In the past weeks, we have analyzed the evolution of cyber criminal communities worldwide, focusing on illicit activities in the Deep Web. To simplify the approach we have considered the principal cyber criminal communities (Russia, Brazil, North America, Japan, China, Germany) as separated entities, instead, these ecosystems interact each other in a way that Kaspersky experts have analyzed.
Experts from Kaspersky Lab have analyzed the interaction between the Russian and Brazilian criminal communities, a dangerous interaction that is leading to a rapid evolution of hacking tools.
The experts at Kaspersky Lab demonstrated that Brazilian and Russian-speaking criminals have an intense cooperation, Brazilian criminals use to buy malware samples from the Russian peers operating the principal underground forums. Typically they pay for exploit kits, ATM or PoS malware and also hacking services.
The first example of collaboration is dated back 2011, when Brazilian cyber criminals have been actively abusing malicious PAC scripts to redirect victims to phishing pages. A few months later, cyber criminals behind the Russian banking Trojan Capper adopted the same technique.
“We saw the first sign of this ‘partnership’ in the development of malware using malicious PAC scripts. This technique was heavily exploited by Brazilian malware starting in 2011 and was later adopted by Russian banking Trojan Capper. ” states the analysis published by Kaspersky.
The experts highlight that cooperation runs both ways, helping to speed up the growth of hacking capabilities of both communities and also malware evolution.
“As we know, they are in touch with cybercriminals from Eastern Europe, mainly Russians, where they exchange information, malware source code and services that will be used in Brazilian attacks. We can see that many of the attacks used in Brazil were first seen in Russian malware as well as Brazilian techniques later being used in Russian attacks.” continues Kaspersky.
The researchers collected evidence of the profitable collaboration, in one discussion thread on an underground forum frequented by Russian hackers a user behind the moniker “Doisti74” expressed his interest in buying compromised machines located in Brazil. The same user is present in the Brazilian underground scene and researchers believe he could be interested in launching malware-based campaign in Brazil.
Brazilian crooks are looking with increasing interest at ransomware, some years ago experts at Kaspersky discovered the threat TorLocker developed by Brazilian malware developers. Some months ago, Kaspersky has spotted another ransomware based on the Hidden Tear source code that was adapted to target Brazilian users.
Crooks belonging to the two criminal underground communities also use to share malicious infrastructure, this is the case of a number of Boleto malware campaigns observed in Brazil that were relying on the same infrastructure used months before by operators behind the Russian banking Trojan family (Crishi).
The researchers have illustrated in details numerous evidence they collected related to the collaboration between Russian and Brazilian hackers, the experts highlighted that Brazilian banking malware has rapidly evolved in the last years thanks to this interaction.
“Just a few years ago, Brazilian banking malware was very basic and easy to detect,” said Thiago Marques, security researcher at Kaspersky Lab.
“With time, however, the malware authors have adopted multiple techniques to avoid detection, including code obfuscation, root and bootkit functions and so on, making their malware much more sophisticated and harder to combat.
“This is thanks to malicious technologies developed by Russian-speaking criminals. And this cooperation works both ways.”
I have no doubt, cybercrime has no boundaries and this kind of interaction will reinforce the principal criminal underground communities.
(Security Affairs – Brazilian underground, Russian underground)