Researchers with security company Proofpoint have identified a cybercrime group that has infected more than 500,000 systems and is targeting online credentials for major banks in the US, Europe and Australia.
The Russian-speaking hackers, whom Proofpoint referred to as 'Northern Gold' because the name kept popping up throughout the investigation, have operated since 2008.
Their motivation appears to be financial, Wayne Huang, VP Engineering at Proofpoint, told SCMagazine.com on Monday.
Using Qbot malware, also known as Qakbot, the attackers have infected more than 500,000 unique systems – nearly two million unique IP addresses – and have sniffed conversations, including account credentials, for roughly 800,000 online banking transactions, according to an analysis [PDF] published Tuesday.
Around one percent of infected systems, or approximately 5000 of the total, are in Australia.
Almost 60 percent of sniffed sessions were from accounts at five of the largest banks in the US, and US-based IP addresses accounted for 75 percent of infected systems. Huang would not reveal the names of impacted banks due to an ongoing investigation.
To infect systems and carry out their operation, the group begins with purchasing large password lists – often for WordPress websites – on underground marketplaces, Huang said, explaining they will use automated tools to verify the credentials.
Huang explained that the hacker's scripts will attempt to log in against the password list. “If successful, then they'll mark the password as useful. This generates a big list of passwords. They log in, and hide within these websites in what we call a webshell, which [acts as] a backdoor into the website.”
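The two footholds Huang describes, bulk credential verification against WordPress logins and a PHP backdoor dropped into the site, both leave traces in an ordinary web server access log. The following Python is an added example (not code from Proofpoint or from the report) that scans constructed combined-format log lines for them. It relies on two assumptions stated in the comments: that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302, and that a POST to a .php file under wp-content/uploads is abnormal for a site that does not intentionally execute code from its upload directory. The IP addresses, timestamps and paths are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache/nginx combined format); not from the report.
# 203.0.113.7 hammers wp-login.php, gets a 302 on the seventh try, then POSTs to a
# PHP file in the upload directory. 198.51.100.5 is an ordinary successful login.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Oct/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3221 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Oct/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3221 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Oct/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3221 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Oct/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3221 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Oct/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3221 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Oct/2014:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3221 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Oct/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Oct/2014:10:00:30 +0000] "POST /wp-content/uploads/2014/10/x.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.5 - - [07/Oct/2014:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
198.51.100.5 - - [07/Oct/2014:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumption: PHP executing out of the upload directory is a web-shell indicator.
UPLOAD_PHP_RE = re.compile(r'^/wp-content/uploads/.*\.php$', re.IGNORECASE)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['path'] = rec['path'].split('?', 1)[0]   # drop the query string
    return rec


def analyze(log_text, failure_threshold=5):
    """Flag credential stuffing against wp-login.php and POSTs to upload-dir PHP.

    Assumption: WordPress answers a failed login POST with 200 (form re-rendered)
    and a successful one with 302 (redirect into wp-admin).
    """
    failures = defaultdict(int)      # per-IP count of failed login POSTs
    likely_takeover = set()          # IPs whose 302 followed many failures
    upload_php_posts = []            # (ip, path) of POSTs to .php under uploads
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, method, path, status = rec['ip'], rec['method'], rec['path'], rec['status']
        if method == 'POST' and path == '/wp-login.php':
            if status == 200:
                failures[ip] += 1
            elif status == 302 and failures[ip] >= failure_threshold:
                likely_takeover.add(ip)
        if method == 'POST' and UPLOAD_PHP_RE.match(path):
            upload_php_posts.append((ip, path))
    return {
        'credential_stuffing': {ip: n for ip, n in failures.items() if n >= failure_threshold},
        'likely_takeover': sorted(likely_takeover),
        'upload_php_posts': upload_php_posts,
    }


if __name__ == '__main__':
    for key, value in analyze(SAMPLE_LOG).items():
        print(f'{key}: {value}')
```

The threshold is deliberately low so the sample triggers; on a real site you would tune it per time window and correlate with the source IP's user agent and referrer, since the verification scripts Huang describes run unattended and rarely look like a browser session. The upload-directory rule is cheap to enforce outright by denying PHP execution under wp-content/uploads at the web server, which removes the most common place a webshell of this kind lands.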
When a user's browser visits the compromised websites, a traffic distribution system filters victims by IP address, browser type, operating system and other criteria in order to run an exploit without getting detected, according to the analysis.
“This is to ensure the user infected is someone [the attackers] want to infect, as opposed to a crawler [such as] Google,” Huang said. “If all criteria are matched, then they'll serve an exploit. This will exploit some vulnerability inside the browser or browser plugin, and once that happens, the browser or plugin will be commanded to download the [Qbot] malware.”
All versions of Qbot are different, Huang said, explaining that this group's variant of the malware is able to sniff online banking traffic and steal online banking credentials, as well as support a feature that enables it to download any piece of malware and execute it on the network.
“Qbot includes another module called 'SocksFabric,' which builds up a large tunneling network based on SOCKS5,” according to the analysis. “The cybercrime group offers this network as a paid tunneling service that lets attackers a) build their own 'private cloud' to run encrypted communications and transfer stolen data, or b) use the compromised end points as infiltration points into targeted organizations. This service can be rented to other attackers, generating additional revenue for the cybercrime group.”
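A SOCKS5 tunnel like the one the analysis attributes to SocksFabric has a fixed, unencrypted handshake (RFC 1928, with the optional username/password sub-negotiation of RFC 1929), so a workstation that suddenly starts answering SOCKS5 greetings, or initiating them toward arbitrary hosts, stands out in captured traffic. The Python below is an added example, not code from the report or from any Proofpoint tool: it parses the opening bytes of both directions of a TCP stream and reports whether they form a SOCKS5 handshake and, if so, where the proxied connection was headed. The byte strings are constructed sample handshakes using reserved addresses and a made-up hostname.

```python
import struct
import ipaddress

SOCKS_VER = 0x05
CMD_NAMES = {0x01: 'CONNECT', 0x02: 'BIND', 0x03: 'UDP_ASSOCIATE'}
METHOD_NAMES = {0x00: 'NO_AUTH', 0x02: 'USERNAME_PASSWORD', 0xFF: 'NO_ACCEPTABLE'}


def parse_greeting(data):
    """Client greeting: VER NMETHODS METHODS[NMETHODS]. Returns (methods, bytes consumed) or None."""
    if len(data) < 2 or data[0] != SOCKS_VER:
        return None
    n = data[1]
    if n == 0 or len(data) < 2 + n:
        return None
    return list(data[2:2 + n]), 2 + n


def parse_request(data):
    """Client request: VER CMD RSV ATYP DST.ADDR DST.PORT. Returns a dict or None."""
    if len(data) < 4 or data[0] != SOCKS_VER or data[2] != 0x00:
        return None
    cmd, atyp, off = data[1], data[3], 4
    if atyp == 0x01:                                  # IPv4, 4 bytes
        if len(data) < off + 6:
            return None
        host = str(ipaddress.IPv4Address(bytes(data[off:off + 4]))); off += 4
    elif atyp == 0x03:                                # domain name, length-prefixed
        if len(data) < off + 1:
            return None
        ln = data[off]; off += 1
        if len(data) < off + ln + 2:
            return None
        host = bytes(data[off:off + ln]).decode('ascii', 'replace'); off += ln
    elif atyp == 0x04:                                # IPv6, 16 bytes
        if len(data) < off + 18:
            return None
        host = str(ipaddress.IPv6Address(bytes(data[off:off + 16]))); off += 16
    else:
        return None
    port = struct.unpack('!H', data[off:off + 2])[0]
    return {'cmd': CMD_NAMES.get(cmd, f'UNKNOWN({cmd})'), 'host': host, 'port': port}


def classify_stream(client_bytes, server_bytes):
    """Classify the first bytes of each direction of a TCP stream as SOCKS5 or not."""
    g = parse_greeting(client_bytes)
    if g is None:
        return {'socks5': False}
    methods, off = g
    result = {'socks5': True,
              'offered_methods': [METHOD_NAMES.get(m, hex(m)) for m in methods]}
    # Server method selection: VER METHOD
    if len(server_bytes) >= 2 and server_bytes[0] == SOCKS_VER:
        chosen = server_bytes[1]
        result['chosen_method'] = METHOD_NAMES.get(chosen, hex(chosen))
        if chosen == 0x02:
            # RFC 1929 sub-negotiation: VER=1 ULEN UNAME PLEN PASSWD. Skip past it
            # (the credentials themselves are not needed to recognise the tunnel).
            try:
                if client_bytes[off] == 0x01:
                    ulen = client_bytes[off + 1]
                    plen = client_bytes[off + 2 + ulen]
                    off += 3 + ulen + plen
            except IndexError:
                return result                     # truncated capture; greeting alone suffices
    req = parse_request(client_bytes[off:])
    if req is not None:
        result['request'] = req
    return result


# Constructed samples (not captured traffic). 'bank.example' and 192.0.2.10 are placeholders.
CLIENT_NOAUTH = b'\x05\x01\x00' + b'\x05\x01\x00\x03\x0cbank.example\x01\xbb'   # CONNECT :443
SERVER_NOAUTH = b'\x05\x00'
CLIENT_USERPASS = (b'\x05\x02\x00\x02' + b'\x01\x04user\x04pass'
                   + b'\x05\x01\x00\x01\xc0\x00\x02\x0a\x00\x50')               # CONNECT :80
SERVER_USERPASS = b'\x05\x02\x01\x00'

if __name__ == '__main__':
    print(classify_stream(CLIENT_NOAUTH, SERVER_NOAUTH))
    print(classify_stream(CLIENT_USERPASS, SERVER_USERPASS))
    print(classify_stream(b'GET / HTTP/1.1\r\n', b'HTTP/1.1 200 OK\r\n'))
```

In practice you would feed this the first client and server segments of each flow from a packet capture or a network sensor's stream reassembly, and alert when the answering host is not a sanctioned proxy. A matching `request` entry is the useful part of the alert: it names the organisation or service the rented tunnel was being used to reach, which is exactly the "infiltration point" use the analysis describes.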
Internet Explorer accounts for 82 percent of successful Qbot infections; among infected clients, Windows XP accounts for 52 percent and Windows 7 for 39 percent.
The group has been able to fly under the radar for so long due to their traffic distribution system, constant use of obfuscation and by simply not "breaking" anything, Huang said.