unique systems – nearly two million unique IP addresses – and have sniffed conversations, including account credentials, for roughly 800,000 online banking transactions, according to an analysis published Tuesday.

Almost 60 percent of sniffed sessions were from accounts at five of the largest banks in the U.S., and IP addresses in the U.S. accounted for 75 percent of infected systems, the analysis indicates. Huang would not reveal the names of impacted banks due to an ongoing investigation.

To infect systems and carry out their operation, the group begins with purchasing large password lists – many times for WordPress websites – on underground marketplaces, Huang said, explaining they will use automated tools to verify the credentials.

“These scripts they built will take the password list and try to log in,” Huang said. “If successful, then they'll mark the password as useful. This generates a big list of passwords. Then they would go into these websites by logging in, and hide within these websites somewhere what we call a webshell, which [acts as] a backdoor into the website.”
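A defender-side check for the first stage described above, as an added example that is not from Proofpoint's analysis or this article: it scans web-server log lines for scripted password checks against wp-login.php that end in a success, and for a PHP file being requested from the uploads directory (a common place to hide a webshell). The log lines, IP addresses and paths are constructed; the status-code logic relies on WordPress re-rendering the login form (200) on failure and redirecting (302) on success.

```python
import re
from collections import defaultdict

# Combined-log-format fields we need: client IP, method, path, status, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real traffic): one scripted client verifies
# passwords against wp-login.php, succeeds, then fetches a PHP file from the
# uploads tree; a second client is an ordinary, single successful login.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Oct/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.2.1"
203.0.113.7 - - [07/Oct/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.2.1"
203.0.113.7 - - [07/Oct/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.2.1"
203.0.113.7 - - [07/Oct/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.2.1"
203.0.113.7 - - [07/Oct/2014:10:00:05 +0000] "GET /wp-content/uploads/2014/10/cache.php HTTP/1.1" 200 120 "-" "python-requests/2.2.1"
198.51.100.20 - - [07/Oct/2014:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.test/wp-login.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"
198.51.100.20 - - [07/Oct/2014:10:01:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9800 "http://example.test/wp-login.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"
"""


def parse(lines):
    """Yield parsed records, silently skipping lines that do not match."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect(lines, fail_threshold=3):
    """Return {ip: [findings]} for clients showing the two indicators:
    a wp-login.php success preceded by >= fail_threshold failures from the
    same IP, and any GET of a .php file under /wp-content/uploads/."""
    fails = defaultdict(int)
    findings = defaultdict(list)
    for r in parse(lines):
        ip = r["ip"]
        if r["method"] == "POST" and r["path"].startswith("/wp-login.php"):
            if r["status"] == "200":          # form re-rendered: failed login
                fails[ip] += 1
            elif r["status"] == "302" and fails[ip] >= fail_threshold:
                findings[ip].append(
                    f"login success after {fails[ip]} failures (credential verified)")
        # Uploads should hold media, not executable scripts.
        if r["method"] == "GET" and re.match(r"^/wp-content/uploads/.*\.php", r["path"]):
            findings[ip].append(f"php under uploads: {r['path']}")
    return dict(findings)


if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG.splitlines()).items():
        print(ip, hits)
```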

When a user's browser visits the compromised websites, a traffic distribution system filters victims by IP address, browser type, operating system and other criteria in order to run an exploit without getting detected, according to the analysis.

“This is to ensure the user that gets infected is someone [the attackers] want to infect, as opposed to a crawler [such as] Google,” Huang said. “If all criteria is matched, then they'll serve an exploit. This will exploit some vulnerability inside the browser or browser plugin, and once that happens, the browser or plugin will be commanded to download the [Qbot] malware.”

All versions of Qbot are different, Huang said, explaining that this group's variant is able to sniff online banking traffic and steal online banking credentials, and also supports a feature that lets it download any piece of malware and execute it on the network.

“Qbot includes another module called ‘SocksFabric,’ which builds up a large tunneling network based on SOCKS5,” according to the analysis. “The cybercrime group offers this network as a paid tunneling service that lets attackers a) build their own ‘private cloud’ to run encrypted communications and transfer stolen data, or b) use the compromised end points as infiltration points into targeted organizations. This service can be rented to other attackers, generating additional revenue for this cybercrime group.”

Internet Explorer accounts for 82 percent of successful Qbot infections, the post indicates, and Windows XP accounts for 52 percent of infected clients, with Windows 7 accounting for 39 percent of infected clients.

The group has been able to fly under the radar for so long due to their traffic distribution system, constant use of obfuscation and by simply not “breaking” anything, Huang said.
