Darrent Ng
APAC – Enterprise Sales
Group-IB
60 000+ hours of experience in Incident Response
400+ cybersecurity specialists and developers
450+ and 60% (figure captions not recoverable from the slide)
Recognized by top industry experts
Europol, Interpol, OSCE, SWIFT, Deutsche Bank, Raiffeisen Bank, Huawei, Commonwealth Bank, Sony
APAC Cybercrimes Trends
Motivation:
• Cyberterrorists and hacktivists
• Financially motivated cybercriminals
Executive Summary Q2 2020
• Anubis, an Android banking Trojan, was involved in attacks against users in Malaysia
• Gozi v3, a new version of the banking Trojan Gozi/ISFB, targets Australian banks
• Attacks by the threat group ShadowSinger on mobile devices of users in Malaysia and Vietnam
• A database ‘SCARFACE-DISCOUNT-SALE’ with 400,000 US and South Korean cards was put up for sale on the Joker’s Stash underground card shop
• A database of 10,000 SG bank cards, ’13.05-SINGAPORE SNIFFED’, was published on Feshop
• The PerSwaysion campaign saw phishing attacks against top managers of more than 150 international organisations from the US, Canada, Germany, the UK, HK, SG and more
• Attacks by the ransomware group Maze on ST Engineering and other US companies
Anubis
Key findings:
• Campaign started in May 2019;
• Group-IB specialists identified 20 victims of this campaign: these websites were infected with the ClientToken JS sniffer.
technokain[.]com
In June 2019 the Lazarus group conducted an attack using a malicious document, which downloaded an additional payload from the compromised website technokain[.]com.

darvishkhan[.]net
On June 27, 2019 the Lazarus group conducted a campaign against crypto traders. The malicious document contained a payload which tried to download the next payload from the compromised website darvishkhan[.]net.

areac-agr[.]com
The compromised website areac-agr[.]com was used for storing components of a Dacls RAT sample, which was detected on October 25, 2019.

papers0urce[.]com
During the same campaign using Dacls RAT, which was detected on October 25, 2019, one of the hardcoded C2 server IP addresses was discovered: 23.81.246.179. On February 10, 2020 the same IP address appeared in the A-record of the domain name papers0urce[.]com, which was used as the gate address for exfiltration of cards intercepted by the Preloader JS sniffer.
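The infrastructure pivot described above (a C2 address from a malware sample later resolving for a card-exfiltration domain) can be reproduced as a join between malware-config extractions and passive-DNS A-records. The script below is an added example and not Group-IB code or tooling; only the IP address 23.81.246.179, the domain papers0urce[.]com and the two dates come from the slide. The record layout, the other rows and the helper names (`refang`, `defang`, `pivot_by_ip`) are assumptions made for illustration.

```python
"""Infrastructure pivot on a shared IP address.

Added example (not Group-IB's code or tooling). It reproduces, over a small
constructed data set, the overlap described on the slide: a C2 IP address
hardcoded in a Dacls RAT sample later showing up in the A-record of the
JS-sniffer gate domain papers0urce[.]com. Only the IP, the domain and the two
dates come from the slide; the other rows, the record layout and the helper
names are assumptions made for illustration.
"""
import ipaddress
from collections import defaultdict
from datetime import date


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("example[.]com") into its plain form for lookups."""
    return ioc.replace("[.]", ".")


def defang(ioc: str) -> str:
    """Write an indicator back in defanged form so it cannot be clicked by accident."""
    return ioc.replace(".", "[.]")


# Constructed malware-config extractions: (family, c2_ip, observed).
# The Dacls row uses the values from the slide; the second row is noise.
MALWARE_C2 = [
    ("Dacls RAT", "23.81.246.179", date(2019, 10, 25)),
    ("unrelated-family", "203.0.113.99", date(2020, 3, 1)),  # TEST-NET-3 address, constructed
]

# Constructed passive-DNS style A-records: (domain, ip, first_seen).
# Indicators are stored defanged; again only the first row is from the slide.
A_RECORDS = [
    ("papers0urce[.]com", "23.81.246.179", date(2020, 2, 10)),
    ("shop-example[.]test", "203.0.113.7", date(2020, 1, 5)),       # constructed noise
    ("another-example[.]test", "198.51.100.20", date(2019, 9, 1)),  # constructed noise
]


def pivot_by_ip(c2_records, a_records):
    """Link every C2 IP to the domains whose A-record pointed at the same address.

    Returns {c2_ip: [(family, c2_observed, defanged_domain, first_seen, gap_days)]}.
    gap_days is how long after the C2 observation the DNS record first appeared;
    a negative value means the domain resolved there before the sample was seen.
    """
    by_ip = defaultdict(list)
    for domain, ip, seen in a_records:
        by_ip[str(ipaddress.ip_address(ip))].append((refang(domain), seen))

    links = {}
    for family, ip, observed in c2_records:
        ip = str(ipaddress.ip_address(ip))  # normalises and rejects malformed indicators
        for domain, seen in by_ip.get(ip, []):
            links.setdefault(ip, []).append(
                (family, observed, defang(domain), seen, (seen - observed).days)
            )
    return links


if __name__ == "__main__":
    for ip, hits in pivot_by_ip(MALWARE_C2, A_RECORDS).items():
        for family, observed, domain, seen, gap in hits:
            print(f"{defang(ip)}: {family} C2 seen {observed} -> {domain} "
                  f"A-record first seen {seen} (+{gap} days)")
```

Running it prints the single link the slide describes, with the 108-day gap between the Dacls RAT detection and the first A-record sighting; the two constructed noise rows share no address and are ignored. Keeping indicators defanged in storage and refanging only for the lookup is a deliberate choice so that reports and notebooks never carry live links.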
Carding

                  Text data       Dumps
Market volume     $179 159 552    $700 520 520
Lowest price      $0.7            $0.5
Highest price     $150            $500
Average price     $14.29          $22.44

The average price of card dumps is down by 11 dollars.
The number of compromised cards has risen by 16.7 million.
POS trojans

TRENDS
§ Metasploit
§ Cobalt Strike
§ CrackMapExec
§ PowerShell Empire
§ PoshC2
§ Koadic
Are you able to detect it in your environment?

Data exfiltration

Maze