The Nigerian Spammers From the 90s Have Moved on to Keyloggers and RATs

Share this…

Each day, countless of security researchers are fighting the good fight in an effort to help companies remove malware from infected computers and servers.

These researchers have to go through numerous hoops to get their message across to the proper person inside companies or government organizations who are allowed or can remove these infections from affected devices.

Most of their efforts remain hidden to the casual person, and very few get the credit they deserve for the monumental work they put in on a daily basis.

The silent war researchers wage against cyber-crooks

We’ll be taking a look today at a group of researchers that during the past few months have been reporting malware-infected computers to relevant authorities in countries all over the globe.

This team is formed by MalwareHunter, Daniel Gallagher, and a security researcher that goes online only by the name of Guido.

For the past few months, using data they search and find on VirusTotal, this group has been identifying malware campaigns, tracking down malware C&C servers, and rummaging through countless of data stolen from infected computers.

The group identifies the entity that was infected by malware, usually off-the-shelf commercial keyloggers and remote access trojans, and attempts to contact the company.

These contact attempts usually happen via email and Twitter, directly with the company. If the company is unresponsive, and a vast majority of these infected entities are, the group reaches out to local CERT teams and sometimes law enforcement.

Victims include multinationals, politicians, SMBs

Their efforts have unearthed countless of malware infections, including at companies that have yearly profits bigger than most countries. Furthermore, they found malware on the computer of a Prime Minister from a country they were asked not to name.

Despite these high profile targets, most of the time, the group finds malware at smaller companies, which don’t have the financial resources to set up a cyber-security department or even hire trained cyber-security professionals.

For example, this is just one of the many Twitter threads where the group shares intelligence on the targets they find, and which they can’t get in contact with. The group places this information online in the hopes the company eventually sees it, or someone else with better contacts can lend a helping hand.

Most of these campaigns are carried out by Nigerian hackers

According to MalwareHunter, who spoke with Bleeping Computer in a Twitter conversation, most of these attacks are carried out by groups of hackers based in Nigeria. MalwareHunter puts the number at “about 65-70%” of all the campaigns they find.

Those that know how the cyber-security landscape has evolved in recent years will not be surprised. Nigerian cyber-crooks have evolved from the silly email scams they were pulling in the 90s and early 2000s to using more complex tools and tactics.

Nowadays, these groups of Nigerian hackers, called “yahoo boiz,” “waya waya” or “G-work” in their local communities, are using clever spear-phishing emails to trick victims into installing keyloggers and RATs.

This trend of evolution in the Nigerian cybercrime landscape was noticed by the SecureWorks team last August, and detailed in more depth in a report called “Wire Wire: A West African Cyber Threat.”

Similarly, this week, Kaspersky also discovered a group of Nigerian hackers targeting industrial companies from the metallurgy, electric power, construction, engineering and other sectors.

The group Kaspersky wrote about in a blog post yesterday uses the same tactics detailed by SecureWorks last year, and observed by MalwareHunter and his friends this year.

From email 419 tax scams to RATs and keyloggers

These Nigerian groups aren’t extremely sophisticated, but merely take advantage of free or commercial high-grade hacking tools to carry out more intrusive attacks than they did in previous years.

Basically, the proliferation of hacking tools in recent years has helped previously unskilled spammers to elevate their “hacking” game to new heights of complexity and efficiency.

Kaspersky and MalwareHunter list these tools as common amongst these groups: ZeuS, Pony (FareIT), LokiBot, Luminosity RAT, NetWire RAT, HawkEye, ISR Stealer, iSpy keylogger, NanoCore, and Agent Tesla.

All are keyloggers and RATs that allow an attacker easy access to infected PCs. The groups usually use this access to collect data about targets, which they sell online or use to carry out BEC scams (tricking companies into sending money to bank accounts under their control).

Based only on the data he found on malware C&C servers, MalwareHunter estimates that these hacking groups have stolen between 4 and 5 TBs of data, which contains personally identifiable information from hundreds of thousands of users, from over 1,200 companies. The stolen data belongs guests of hotels, patients of hospitals, clients of travel agencies, business contacts, and many more. Most of the stolen data are small files, such as contracts, Excel spreadsheets, and other small files that hackers can use for reconnaissance. Based on screenshots of hacked computers, MalwareHunter estimates that the hackers have access to petabytes of data, including sensitive CAD design files, private software packages, and other proprietary data.

Poor OpSec exposes the real identities of many of these hackers

Despite using potent hacking tools, these groups often fail to protect their real identities, leaving a trail of clues that many times has led researchers to the attackers’ real email accounts and Facebook profiles.

The researchers have shared the identities of some of these hackers on their Twitter timelines, but which we’ll not be linking due to legal issues.

One researcher who helped MalwareHunter and friends on some investigations claims to have compiled a list of 50+ profiles on suspected hackers, detailed with Facebook profiles, geolocation info, pictures, phone numbers, and other data.

Despite the efforts of researchers to inform compromised companies, the research group says that authorities have not started an investigation on any of these individuals based on the data they supplied.

Researchers are having a hard time notifying victims

As ironic as it sounds, researchers are having a hard time convincing companies that they need to remove malware from infected PCs, let alone persuade them to file legal complaints.

Researchers say that some CERT teams are more responsive than others. For example, CERTs in Jamaica, Denmark, Finland, Armenia, and the Netherlands have responded to their alerts and coordinated with infected companies to remove victims. It’s been slower or complete silence with CERTs from Saudi Arabia, UAE, India, and Portugal.

“Lots of people told us CERTs and companies do not take us seriously because the alerts are free,” said MalwareHunter about their recent efforts. “Some colleagues said this can be a reason some months ago, but that time I didn’t really wanted to believe it. Now, as people repeat that, I have to.”

Although they had little success so far, researchers say they will continue to hunt down malware command and control servers, track down victims, and notify the infected companies.