In a major victory against organised cyber crime, Spanish law enforcement agencies arrested as many as sixteen hackers who used two banking malware variants and email-based phishing attacks to steal money from European financial institutions.
The arrested hackers operated two banking malware variants, Melcoz (also known as Mekotio) and Grandoreiro, to steal money from banking websites. Their modus operandi involved sending phishing emails to selected financial institutions and using the malware to transfer money out of the victims' bank accounts.
The two banking trojan variants were first observed by security firm Kaspersky in May this year. The firm said that these two variants form part of “the Tétrade” of Brazilian banking malware that also includes Bizarro and Javali. Bizarro was the most widely used malware until recently, with hackers using it to target 70 banks from different European and South American countries, including Argentina, Chile, Germany, Spain, Portugal, France, and Italy.
Hackers used Melcoz and Grandoreiro to steal £236,947 from victims
In the emails sent to targeted victims, the hackers posed as legitimate package delivery services or government agencies and asked the recipients to click on malicious links. Once a victim clicked on a link, the malware installed itself on the victim’s computer and, according to The Hacker News, intercepted “transactions on a banking website to unauthorisedly siphon funds to accounts under the attackers’ control. At least 68 email accounts belonging to official bodies were infected to facilitate such fraudulent transfers.”
“Through malicious software, installed on the victim’s computer by the technique known as ‘email spoofing’, [the group] would have managed to divert large amounts of money to their accounts. After that, the money was diversified by sending it to other accounts, or by withdrawing cash at ATMs, transfers by BIZUM, REVOLUT cards, etc., in order to hinder the possible police investigation,” the Spanish Civil Guard said.
The hackers were arrested this month following a year-long investigation, dubbed “Aguas Vivas”. The arrests were made in Ribeira (A Coruña), Madrid, Parla and Móstoles (Madrid), Seseña (Toledo), Villafranca de los Barros (Badajoz), and Aranda de Duero (Burgos).
Following the arrests, authorities seized mobile phones, computers, and documents and, after analysing the group’s spam emails, found that the hackers had successfully stolen £236,947 from financial institutions and were attempting to transfer more than £3 million. Aside from blocking these transfer attempts, the authorities also recovered around £74,000 from the hackers.
Brazilian malware variants ruled the roost in Europe and Latin America
According to Kaspersky, Melcoz is a banking Trojan family developed by the Tétrade group, which has been active since at least 2018 in Brazil. “The malware uses AutoIt or VBS scripts, added into MSI files, which run malicious DLLs using the DLL-Hijack technique, aiming to bypass security solutions. This malware steals passwords from browsers and from the device’s memory, providing remote access to capture internet banking access. It also includes a Bitcoin wallet stealing module,” the firm said.
Talking about Grandoreiro, the firm said that it has been used widely by hackers since 2016 to target victims in Latin America and Western Europe. The malware has also been operated regularly as a Malware-as-a-Service (MaaS) project and, since January last year, has mostly been used to target victims in Brazil, Mexico, Spain, Portugal, and Turkey.
“Cybercriminals are constantly looking for new ways to spread malware that steals credentials for e-payment and online banking systems. Today, we witness a game-changing trend in banking malware distribution – regional actors actively attack users, not only in their region but also around the globe.
“Implementing new techniques, Brazilian malware families started distributing to other continents, and Bizarro, which targets users from Europe, is the clearest example of this. It should serve as a sign for greater emphasis on the analysis of regional criminals and local threat intelligence, as soon enough it could become a problem of global concern,” said Fabio Assolini, a security expert at Kaspersky.