Downloading a pirated program from torrents led to infection of more than 250 thousand computers

Carding 4 Carders


Geography of malware distribution

The Positive Technologies Cyber Incident Team (PT CSIRT) discovered previously unknown malware during an investigation of "abnormal network activity". The first victim's computer was not affected by phishing or hacking; the user simply installed a program downloaded via torrent.

According to PT CSIRT, the malware "behaved" quite noisily: it collected information about the victim's computer, installed RMS (a remote administration program) and the XMRig miner, and archived the contents of the user's Telegram folder. The collected information was then sent to a Telegram bot, which acted as the command-and-control server.
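As an added illustration (not part of the original article or of PT CSIRT's tooling), the following Python sketch shows how a defender could triage endpoint telemetry for the chain described above: a process archiving the Telegram Desktop tdata folder, a Bot API call to api.telegram.org from a non-messenger process, and an XMRig launch. The log format, host names, process names and bot token are constructed sample data, not indicators from the investigation.

```python
import re
from collections import defaultdict

# Constructed sample endpoint telemetry (not real logs): host | process | event | detail
SAMPLE_EVENTS = [
    "ws-17 | setup_pro.exe | proc_create | C:\\Users\\u\\AppData\\Roaming\\xmrig.exe",
    "ws-17 | stage2.exe | file_archive | C:\\Users\\u\\AppData\\Roaming\\Telegram Desktop\\tdata -> tdata.zip",
    "ws-17 | stage2.exe | net_connect | POST https://api.telegram.org/bot123456:EXAMPLE_TOKEN/sendDocument",
    "ws-22 | chrome.exe | net_connect | GET https://web.telegram.org/",
    "ws-22 | winrar.exe | file_archive | C:\\Users\\u\\Documents\\report -> report.zip",
]

# Telegram Bot API calls carry the bot token in the URL path: /bot<id>:<secret>/<method>
BOT_API_RE = re.compile(r"https?://api\.telegram\.org/bot\d+:[\w-]+/(\w+)", re.I)
# Telegram Desktop keeps session data under ".../Telegram Desktop/tdata"
TDATA_RE = re.compile(r"[\\/]Telegram Desktop[\\/]tdata\b", re.I)
MINER_RE = re.compile(r"\bxmrig\b", re.I)
# Processes expected to talk to Telegram; Bot API traffic from anything else is suspicious
MESSENGER_PROCS = {"telegram.exe"}

def classify(event):
    """Return (host, tag) for one telemetry line; tag is None when nothing matches."""
    host, proc, kind, detail = (p.strip() for p in event.split("|", 3))
    if kind == "net_connect" and BOT_API_RE.search(detail) and proc.lower() not in MESSENGER_PROCS:
        return host, "telegram_bot_api"
    if kind == "file_archive" and TDATA_RE.search(detail.split("->")[0]):
        return host, "tdata_archive"
    if kind == "proc_create" and MINER_RE.search(detail):
        return host, "xmrig_miner"
    return host, None

def triage(events):
    """Group tags per host and flag hosts showing tdata archiving plus Bot API exfiltration."""
    tags = defaultdict(set)
    for e in events:
        host, tag = classify(e)
        if tag:
            tags[host].add(tag)
    # The archive-then-upload pair is the stealer pattern; the miner is corroborating evidence
    return {h: {"tags": t, "likely_stealer": {"telegram_bot_api", "tdata_archive"} <= t}
            for h, t in tags.items()}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, sorted(verdict["tags"]), "LIKELY STEALER" if verdict["likely_stealer"] else "")
```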

In the course of studying the malware, which was named autoit stealer, PT CSIRT experts managed to identify a large number of victims and determine the likely author of the program. In total, experts found more than 250,000 infected devices in 164 countries, including Russia, Ukraine, India, Brazil, Poland and others.

"Most of the victims are unincorporated users who download pirated software from websites to their home computers. However, among the victims we found state structures, educational institutions, oil and gas companies, medical institutions, construction and mining companies, retail, IT, etc. All identified companies received a corresponding notification," Positive Technologies said in a post.

The malware gets onto the user's computer via a torrent client. Once the torrent has downloaded, the infected installer of the program the user wanted lands on the victim's computer together with a malicious component made up of many separate programs. These are mostly compiled AutoIt scripts, additionally protected with the Themida packer. The implementation of the malware does not look complicated; it is built to some extent "by the book" and uses simple tactics to carry out the attack, experts explain.

Positive Technologies suggests that the likely goal of the attack is the resale of access, both network access and access to Telegram accounts. On underground forums you can find many posts about buying up tdata.

It is worth noting that by analyzing the malware component responsible for transmitting the collected information from the infected machine, the experts obtained the token_id of the bot to which all the information was sent. After retrieving all the messages from this bot, they were able to find the first user who had started it. Further searching and analysis of this user's posts and related accounts on social networks and specialized forums also allowed them to find his account on X.

Experts called the detected malware simple, yet studying just one attack that used it uncovered more than 250 thousand victims. Positive Technologies assumes that there are significantly more victims, and predicts an increase in attacks using infected pirated software.

"The use of pirated software carries the risk of malware infection. A regular antivirus program can help protect against infection, but it is not a panacea: you need to be more conscious about choosing the source of software. The ideal option, of course, would be to purchase licensed programs, but in modern realities this is not always possible," the company concludes.