Estimated Size: 500+ bots (small)
Targeting: UA and RU
Some of the banks being targeted:
URL listing on Cyber Crime Tracker
WHOIS details on the host network:
inetnum: 188.8.131.52 - 184.108.40.206
descr: IT House, Ltd
person: Maxim Dyubarev
address: Kalyazinskaya,7, Saint-Petersburg, Russia, 194017
descr: IT House, Ltd
origin: AS57010
mnt-by: ROSNIIROS-MNT
(no abuse email address)
Some info from VirusTotal
Nmap scan report for 220.127.116.11
Host is up.
All 100 scanned ports on 18.104.22.168 are filtered
Each bot has its own /reports/ subdirectory on the C&C. When the server was online, the bad guys forgot to deny directory listings, which allowed me to browse around to the "reports" folder. This is where bots upload data such as stolen credentials, screenshots, keystroke log files, etc.
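From the defender's side, the per-bot /reports/ directory described above is a pattern you can hunt for in your own web-proxy logs: an internal host that repeatedly POSTs to a /reports/<id>/ path on a server nobody in the organization has a reason to talk to. The script below is an added example written for this post, not code from the original writeup or from the ZeuS panel itself. The log line format, the field layout, the allowlist and every sample line are constructed for the example; the C&C host 203.0.113.10 is a documentation address, not the server from this post.

```python
"""Added example (not from the original post): flag bot-style report
uploads in web-proxy logs. The post describes each bot keeping its own
/reports/<id>/ directory on the C&C and uploading stolen credentials,
screenshots and keystroke logs there. The log format, field names,
allowlist and all sample lines here are constructed assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed proxy log layout: "<ts> <client_ip> <method> <url> <status> <bytes_out>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<bytes>\d+)$"
)
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?]*)?")
# Path shape from the post: a per-bot directory directly under /reports/
REPORT_PATH_RE = re.compile(r"/reports/[^/]+/?$", re.IGNORECASE)

# Constructed sample log (not real traffic). 10.0.0.5 uploads repeatedly to a
# /reports/<botid>/ path on an unknown host; 10.0.0.9 only browses normally.
SAMPLE_PROXY_LOG = """\
2013-05-01T09:00:01 10.0.0.5 POST http://203.0.113.10/panel/reports/a1b2c3/ 200 48213
2013-05-01T09:00:02 10.0.0.9 GET http://intranet.example.com/ 200 1200
2013-05-01T09:05:01 10.0.0.5 POST http://203.0.113.10/panel/reports/a1b2c3/ 200 51110
2013-05-01T09:06:00 10.0.0.9 GET http://www.example.com/reports/2013/summary.pdf 200 90000
2013-05-01T09:10:01 10.0.0.5 POST http://203.0.113.10/panel/reports/a1b2c3/ 200 47002
2013-05-01T09:11:00 10.0.0.5 GET http://www.example.com/ 200 3000
"""

# Hosts that legitimately receive uploads; assumed list for the example.
KNOWN_GOOD_HOSTS = frozenset({"intranet.example.com", "www.example.com"})


@dataclass(frozen=True)
class Finding:
    client: str      # internal client that did the uploading
    host: str        # external host receiving the uploads
    uploads: int     # number of POSTs to a /reports/<id>/ path
    bytes_out: int   # total bytes sent in those POSTs


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    u = URL_RE.match(m["url"])
    if not u:
        return None
    return {
        "client": m["client"],
        "method": m["method"],
        "host": u["host"],
        "path": u["path"] or "/",
        "bytes": int(m["bytes"]),
    }


def find_report_uploads(log_text, min_uploads=2, allowlist=KNOWN_GOOD_HOSTS):
    """Return one Finding per (client, host) pair that POSTed to a
    /reports/<id>/ path at least min_uploads times, skipping allowlisted hosts."""
    counts = defaultdict(lambda: [0, 0])  # (client, host) -> [uploads, bytes]
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["host"] in allowlist:
            continue
        if not REPORT_PATH_RE.search(rec["path"]):
            continue
        key = (rec["client"], rec["host"])
        counts[key][0] += 1
        counts[key][1] += rec["bytes"]
    findings = [
        Finding(client, host, n, b)
        for (client, host), (n, b) in counts.items()
        if n >= min_uploads
    ]
    return sorted(findings, key=lambda f: (f.client, f.host))


if __name__ == "__main__":
    for f in find_report_uploads(SAMPLE_PROXY_LOG):
        print(f"{f.client} -> {f.host}: {f.uploads} report uploads, {f.bytes_out} bytes")
```

The repeat threshold matters more than the path string: a single POST to a /reports/ path is ordinary web traffic, but the same client pushing to the same per-bot directory every few minutes, on a host nobody else in the log talks to, is the behaviour the post is describing, and the same logic carries over to any per-bot path layout once you swap the regex.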
Here are screenshots I found of victims logging into bank accounts:
Usually the web injects and built-in credential-stealing modules are all these crooks need to steal from victims' bank accounts. Banks are starting to use other, multi-step verification/authentication methods, so the bad guys take screenshots to see how the login works; see the shot of the auth window above.
More victim bank accounts
Personal Email Accounts
There were also screenshots of personal email accounts on these domains: yandex.net
As if stealing money directly from victims' bank accounts is not lucrative enough, these assholes were mining for Bitcoin on their bots as well.
In the same directory as the panel on this server, I found a zip archive, amd.zip, which contained a file wuaxctl.exe.
amd.zip > wuaxctl.exe
Russian Newspaper Editor Targeted
I also found some interesting screenshots - not just victims browsing to their online bank sites. This looks like a Russian newspaper or similar. This victim started up Adobe InDesign and then began editing a document.
ZeuS banking trojan screenshot taken of a victim editing newsprint files.
Does anyone recognize this newspaper, or speak Russian and can translate?
It would be nice to let this organization know that they are infected with a banking trojan, and it's probably not on just one machine.