Trend Micro : Partners With Interpol and Nigeria’s EFCC for Operation Killer Bee, Takes Down Nigerian BEC Actors

After months of investigation, we have been in a position to establish the malicious actors behind the campaigns and current it to Interpol and Nigeria’s Economic and Financial Crime Commission (EFCC). Furthermore, we have been in a position to elaborate on the influence of the malware by way of infections and financial loss. Finally, we additionally make clear the malicious actors’ modus operandi. These malicious actors, who have been from Nigeria, are infamous for utilizing malware akin to LokiBot and Agent Tesla.

The EFCC offered this data in a recently concluded conference held in Phuket, Thailand to assist strengthen regional and worldwide partnerships. Trend Micro is drastically honored to be a part of this convention and we’re delighted to share the present and future cyber menace traits (as mentioned in our annual safety spherical up, “Navigating New Frontiers“)

Interpol, who dubbed this operation Operation Killer Bee, highlighted the arrest of the three malicious actors accountable for deploying Agent Tesla and facilitating enterprise e mail compromise (BEC) scams utilizing stolen data. The EFCC was in a position to retrieve photos from the malicious actors whereas Trend Micro helped with forensics evaluation.

Along with the May 2022 arrest of Nigerian malicious actors by Interpol and previous arrests from Palo Alto and Group-IB with the assist from Trend Micro, the arrest of those malicious actors present the excessive numbers of menace actor teams working in Nigeria which are concerned in malicious actions akin to malware deployment and BEC.

Further particulars on the malicious actors

The first malicious actor was primarily concerned in BEC operations. We found from his drop zone that he retrieved some bill paperwork which he then used for BEC operations that price some goal firms in Mexico, Spain, United States, and Germany roughly US$60 million. A petroleum fuel firm in Spain and monetary firm in Mexico have been additionally focused for huge quantities of cash utilizing stolen bill paperwork obtained by way of data stealers.

The second technically proficient malicious actor was accountable for organising phishing operations, deploying data stealing malware, and operating spam and BEC campaigns, with over 70 phishing URLs . From April 2019 to August 2020, Trend Micro detected 144,000 malicious URLs containing the phrase “excelz,” indicating the listing identify of the phishing package used within the assaults. The majority of those detections have been in China, with the United States, Germany, and Japan additionally among the many different nations that had malicious URL detections.

There have been 1838 distinctive domains internet hosting the excel-themed phishing operation. It is feasible this malicious actor rented the phishing package. This malicious actor helped the primary particular person we mentioned to configure and arrange phishing hyperlinks that had their aliases seen from the listing. Typically, their operations concerned compromising a official web site’s net shell (Xleet) to host the phishing pages. After compromising the web site, they may entry the management panel utilizing a non-standard port for organising. There have been additionally non-English phishing scams in languages akin to Chinese and Korean. The focused manufacturers have been DHL Express, WebMail Upgrade and SF Express (China).

Aside from phishing, our second malicious actor additionally deployed information-stealing malware. Analysis exhibits that he used Skype and ICQ to speak with different malicious actors, and Turbo-Mailer to ship spam messages containing malware attachments. He additionally created e mail providers utilizing Gmail to function a drop zone for stolen credentials; certainly one of his emails was logged for testing by way of his Nigerian IP tackle.

Analysis reveals that the malicious actors focused firms utilizing identifiers akin to nation code and the phrase “LTD. PLC,” together with different key phrases akin to “prescription drugs,” “suppliers,” and “producers” in China and different nations. Around 2.3 million e mail addresses have been focused of their spam campaigns whereas over 200 SMTP credentials and emails have been stolen or hijacked. They additionally rented fifteen digital non-public servers (VPS) with SMTP for these campaigns. Some IP servers have been linked to phishing, extortion spam schemes, and instruments akin to Remcos RAT. Through the connections of the drop zone to the previously-mentioned Agent tesla pattern, we have been in a position to hyperlink the next Agent Tesla samples:

• 58b3460db527dcface80872b12eebc8385b94e70f4703e3ea05781b7979f814a
• 5fc8a7b09c8cd50542203b5292a0e3650c38e4fc5b5ad4ffef63ecfeb9783b6c

The third malicious actor pleaded responsible to a four-count cost that included possession of fraudulent paperwork, acquiring cash by false pretense, retention of proceeds of crime, and impersonation. He is linked to fifteen e mail addresses , a few of which have been utilized in BEC assaults geared toward firms in nations akin to Germany, Japan, and South Korea (with the malicious actor spoofing the identify of firms utilizing Gmail). Fraudulent paperwork requesting cash – tallied and estimated to be round US$100,000 – have been additionally utilized in these BEC makes an attempt. Further investigation revealed that the person is linked to a cryptocurrency pockets with an quantity equal to US$133 million

Modus operandi

Using the Agent Tesla pattern, we noticed that the malicious actors have been working since 2018, initially conducting phishing assaults and deploying information-stealing malware akin to LokiBot and Fareit.

The modus operandi proven beneath in Figure 4 is the standard operation course of circulate utilized by the Nigerian malicious actors.

It begins with the malicious actors scraping the web for public websites containing e mail addresses, which can be saved in a textual content file. They additionally use instruments akin to Lite Email Extractor to scrape e mail addresses. To broaden their vary of targets the malicious actors additionally search for particular key phrases in Google, akin to “LTD PLC” and “manufacturing suppliers.”

After acquiring their listing of targets, they might share this data with different malicious actors by way of Skype and ICQ. Their subsequent step could be both to buy a VPS server with SMTP, or in some circumstances, hijack a mail server contaminated with an information-stealing malware. For the VPS server, they may set up Gammadyne or Turbo-Mailer to assist them compose the phishing e mail or spam e mail with a malicious attachment and then embed the listing of e mail addresses. Before doing so, they might additionally buy domains and set it up for phishing actions, (typically mimicking an official firm web site). They could acquire information-stealing malware from the cybercriminal underground – sometimes by way of Skype – and request for crypter providers and assist to configure the C&C server and arrange C&C server internet hosting. When these are prepared, the malicious actors will run Gammadyne or Turbo-Mailer and go away it operating.

To reduce the possibility of leaving traces, the malicious actors entry the clear VPS servers – that are leased from bulletproof internet hosting (BPH) providers akin to Almahosting – by way of distant desktop protocol (RDP). The malicious actors will then wait for data from the contaminated machines that can be despatched over to the drop zone or C&C server – for instance, Agent Tesla can log the e-mail server credentials, net browser exercise, the IP tackle of the sufferer, and, in some circumstances, screenshots of the desktop and keystroke recordings. At this stage, they may consolidate the logs of stolen data or share it with different malicious actors to allow them to proceed to carry out BEC. They attempt to discover weak factors within the group and carry out actions akin to hijacking the email conversation, tampering with the invoices of their checking account, and comply with up with the companions and suppliers of the goal firms. They also can log into their sufferer’s checking account utilizing their credentials and carry out wire switch fraud whereas monitoring their victims, biding for the correct time to carry out social engineering strategies, with the eventual objective of getting cash transferred to the malicious actors’ accounts.

A profitable partnership between legislation enforcement and the non-public sector

Activities and operations that contain the cooperation of legislation enforcement and the non-public sector, akin to Operation Killer Bee, permit safety organizations and trade consultants to supply their expertise, assets, and years of expertise to legislation enforcement organizations akin to Interpol to reinforce their strengths in investigating and apprehending malicious actors and cybercrime teams. This partnership has led to many successful cybercriminal takedowns over the past few years.

To this finish, we’re honored tocollaborate with Interpol, and we hope to proceed working with them to strengthen cybersecurity and maintain the digital world protected.