A Trend Micro Research Paper Ice 419 Cybercriminals from Nigeria Use Ice IX and the 419 Scam Loucif Kharouni (Forward-Looking Threat Research Team)

Transcription

1 A Trend Micro Research Paper Ice 419 Cybercriminals from Nigeria Use Ice IX and the 419 Scam Loucif Kharouni (Forward-Looking Threat Research Team)

2 Contents Introduction...3 Ice IX as an Attack Vector...3 C&C Servers...4 Connection to Nigeria...5 Other Forms of Cybercrime...6 Phishing...6 Nigerian Scams...8 Suspects...11 Smith Samson...11 Peter Hollame...12 Peter Nzenwata...14 Organization Map...16 TREND MICRO LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is not intended and should not be construed to constitute legal advice. The information contained herein may not be applicable to all situations and may not reflect the most current situation. Nothing contained herein should be relied on or acted upon without the benefit of legal advice based on the particular facts and circumstances presented and nothing herein should be construed otherwise. Trend Micro reserves the right to modify the contents of this document at any time without prior notice. Translations of any material into other languages are intended solely as a convenience. Translation accuracy is not guaranteed nor implied. If any questions arise related to the accuracy of a translation, please refer to the original language official version of the document. Any discrepancies or differences created in the translation are not binding and have no legal effect for compliance or enforcement purposes. Although Trend Micro uses reasonable efforts to include accurate and up-to-date information herein, Trend Micro makes no warranties or representations of any kind as to its accuracy, currency, or completeness. You agree that access to and use of and reliance on this document and the content thereof is at your own risk. Trend Micro disclaims all warranties of any kind, express or implied. Neither Trend Micro nor any party involved in creating, producing, or delivering this document shall be liable for any consequence, loss, or damage, including direct, indirect, special, consequential, loss of business profits, or special damages, whatsoever arising out of access to, use of, or inability to use, or in connection with the use of this document, or any errors or omissions in the content thereof. Use of this information constitutes acceptance for use in an as is condition. 2

3 Domain Ownership...17 Domains Registered with the Address, gmail. com...17 Domains Registered Under the name, Erica Rubalcaba...17 Domains Registered with the Address, hotmail. com...17 Domains Registered with the Address, yahoo. com...18 Domain Registered with the Address, yahoo. com...18 Attribution...19 Conclusion

4 Introduction Consistent with our prediction for Africa in 2013 and our research paper on developments in the continent s Internet infrastructure, this paper addresses cybercrime in the region, specifically a cybercrime gang that utilizes the banking Trojan, Ice IX. 1 We were able to learn how one of these cybercrime operations works. There did not appear to be a specific targeted country but the targets included India, the United States, and Germany, among others. Our research helped us determine that the cybercriminal gang is located in Nigeria, principally in Lagos, its most populous city. We were also able to identify certain key members of the operation. In this research paper, we also describe our findings on the toolkit the group uses, domain ownership, and other related scams. Ice IX as an Attack Vector Ice IX is one of the most notorious and dangerous crimeware today. While known as the first generation of modified ZeuS variants, Ice IX is a reiteration of the banking Trojan after its code was leaked in underground forums. 2 Ice IX is used to steal victims credentials or personally identifiable information (PII). These PII include user names and passwords for , Facebook, and/or online bank accounts. Similar to ZeuS and SpyEye, Ice IX also uses a webinject file. This webinject file contains several lines of JavaScript and HTML code to mimic or create fake pop-up messages that ask for the users credentials while they access the sites of their online banks. The cybercriminals behind this operation used Ice IX to collect the following information for later use: addresses: Cybercriminals use victims addresses to send out legitimatelooking spam and to have more convincing reply-to addresses. Bank account and credit card numbers: Cybercriminals can abuse these to pay off their own bills. They can also be sold underground. Webmail account credentials: Cybercriminals can use victims webmail accounts to send out spam with malicious attachments to further spread Ice IX or ZeuS variants. 1 Trend Micro Incorporated. (2013). Security Threats to Business, the Digital Lifestyle, and the Cloud: Trend Micro Predictions for 2013 and Beyond. Last accessed October 31, 2013, spotlight-articles/sp-trend-micro-predictions-for-2013-and-beyond.pdf; Loucif Kharouni. (2013). Africa: A New Safe Harbor for Cybercriminals? Last accessed October 31, 2013, 2 Jasper Manuel. (September 2, 2011). TrendLabs Security Intelligence Blog. ZeuS Gets Another Update. Last accessed October 31, 2013, 4

5 C&C Servers We located some of the cybercriminals command-and-control (C&C) servers using various techniques. We gathered all domains registered using the same address, which has been known to belong to one of the cybercriminals. Another technique used was to look for more C&C servers after gaining access to the gang s C&C control panel. We were also able to gather data on servers they either hijacked or owned based on the folder pattern, Whois records, and open source research. The following table shows some of the C&C servers we found. C&C Servers Hijacked http :// {BLOCKED}ver. be / web / adm / index. php Owned http :// {BLOCKED}. co. za / web1 / web / adm / index. php http :// {BLOCKED}malo. com / includes / colabo / web / adm / gate. php http :// {BLOCKED}. co. za / web / adm / index. php http :// {BLOCKED}king. com / web / adm / gate. php Here are screenshots of the C&C communications that show the number of infected machines. Note that each C&C server only had a few bots. Figure 1: Infection count per C&C server 5

6 Connection to Nigeria The infected machines in Nigeria were used to connect to Ice IX C&C servers. Based on the data gathered from the C&C logs, we discovered that the cybercriminals used the infected machines as SOCKS proxies to connect to different sites as well as other Ice IX control panels. Figure 2: Evidence that the cybercriminals used an infected machine as proxy to connect to a C&C server Figure 3: More machines in Nigeria used as proxies 6

7 It is still unclear why some cybercriminals used infected machines in Nigeria to carry out malicious activities. But we are absolutely certain that they operated from Nigeria based on various evidence gathered using techniques such as reviewing chat logs containing communications between different parties and tracking 4G connection subscriptions, which gave the IP address of the device they used. A possible explanation for this is that the cybercriminals may think using an infected machine is enough to cover their tracks, even though it is located in the same country. Other Forms of Cybercrime Figure 4: 4G connection session Apart from using the Ice IX banking Trojan, some members of the gang appeared to be involved with various phishing and Nigerian or 419 scams. Phishing pages helped them gather various victims PII. Phishing The cybercriminals appeared to use at least three different phishing page types. One type impersonated Scottrade. com, the site of a privately owned American discount retail brokerage firm that offers both online and branch office services. 7

8 Figure 5: Fake Scottrade site Another phishing sample impersonated the popular Korean search engine site, Daum. net. A famous online dating site, Match. com, was also phished. Figure 6: Fake Daum. net log-in page 8

9 Figure 7: Fake Match. com log-in page Nigerian Scams The cybercriminals also engaged in Nigerian or 419 scams, so named after the 419 Nigerian penal law that outlawed this particular type of fraud. 3 This type of scam requires making an upfront payment in exchange for a reward for helping officials of Nigerian government ministries or the family members of political leaders. Take a look at the following template of the sent to several people, which caused them to reply with personal information such as their bank account details and copies of their IDs. 3 United States Diplomatic Mission to Nigeria. Nigerian Advance Fee Fraud (419) Resources. Last accessed October 31, 2013, 9

10 Sir/Madam, I hope this proposal meets you in a good state of health. I need your help to transfer and invest S$15,000, that accumulated as undeclared profit made by this branch HFC Bank Ghana Limited under my management. All that is required to get the funds transferred out of here is to put your name on the Non-investment account holding the funds. This practically makes you a Non-Resident customer of HFC Bank. I will then guide you on how to apply for Closure of the Account and credit transfer of the funds to your designated bank account. You will get 40% of the funds for your role. If you get back to me with your physical,contact address, your photo id and direct telephone number, we will consummate the funds transter within one week. My Private is ee.empah3@aim.com Sincerely, Ampah Edward This template is sent out using a spamming tool known as a PHP mailer. The cybercriminals hold several lists of addresses for various countries. We have seen at least two of these lists with around 553,000 addresses from Canada and 490,000 from the United States. Figure 8: PHP mailer screenshot 10

11 Some of the addresses used in spamming include but are not limited to: aim. com aol. com live. com live. com The cybercriminals also include an accompanying ID to make the look more legitimate to potential victims. Figure 9: ID of supposed bank manager Once the cybercriminals lure a victim in, they redirect him or her to an agent from the supposed bank to handle the money transfer. The cybercriminals even created a domain (hfconline - gh. com) that closely mimicked that of the Ghana Bank (hfcbank. com. gh). The fake domain is, however, only used for ing purposes or for requesting victims to fill up a form and to send scanned copies of their IDs. We noticed that the cybercriminals have been employing the same scam using different topics. One topic dealt with claiming a cash deposit belonging to a late family member. Another topic used the Gaddafi fortune as hook, specifically the line, I am in control of US$15,000, deposited in my bank by the Libya, Gaddafi Family. The cybercriminals also took advantage of users via a supposed money transfer proposal from the Ghana Bank. 11

12 Suspects What is the connection between using a banking Trojan like Ice IX and 419 scams? The activities described earlier such as operating and spreading Ice IX Trojans and installing PHP mailer are not operated by just one person but by a group of individuals who work together. The attribution section will describe each individual s task and his or her involvement with the cybercriminal gang. The cybercriminals involved comprise a very large group mainly located in Lagos. Based on the information gathered, three key people have been identified. Smith Samson One of the cybercriminals who goes by the name, Smith Samson, possibly really Ofeoritse Abalagbeyi (Ofe), uses the following addresses: yahoo. com yahoo. com (linked to the Facebook account, https :// www. facebook. com / {BLOCKED}se. {BLOCKED}beyi) hotmail. com (linked to the Facebook account, https :// www. facebook. com / {BLOCKED}th. {BLOCKED}. 75) Figure 10: Facebook profile picture of Ofeoritse Abalagbeyi, also known as Smith Samson 12

13 Ofe takes care of hosting, creating domains for, and configuring Ice IX and ZeuS C&C servers for the gang. He sends information to someone called Peter Hollame, one of his Facebook contacts who uses the address, {BLOCKED}2 _ yahoo. com. Peter Hollame Searching for the address, {BLOCKED}2 _ yahoo. com, led to a certain profile on a Nigerian forum called nairaland. com. This gave some information about the user s location and gender. Figure 11: User profile found on nairaland. com Figure 12: Invisible. ir shows that {BLOCKED}2 _ yahoo. com signed in from Lagos, Nigeria 13

14 We also discovered some information on invisible. ir, a site that displays the Yahoo! Messenger status of any Yahoo! account holder. The site also shows where the user signs in from, which confirmed where the cybercriminal identified as Peter Hollame resides. Figure 13: {BLOCKED}2 _ u2 user pictures The user pictures above from invisible. ir show us the avatars Hollame used over time. We found a similar picture to the one on his Facebook profile. 14

15 Figure 14: Peter Hollame from Facebook account, https :// www. facebook. com / peter. hollame Hollame, just like Ofe, also uploads ZeuS and Ice IX malware to the gang s C&C servers (both hijacked and owned) and installs the control panel using the ZeuS toolkit provided by Ofe. In return, Hollame provides Ofe some mailer tools and credit card numbers. Hollame acts as middle man and communicates and works with another individual, Uzochukwu Nzenwata, also known as Peter Nzenwata. Peter Nzenwata Based on our investigation, Hollame appears to also provide mailer tools to a certain Peter Nzenwata so he can send out Nigerian scam s. Hollame also sends credit card information to Nzenwata to pay for the latter s phone and 4G connection bills. We also learned that Nzenwata moved to Ghana in 2008 but is currently back in Nigeria and is using 4G 1Mbps wireless access. It appears that Nzenwata heavily relies on his peers, as he has no control over the C&C servers, the mailer tools, and the list for spamming purposes. Below are the addresses Nzenwata appears to use: yahoo. com yahoo. com (linked to the Facebook account, https :// www. facebook. com / {BLOCKED}kwuInnocent) 15

16 Figure 15: Uzochukwu Nzenwata, also known as Peter Nzenwata Figure 16: Main people involved in the scams 16

17 Organization Map 17

18 Domain Ownership The Ice IX domains are all registered under the top-level domain (TLD), co. za, which is located in South Africa. Note that most of the domains listed below refer to C&C servers. Domains Registered with the Address, {BLOCKED} gmail. com {BLOCKED}dand. co. za {BLOCKED}ntfighting. co. za {BLOCKED}ls. co. za {BLOCKED}k. co. za {BLOCKED}regh. co. za Domains Registered Under the name, Erica Rubalcaba {BLOCKED}dew. net {BLOCKED}odand. co. za {BLOCKED}antfighting. co. za {BLOCKED}antfighting. net {BLOCKED}opls. co. za {BLOCKED}lock. co. za {BLOCKED}regh. co. za Domains Registered with the Address, {BLOCKED} hotmail. com {BLOCKED} - sa. com {BLOCKED}cng. net {BLOCKED}online. org {BLOCKED}w1. co. za 18

19 Domains Registered with the Address, {BLOCKED} yahoo. com {BLOCKED}aycbnk. net {BLOCKED}ghana. biz {BLOCKED}markcop. org {BLOCKED}stenderboard. com {BLOCKED}ample. com {BLOCKED}lsecuritycompany. org {BLOCKED}lx. co {BLOCKED}ls. info {BLOCKED}nesp. net {BLOCKED}inesp12. com {BLOCKED}perweels. com {BLOCKED}qw. com {BLOCKED}d - nation. net {BLOCKED}dnation. me {BLOCKED}ation. mobi Domain Registered with the Address, {BLOCKED} yahoo. com {BLOCKED}liacredithouse. net 19

20 Attribution We discovered the following list of URLs related to how the cybercriminals operate and manage their C&C servers. http :// {BLOCKED}er. be / web / adm / index. php http :// {BLOCKED}lo. com / includes / colabo / web / adm / gate. php http :// www. {BLOCKED}peruanskef. se / images / adm / index. php http :// {BLOCKED}ra. com / adm / gate. php http :// {BLOCKED}b. com / img / adm / gate. php http :// {BLOCKED}lo. com / includes / colabo / web / adm / gate. php http :// {BLOCKED} entialsservices. com / forms / adm / gate. php http :// {BLOCKED}under. biz / html / adm / gate. php http :// {BLOCKED}012mne. com / plugins / adm / gate. php http :// www. {BLOCKED}free. info / jss / adm / gate. php http :// {BLOCKED}essionalsolutions. com / contactus / adm / gate. php http :// www. {BLOCKED}seoul. tk / java / adm / gate. php http :// {BLOCKED}wi. it / language / adm / gate. php http :// {BLOCKED}ofttraining. tk / olive / adm / gate. php http :// {BLOCKED}. {BLOCKED} / ~inshowro / web / adm / gate. php http :// {BLOCKED}ls. co. za / 1 / gate. php http :// {BLOCKED}regh. co. za / web / config / index. php http :// {BLOCKED}odand. co. za / web / adm / index. php http :// {BLOCKED}ntfighting. co. za / web / adm / index. php http :// {BLOCKED}tfighting. net / web / adm / gate. php http :// {BLOCKED}ok. co. za / web1 / adm / index. php 20

21 http ://{BLOCKED}ok. co. za / web2 / adm / index. php http ://{BLOCKED}1. co. za / web1 / web / adm / index. php http ://{BLOCKED}1. co. za / web / adm / index. php http ://{BLOCKED}ing. com / web / adm / gate. php http :// tk / forum / adm / index. php http ://{BLOCKED}agu. tk / web / adm / index. php http ://{BLOCKED}1ok. co. za / serv / cp. php {BLOCKED}dand. co. za {BLOCKED}tfighting. co. za {BLOCKED}pls. co. za {BLOCKED}ck. co. za {BLOCKED}regh. co. za {BLOCKED}sdew. net {BLOCKED}dand. co. za {BLOCKED}antfighting. co. za {BLOCKED}ntfighting. net {BLOCKED}pls. co. za {BLOCKED}ck. co. za {BLOCKED}egh. co. za {BLOCKED}sa. com {BLOCKED}ng. net {BLOCKED}line. org {BLOCKED}1. co. za {BLOCKED}ycbnk. net 21

22 {BLOCKED}hana. biz {BLOCKED}arkcop. org {BLOCKED}tenderboard. com {BLOCKED}le. com {BLOCKED}alsecuritycompany. org {BLOCKED}lx. co {BLOCKED}ls. info {BLOCKED}sp. net {BLOCKED}sp12. com {BLOCKED}rweels. com {BLOCKED}w. com {BLOCKED}- nation. net {BLOCKED}nation. me {BLOCKED}nation. mobi {BLOCKED}liacredithouse. net Below is a list of the malware samples that appear to connect to the related C&C infrastructure. Malware Samples That Access the C&C Infrastructure Detection Name MD5 Hash TSPY_ZBOT.NEK d144c261790a8b2bb10f465deb97d7a c550ebc3977fc816f417d9d8eed 318f ec5a34a TSPY_ZBOT.UZS 78e07300b8355f5b046c5159fbce4d88 TSPY_ZBOT.SML9 8957b362028d8ddc378aecaaa97a0475 0ab85fa27224a9be29d3ab4b3f14797a 22

23 Conclusion Dealing with Africa as a new cybercrime harbor is a struggle that threat researchers now face. The three main members mentioned in this research paper are still at large and are continuing their operations. They are part of a larger group as shown by the organization map, which only represents a small portion of the whole underground community in Africa involved in this type of business. Several smaller 419 groups also engaged in this lucrative business. These individuals appear to be unconcerned with regard to covering their tracks because they think it would be hard for authorities to arrest them. It is interesting to see that these cybercriminals share tasks and specialize in specific areas such as hosting and creating domains and running the botnet. The other tasks concentrated on looking for addresses, working on the PHP mailers, and launching spam campaigns. Infiltrating different C&C servers and being able to search through their logs helped us identify some of the cybercriminals. We were also able to find other C&C servers that the bad guys used. These perpetrators appear to act swiftly as soon as their C&C servers get shut down they are always looking for vulnerable servers to install Ice IX Trojans on while creating new domains for the same reasons. They are well-organized and know their respective tasks. We noted that the perpetrators looked for the following: Vulnerable domains/servers to hijack and install banking Trojans on Vulnerable domains/servers to hijack and install PHP mailers on Fresh lists of addresses to spam There is no limit on how cybercriminals work with their peers. They appear to willingly share what they have and, in return, receive the information they need such as a list of addresses they call leads and an available and working PHP mailer. The number of cybercriminal activities targeting or originating from Africa will continue to rise. For instance, the Nigerian scam is still an attractive business, especially for jobless youth. In addition, Ice IX has been a welcome addition to cybercriminal operations for its reliability and stability. 23

24 Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe. For more information, visit by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners N. De Anza Blvd. Cupertino, CA U.S. toll free: Phone: Fax: