
Cyber Crime Trends

Darrent Ng
APAC – Enterprise Sales
Group-IB

450+ protected clients around the world
60% annual revenue growth
Recognized by top industry experts
60,000+ hours of experience in incident response
400+ cybersecurity specialists and developers

Official partner / recommended by / some of our high-end clients: Europol, Interpol, OSCE, SWIFT, Deutsche Bank, Raiffeisen Bank, Huawei, Commonwealth Bank, Sony
APAC Cybercrime Trends: Motivation

• Hackers and groups with implicit motivation
• Cyberterrorists and hacktivists
• Cyber armies and state-sponsored groups
• Financially motivated cybercriminals
Executive Summary Q2 2020

APT campaigns against financial organizations:

• Upgraded tools & new attacks from Lazarus (N. Korea)
• Undetected attacks from Leery Turtle hackers on cryptocurrency exchange companies
• FIN6 attacks on financial, construction and trade organizations in the US & Europe
• Discovery of an email campaign involving more_eggs malware; either FIN6 or the Cobalt group is the culprit
Advanced Threats in the Financial Sector

Financial Threats in APAC

• Anubis, an Android banking Trojan, was involved in attacks against users in Malaysia
• Gozi v3, a new version of the banking Trojan Gozi/ISFB, targets Australian banks
• Attacks by threat group ShadowSinger on mobile devices of users in Malaysia & Vietnam
• A database ‘SCARFACE-DISCOUNT-SALE’ with 400,000 US and South Korean cards was put up for sale on the Joker’s Stash underground card shop
• A database of 10,000 SG bank cards ’13.05-SINGAPORE SNIFFED’ was published on Feshop
• The PerSwaysion campaign saw phishing attacks against top managers of >150 international organizations from the US, Canada, Germany, UK, HK, SG and more
• Attacks by the ransomware group Maze on ST Engineering and other US companies
Anubis

• Active since 2017
• Distributed through Google Play Market and phishing
• Masquerading as innocuous apps
• 260+ target applications
Anubis functionality

• Capturing screenshots, recording audio
• Enabling or changing administration settings
• Opening and visiting any URL
• Disabling Play Protect
• Making phone calls, stealing the contact list
• Controlling the device via VNC, capturing commands from Twitter and Telegram
• Searching for files, retrieving the GPS location, reading the device ID
• Sending, receiving and deleting SMS
• Locking the device
• Encrypting files on the device and external drives
PerSwaysion

• Active since at least mid-2019
• Target: management and executives of more than 150 companies around the world
• Access to confidential corporate MS Office 365 emails
• Focus on financial services companies, law firms, and real estate companies
Lazarus ClientToken Campaign: JS Sniffers

Key findings:
• Campaign started in May 2019
• Group-IB specialists identified 20 victims of this campaign: these websites were infected with the ClientToken JS sniffer

Known infection sources:
• areac-agr[.]com
• darvishkhan[.]net
• luxmodelagency[.]com
• signedbooksandcollectibles[.]com
• stefanoturco[.]com
• technokain[.]com
• pantandwag[.]com
• serficoop[.]com
BTC Changer campaign

Key findings:
• Campaign started in February 2020
• First transaction to the attackers’ BTC wallet took place on 5 March 2020
• Attackers used a modified version of the ClientToken JS sniffer to replace the destination BTC address during payment
• Attackers earned 0.66983720 BTC (~7800 USD)
• Two victims are an Italian-based shop of luxury clothes and a Netherlands-based supplier of chemicals

Preloader campaign

Key findings:
• Campaign started in February - March 2020
• Attackers created a new exfiltration gate for each new victim
• Researchers found 3 victims: Claire’s, Paper Source, Focus Camera
• Group-IB specialists found two more gates created by the attackers, which may mean that there were two more victims
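The three campaigns above share one defensive lesson: a JS sniffer is an extra script that appears on a payment page, either loaded from a domain the site never used before or injected inline. The following audit script is an added example, not Group-IB code or any tooling from the slides. It parses a checkout page, flags external scripts from hosts outside an allowlist, flags allowed external scripts that lack Subresource Integrity, and fingerprints inline scripts so they can be compared with a known-good baseline. The allowlist, the sample page, the `static-gate.invalid` host and the baseline hash are all constructed for the example.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of hosts permitted to serve scripts on the checkout page
# (assumption for the example; a real deployment derives this from the site's build).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.example"}


class ScriptCollector(HTMLParser):
    """Collects every <script> element: external src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def sri_hash(body: str) -> str:
    """SRI-style sha384 digest of script text, used as a fingerprint for inline scripts."""
    digest = hashlib.sha384(body.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode()


def audit_scripts(html: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (kind, detail) findings for the script changes a sniffer injection typically causes."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or ""
            if host not in allowed_hosts:
                findings.append(("unknown-external-script", s["src"]))
            elif not s["integrity"]:
                findings.append(("missing-sri", s["src"]))
        else:
            findings.append(("inline-script", sri_hash(s["body"])))
    return findings


def new_inline_scripts(findings, baseline_hashes):
    """Inline scripts whose fingerprint is not in the known-good baseline of the release."""
    return [h for kind, h in findings if kind == "inline-script" and h not in baseline_hashes]


# Constructed checkout page: one pinned script, one legitimate inline block, one injected
# third-party script, one allowed script without SRI, and one injected inline block.
SAMPLE_PAGE = """<html><body>
<script src="https://cdn.example/checkout.js" integrity="sha384-placeholder"></script>
<script>window.shop = {currency: "EUR"};</script>
<script src="https://static-gate.invalid/ct.js"></script>
<script src="https://cdn.example/analytics.js"></script>
<script>var t = 1;</script>
</body></html>"""

# Baseline computed from the known-good release of the page (constructed).
BASELINE_INLINE_HASHES = {sri_hash('window.shop = {currency: "EUR"};')}

if __name__ == "__main__":
    found = audit_scripts(SAMPLE_PAGE)
    for kind, detail in found:
        print(kind, detail)
    print("inline scripts not in baseline:", new_inline_scripts(found, BASELINE_INLINE_HASHES))
```

Run against a live page on a schedule, a non-empty `unknown-external-script` or "not in baseline" result is exactly the signal the Preloader victims lacked: a new gate domain or a new inline block on the checkout page. The check is only as good as the allowlist and baseline, so both must be regenerated from each release.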
Connections with other attacks of the Lazarus group

technokain[.]com
In June 2019 the Lazarus group conducted an attack with the use of a malicious document, which downloaded an additional payload from the compromised website technokain[.]com.

darvishkhan[.]net
On June 27, 2019 the Lazarus group conducted a campaign against crypto traders. The malicious document contained a payload which tried to download the next payload from the compromised website darvishkhan[.]net.

areac-agr[.]com
The compromised website areac-agr[.]com was used for storing components of a Dacls RAT sample, which was detected on October 25, 2019.

papers0urce[.]com
During the same campaign using Dacls RAT, which was detected on October 25, 2019, one of the hardcoded C2 server IP addresses was discovered: 23.81.246.179. On February 10, 2020 the same IP address appeared in the A-record of the domain name papers0urce[.]com, which was used as the gate address for exfiltration of cards intercepted by the Preloader JS sniffer.
Carding

                  Text data       Dumps
Total number      12,540,190      31,213,941
Market volume     $179,159,552    $700,520,520
Lowest price      $0.7            $0.5
Highest price     $150            $500
Average price     $14.29          $22.44

• The average price of text data has risen by 5 dollars
• The average price of card dumps is down by 11 dollars
• The number of compromised cards has risen by 16.7 million

POS trojans

• 80% of the carding market are card dumps
• The number of dumps increased by 46% during the previous year
• The main way to obtain card dumps – POS trojans
FIN6

• Attacks on point-of-sale (PoS) data and e-commerce sites
• Partnership with Trickbot
• More_eggs malware – JS backdoor (also used by Cobalt)
Ransomware epidemic

BIG GAME HUNTERS
Ryuk, DoppelPaymer, QBot, ProLock, REvil, Maze, Dharma

INCREASE IN RANSOMWARE ATTACKS
40% YoY

TRENDS
• Phishing emails, as the most common technique used for initial access
• Big Game Hunters are more frequently using different trojans to gain an initial foothold in the target network
• Big Game Hunters started to not only deploy ransomware in enterprise networks but also exfiltrate large amounts of sensitive data
Big Game Hunting is on the Rise!

$1.8 MILLION: the average ransom demand over the past six months (based on more than 150 attacks we observed)

Big Game Hunters are adversaries performing semi-targeted attacks focused on big companies with outstanding revenues. Such attacks are commonly associated with ransomware distribution, so the most important thing for attackers is the ability of the victim to pay a high ransom, from a few hundred thousand to a few million.
Common Entry Vectors

• Weak RDP credentials
• Phishing (attachments, links, fake websites)
• Exploiting public-facing applications (Oracle WebLogic Server, Pulse Secure VPN, F5 BIG-IP)
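Weak RDP credentials are the first vector on the list, and the attack that exploits them (password guessing) leaves a distinctive trail in the Windows Security log: a burst of 4625 failures from one source address, often followed by a 4624 success for the account that was guessed. The detector below is an added example, not something from the slides. It runs a sliding window per source address over event lines, raises one alert when a source crosses the failure threshold inside the window, and records a later success from the same source. The log lines are constructed and flattened into a simple key=value form; real events would be read from the event log or a SIEM, and the threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security log events flattened to one line each (not from the slides):
# timestamp, event ID, logon type, account and source address.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    "2020-06-01T02:00:01 4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-06-01T02:00:14 4625 LogonType=10 User=admin Src=203.0.113.7",
    "2020-06-01T02:00:29 4625 LogonType=10 User=backup Src=203.0.113.7",
    "2020-06-01T02:00:41 4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-06-01T02:00:55 4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-06-01T02:01:10 4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-06-01T02:03:30 4624 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-06-01T08:15:02 4625 LogonType=10 User=j.smith Src=198.51.100.5",
    "2020-06-01T08:15:20 4624 LogonType=10 User=j.smith Src=198.51.100.5",
]


def parse_event(line: str) -> dict:
    """Parse one flattened event line into a dict with a datetime and lower-cased field names."""
    ts, event_id, *fields = line.split()
    rec = {"time": datetime.fromisoformat(ts), "event_id": int(event_id)}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key.lower()] = value
    return rec


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Alert once per source that produces `threshold` RDP logon failures within `window`,
    and note whether that source later logs on successfully (the password was guessed)."""
    recent = defaultdict(deque)  # source address -> timestamps of failures inside the window
    alerts_by_src = {}
    alerts = []
    for rec in map(parse_event, lines):
        # Type 10 is interactive RDP; type 3 covers RDP behind NLA, where failures are
        # logged as network logons.
        if rec.get("logontype") not in {"10", "3"}:
            continue
        src = rec["src"]
        if rec["event_id"] == 4625:
            q = recent[src]
            q.append(rec["time"])
            while q and rec["time"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in alerts_by_src:
                alert = {"src": src, "failures": len(q), "first": q[0],
                         "last": rec["time"], "success_after": None}
                alerts_by_src[src] = alert
                alerts.append(alert)
        elif rec["event_id"] == 4624 and src in alerts_by_src:
            alerts_by_src[src]["success_after"] = (rec["user"], rec["time"])
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"{a['src']}: {a['failures']} RDP failures between {a['first']} and {a['last']}; "
              f"success afterwards: {a['success_after']}")
```

The single mistyped password from 198.51.100.5 never reaches the threshold, while 203.0.113.7 is flagged on its fifth failure and the later 4624 for `administrator` turns the alert from "someone is guessing" into "someone is in". An account lockout policy and RDP behind a VPN or gateway with MFA remove the vector; this detection is the safety net for the hosts where that has not happened yet.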
Banking Trojans

• Trickbot - may lead to Ryuk or Conti deployment
• Dridex - may lead to DoppelPaymer deployment
• Qakbot - may lead to ProLock deployment
• SDBBot - may lead to Clop deployment
Network reconnaissance and Lateral Movement

• Metasploit
• Cobalt Strike
• CrackMapExec
• PowerShell Empire
• PoshC2
• Koadic

Are you able to detect it in your environment?
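The question on the slide deserves a concrete answer. The frameworks listed all lean on a few host-level behaviours that ordinary telemetry records: PowerShell launched with an encoded command (Empire, PoshC2 and Cobalt Strike launchers), a service installed on a remote host to run code (PsExec and its reimplementations), and a shell spawned by an Office application after a phishing document. The script below is an added example of detection logic over such telemetry, not Group-IB code or any vendor rule set. The System log 7045 and Security log 4688 records are constructed; the encoded command is a harmless `Write-Output` built inside the example so the decoder has something to decode.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match every prefix rather than only the full switch name.
ENCODED_SWITCHES = {"encodedcommand"[:n] for n in range(1, len("encodedcommand") + 1)}
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path or command token."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str):
    """Return the decoded script if the command line carries an encoded command, else None.
    PowerShell expects the payload as base64 of UTF-16LE text."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith("-") and tok[1:].lower() in ENCODED_SWITCHES and BASE64_RE.match(tokens[i + 1]):
            try:
                return base64.b64decode(tokens[i + 1]).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def analyze_events(events):
    """Return (host, rule, detail) findings for the lateral-movement patterns described above."""
    findings = []
    for ev in events:
        if ev["event_id"] == 7045:
            # A service install is how PsExec-style tools run code on a remote host. The name
            # check only catches the default service name; renamed copies need the image path
            # and named-pipe telemetry as well.
            if ev["service_name"].upper() == "PSEXESVC" or "psexesvc" in ev["image_path"].lower():
                findings.append((ev["host"], "remote-service-install-psexec", ev["service_name"]))
        elif ev["event_id"] == 4688:
            cmd = ev["command_line"]
            image = basename(cmd.split()[0])
            if image in {"powershell.exe", "pwsh.exe"}:
                decoded = decode_encoded_command(cmd)
                if decoded is not None:
                    findings.append((ev["host"], "powershell-encoded-command", decoded))
            parent = basename(ev.get("parent", ""))
            if parent in OFFICE_PARENTS and image in SHELLS:
                findings.append((ev["host"], "office-spawned-shell", f"{parent} -> {image}"))
    return findings


def build_sample_events():
    """Constructed telemetry (not from the slides): 7045 service installs and 4688 process
    creations with command line and parent, as a SIEM would normalise them."""
    encoded = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode()
    return [
        {"event_id": 7045, "host": "FILESRV01", "service_name": "PSEXESVC",
         "image_path": r"%SystemRoot%\PSEXESVC.exe"},
        {"event_id": 7045, "host": "FILESRV01", "service_name": "Spooler",
         "image_path": r"C:\Windows\System32\spoolsv.exe"},
        {"event_id": 4688, "host": "WKS-042", "parent": r"C:\Windows\explorer.exe",
         "command_line": "powershell.exe -nop -w hidden -enc " + encoded},
        {"event_id": 4688, "host": "WKS-042", "parent": r"C:\Windows\explorer.exe",
         "command_line": r"powershell.exe -File C:\scripts\backup.ps1"},
        {"event_id": 4688, "host": "WKS-042", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
         "command_line": "cmd.exe /c whoami"},
    ]


if __name__ == "__main__":
    for host, rule, detail in analyze_events(build_sample_events()):
        print(f"{host}: {rule}: {detail}")
```

Two prerequisites decide whether these rules fire at all: 4688 must be enabled with command-line logging, and System log 7045 events must be forwarded from servers, not just workstations. Decoding the encoded command in the alert itself saves the analyst a round trip and lets the rule be extended with content checks on the decoded script.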
Data exfiltration
Maze

• Use of Spelevo and Fallout exploit toolkits
• Compromise of entire network infrastructures
• Use of post-exploitation frameworks
• Creation of websites for stolen data publication

Ryuk

• Use of Emotet and Trickbot for initial access and persistence
• Compromise of entire network infrastructures
• Use of post-exploitation frameworks
• Use of PsExec and Group Policies
Commercial espionage: RedCurl

• Active since 2018
• Main goal – corporate espionage and documentation theft
• Targeted attacks on predefined departments
• For 2 to 6 months in the victim’s network
• Instrumentation – PowerShell scripts

RedCurl Unique TTP

• Minimal use of binary code
• Use of legitimate cloud storage to control infected hosts
• Use of special scripts for fake Outlook windows demonstration
• The group has a dwell time of 2-6 months
The Power of PowerShell

The vast majority of tools used in RedCurl campaigns are Windows PowerShell scripts. For instance, a PowerShell script was used to launch RedCurl.
TTPs
10 recommendations for preventing attacks

Be able to detect post exploitation tools on your network!!!


Thank you
