Security researchers from Russian cybercrime investigations firm Group-IB have uncovered a cyberfraud operation that uses specialized financial malware to target the customers of several major Australian banks.
Over 150,000 computers, most of them belonging to Australian users, have been infected with this malware since 2012 and were added to a botnet that Group-IB researchers have dubbed “Kangaroo” or “Kangoo,” after a kangaroo logo used on the command-and-control server’s interface, Andrey Komarov, the head of international projects at Group-IB, said Wednesday via email.
The malware is a modified version of Carberp, a financial Trojan program that so far has been used primarily against Internet banking users from Russian-speaking countries. In fact, the same Carberp variant is used as part of a different operation targeting customers of Sberbank in Russia, Komarov said.
Like the majority of financial Trojan programs, Carberp supports the use of “Web injects”—special scripts that tell the malware how to interact with specific online banking websites. These scripts allow attackers to piggyback on a victim’s active online banking session, initiate rogue transfers, hide account balances and display rogue forms and messages that appear to originate from the bank.
The Carberp variant targeting Australian users contains Web injects for the Internet banking websites of Commonwealth Bank, Bank of Queensland, Bendigo Bank, Adelaide Bank and ANZ. The malware is capable of hijacking the destination of money transfers in real time and uses specific transfer limits to avoid raising red flags, Komarov said.
Group-IB believes that the cybercriminals behind this operation are located in former Soviet Union states. However, the group has contacts with money mule services in Australia as well as its own “corporate drops”—bank accounts registered to sham businesses—in the country, Komarov said.
The attackers create thousands of Web pages riddled with terms from the banking industry that later appear in Web search results for specific keywords, a technique known as black hat search engine optimization, Komarov said. Users who visit these pages get redirected to attack sites that host exploits for vulnerabilities in browser plug-ins like Java, Flash Player, Adobe Reader and others, he said.
The number of 150,000 infected computers is not the number of currently active botnet clients, but a historical count of unique infections since 2012 gathered from the botnet’s command and control server, Komarov said. Also, not all affected users actually use online banking, he said. The rate is roughly one in every three victims, he estimated.
Group-IB said that it is working with the targeted banks and has shared the information gathered from the botnet’s command and control server with them, including compromised account credentials and the Internet Protocol addresses of the infected computers.