Yesterday we saw how Europol published a press release announcing the detention of approximately 700 muleteers (money mules) across Europe last February.

These are key operations: they strike directly at the monetization of fraud, and they require the participation of international banks, police forces, security agencies and companies in order to take place.
We have been investigating the use of mules in bank fraud since the 21st century began, and more specifically the operation of banking malware known as ATS. This abbreviation stands for Automated Transfer System, and its purpose is to act as an automated interface connecting banking Trojans to the muleteers captured by the “mule herder”.

(Figure: inside an ATS panel, showing the connections coming from the botnet.)

Although this has been a very popular attack in recent years, it is in no way new as we have internal records of its use since at least 2011. The fraud process generally consists of the following steps:
1. The user is infected with malware. This normally happens through a social engineering attack delivered by e-mail, or by unknowingly browsing a compromised web page that hosts an exploit kit.
2. The infected user visits the legitimate website of their own bank and is deceived by social engineering.
3. The deceived user makes the transfer. The malware then connects to the ATS panel, which, based on the victim's data, selects one of the muleteers it has captured to receive the transaction.
4. After the transfer is made, the malware can behave in different ways, as decided by the cybercriminal: delete itself, wipe the operating system, or carry on as if nothing had happened, falsifying the data visible to the user.
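From the defender's side, the pattern in step 3 (several infected customers' transfers routed to the same captured mule account) is something a bank's transaction monitoring can look for. The following is an added example and not the authors' code or any bank's system: it flags beneficiary accounts that appear on a shared mule list (such as accounts recovered from ATS panels during botnet analysis) or that receive transfers from several distinct customers within a short window. The Transfer class, the account identifiers, the sample transfers and the 3-day / 3-payer thresholds are all constructed for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Transfer:
    """One outgoing transfer as a bank's monitoring system would see it (constructed schema)."""
    ts: int            # epoch seconds
    payer: str         # customer account, i.e. the potentially infected user
    beneficiary: str   # destination account identifier
    amount: float


def find_mule_candidates(transfers: Iterable[Transfer],
                         known_mules: Set[str],
                         window_s: int = 3 * 24 * 3600,
                         min_distinct_payers: int = 3) -> Dict[str, List[str]]:
    """Return {beneficiary: [reasons]} for accounts that look like mule accounts.

    Two signals are combined:
      * the beneficiary is already on a shared mule list (for example accounts
        recovered from an ATS panel while analysing a botnet);
      * fan-in: at least `min_distinct_payers` different customers paid the same
        beneficiary within `window_s` seconds, which is the shape an ATS produces
        when it routes several victims' transfers to one mule.
    """
    by_beneficiary: Dict[str, List[Transfer]] = defaultdict(list)
    for t in transfers:
        by_beneficiary[t.beneficiary].append(t)

    flagged: Dict[str, List[str]] = {}
    for beneficiary, items in by_beneficiary.items():
        reasons: List[str] = []
        if beneficiary in known_mules:
            reasons.append("known mule account")
        items.sort(key=lambda t: t.ts)
        left = 0
        for right, cur in enumerate(items):
            # Shrink the window from the left so it spans at most window_s seconds.
            while cur.ts - items[left].ts > window_s:
                left += 1
            payers = {t.payer for t in items[left:right + 1]}
            if len(payers) >= min_distinct_payers:
                reasons.append(f"fan-in: {len(payers)} payers within {window_s} s")
                break
        if reasons:
            flagged[beneficiary] = reasons
    return flagged


# Constructed sample data: one known mule, one fan-in account, one recurring
# legitimate payment and one account whose payers are too spread out in time.
DAY = 24 * 3600
KNOWN_MULES = {"ES00-MULE-KNOWN"}  # placeholder identifier, not a real account
SAMPLE_TRANSFERS = [
    Transfer(0,              "cust-A", "ES00-MULE-KNOWN", 1200.0),
    Transfer(1 * DAY,        "cust-B", "ES00-FANIN",       900.0),
    Transfer(1 * DAY + 3600, "cust-C", "ES00-FANIN",      1500.0),
    Transfer(2 * DAY,        "cust-D", "ES00-FANIN",      2000.0),
    Transfer(0,              "cust-E", "ES00-RENT",        700.0),
    Transfer(30 * DAY,       "cust-E", "ES00-RENT",        700.0),
    Transfer(60 * DAY,       "cust-E", "ES00-RENT",        700.0),
    Transfer(0,              "cust-F", "ES00-SLOW",        300.0),
    Transfer(20 * DAY,       "cust-G", "ES00-SLOW",        300.0),
    Transfer(40 * DAY,       "cust-H", "ES00-SLOW",        300.0),
]


def demo() -> Dict[str, List[str]]:
    """Run the detector over the constructed sample."""
    return find_mule_candidates(SAMPLE_TRANSFERS, KNOWN_MULES)


if __name__ == "__main__":
    for account, why in demo().items():
        print(account, "->", "; ".join(why))
```

The fan-in check is deliberately conservative (distinct payers within a bounded window) so that a landlord or utility account receiving the same customer's rent every month is not flagged; a real deployment would tune the window and threshold to the bank's own transfer volumes and combine this with the other steps of the fraud chain, such as a transfer that the customer's session never showed on screen.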

The graph below shows a general outline of the process.


One of the tasks performed on a daily basis in the department when investigating and analyzing botnets is to check whether the associated malware is able to perform attacks using ATS.
As a result of these analyses, in 2015 we detected around 150 different mules prepared to receive transfers made by infected users. The main malware families using these mules were kins, tinba, xswit, pykbot, urlzone and dridex.

An example can be seen below: the locations of the muleteers used by tinba botnets.

For us, it is a real challenge to share our work and cooperate with the police and government security agencies to try to neutralize and capture everyone involved in these fraud schemes, so we are proud to see press releases like the one published by Europol.
Today, we can be pleased with the work we have done and tomorrow, we will have to detect the 700 mule accounts that are no doubt already being prepared.