Cybercriminals on opposite sides of the world in Russia and Brazil have overcome time differences and language barriers to work together.
The collaboration is driving a rapid evolution of malicious tools, security researchers at Kaspersky Lab warn.
The Brazilian and Russian cybercrime undergrounds have both created numerous, active and diverse forums. Historically, both geographical markets have developed independently from each other, creating distinct cyber-attack techniques tailored to local conditions (eg, the "Boleto" malware in Brazil, or malware targeting mobile banking services in Russia).
However, an investigation by Kaspersky Lab researchers shows that Brazilian and Russian-speaking criminals have established a system of cooperation in recent years. Brazilian criminals seek out samples on Russian underground forums, buying new crimeware and ATM or point of sale malware, or offering their own services. This trade runs both ways, with the cooperation helping to speed up malware evolution.
Signs of cooperation were spotted on one underground forum frequented by Russian-speaking users. In one discussion thread, a user named Doisti74 demonstrated an interest in buying Brazilian "loads," cybercriminal slang for successful malware installation on compromised PCs located in Brazil.
A user with the same name is a denizen of the Brazilian underground scene. Evidence from these forums suggests Doisti74 is interested in slinging ransomware at Brazilian users.
Another case also identified by Kaspersky Lab shows how criminals share malicious infrastructure. A few months after a Russian banking Trojan family (Crishi) allegedly started using an algorithm that generated domains in abuse-resistant hosting in Ukraine, Brazilian criminals behind the infamous Boleto malware campaigns also started using the same infrastructure.
The tactic would not have been possible without cooperation between the Boleto slingers and those behind the domain-generating algorithm.
Cybercriminals are also borrowing malicious technologies from each other. For instance, starting in 2011 if not before, Brazilian cybercriminals have been actively abusing PACs – an outdated technology, but one that is still supported by some browsers – to redirect victims to fake banking pages. Less than a year later Kaspersky Lab researchers detected the same technique being used in Capper – a banking Trojan targeting Russian banks and most likely created by Russian-speaking cybercriminals.
These are just three examples from a much wider pattern of collaboration, according to Kaspersky Lab researchers. One of the main fruits of the collaboration has been more sophisticated Brazilian malware.
"Just a few years ago, Brazilian banking malware was very basic and easy to detect," said Thiago Marques, security researcher at Kaspersky Lab.
"With time, however, the malware authors have adopted multiple techniques to avoid detection, including code obfuscation, root and bootkit functions and so on, making their malware much more sophisticated and harder to combat.
"This is thanks to malicious technologies developed by Russian-speaking criminals. And this cooperation works both ways."
A blog post that explains the Kaspersky Lab research in greater depth (featuring screenshots from forums and code snippets) can be found here. ®