We have been investigating the use of mules in bank fraud since the 21st century began, and more specifically the operation of banking malware known as ATS. The abbreviation stands for Automated Transfer System, and its purpose is to act as an automated interface connecting banking Trojans to the mules recruited by the “mule herder”.
Although this attack has been very popular in recent years, it is by no means new: we have internal records of its use since at least 2011. The fraud process generally consists of the following steps:
1. The user is infected by malware. This normally happens through a social-engineering attack delivered by email, or through a drive-by visit to a compromised web page hosting an exploit kit.
2. The infected user logs in to the legitimate website of their usual bank and is deceived by social engineering.
3. The deceived user makes the transfer. The malware then connects to the ATS panel, which, based on the user's data, selects a mule from those it has recruited to complete the transaction.
4. Once the transfer has gone through, the malware behaves as the cybercriminal has configured it: it may delete itself, wipe the operating system, or carry on as if nothing had happened, falsifying the account data shown to the user.
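As an added defender-side illustration, not code from the original post: one server-side heuristic that surfaces the accounts an ATS routes victims' transfers to, run here over a constructed transfer log with hypothetical account identifiers and made-up thresholds (24-hour window, three new payers, 1 000 EUR).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a bank's server-side transfer log (not real data):
# (timestamp, payer account, beneficiary account, amount in EUR).
SAMPLE_TRANSFERS = [
    ("2024-02-01 09:30", "ES11-PAYER-A", "ES22-LANDLORD", 750.0),   # recurring rent
    ("2024-03-01 09:05", "ES11-PAYER-A", "ES99-MULE-1", 1900.0),
    ("2024-03-01 09:30", "ES11-PAYER-A", "ES22-LANDLORD", 750.0),   # rent again: known pair
    ("2024-03-01 09:40", "ES11-PAYER-B", "ES99-MULE-1", 2100.0),
    ("2024-03-01 10:15", "ES11-PAYER-C", "ES99-MULE-1", 1850.0),
    ("2024-03-01 11:02", "ES11-PAYER-D", "ES99-MULE-1", 2000.0),
    ("2024-03-01 12:00", "ES11-PAYER-E", "ES33-SHOP", 45.0),        # small first-time purchase
]


def flag_mule_candidates(transfers, window_hours=24, min_new_payers=3, min_amount=1000.0):
    """Return {beneficiary: set(payers)} for accounts that receive high-value,
    first-ever transfers from several unrelated payers inside a short window.
    That fan-in from strangers is the footprint an ATS leaves when it sends
    many victims' transfers to one freshly recruited mule (hypothetical heuristic)."""
    rows = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M"), payer, bene, amount)
        for ts, payer, bene, amount in transfers
    )
    seen_pairs = set()                 # (payer, beneficiary) pairs already observed
    first_time = defaultdict(list)     # beneficiary -> [(time, payer)] for new, high-value payments
    for ts, payer, bene, amount in rows:
        if (payer, bene) in seen_pairs:
            continue                   # established relationship: not suspicious on its own
        seen_pairs.add((payer, bene))
        if amount >= min_amount:
            first_time[bene].append((ts, payer))

    window = timedelta(hours=window_hours)
    flagged = {}
    for bene, events in first_time.items():   # events are already time-ordered
        for i, (start, _) in enumerate(events):
            payers = {p for ts, p in events[i:] if ts - start <= window}
            if len(payers) >= min_new_payers:
                flagged[bene] = payers
                break
    return flagged


if __name__ == "__main__":
    for bene, payers in flag_mule_candidates(SAMPLE_TRANSFERS).items():
        print(f"possible mule account {bene}: {len(payers)} new payers -> {sorted(payers)}")
```

The recurring rent and the small shop purchase are ignored, while the one beneficiary collecting first-time, high-value transfers from four different customers within two hours is flagged for review.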
An example of this can be seen below in the locations of the mules used by Tinba botnets.
Today we can be pleased with the work we have done; tomorrow we will have to detect the 700 mule accounts that are no doubt already being prepared.