Multinational Effort Halts Malware Avalanche

The U.S. Department of Justice on Monday released new details about the multinational takedown of Avalanche, a multimillion-dollar malware and money-laundering network, following a four-year probe led by German police and prosecutors. Assistant Attorney General Leslie R. Caldwell, Acting U.S. Attorney Soo C. Song and Assistant Director Scott S. Smith of the FBI’s Cyber Division made the announcement in Pittsburgh.

Prosecutors and investigators in 40 countries were involved in the probe, led by the Public Prosecutor’s office in Verden, Germany, and police in Luneberg. They received assistance from the DoJ, Eurojust and Europol.

The investigation uncovered a multinational malware campaign that started in 2009, sending out more than a million infected emails with damaging links and attachments.

The cyberthieves managed to use the information to transfer funds from the accounts of unsuspecting victims after stealing their bank and email passwords. The stolen funds, estimated to be in the hundreds of millions of euros, then were redirected to other criminals through a double fast flux infrastructure.

More than 20 families of malware were used, including goznym, marcher, matsnu, urizone, xswkit and pandabaker. Highly organized networks of “mules” bought goods with stolen funds, enabling the cyberthieves to launder money they obtained through the scheme.

Arrests, Seizures

The takedown operation marks the largest ever use of sinkholing to combat botnet infrastructures, and is unprecedented in scale, involving more than 800,000 domains seized, sinkholed or blocked.

Five suspects were arrested, 37 premises were searched, and 39 servers were seized, officials said last week. Victims were found in 180 different countries, and 221 servers were kicked offline through abuse notifications sent to hosting providers.

U.S. District Judge Arthur Schwab late last month granted federal prosecutors a temporary restraining order allowing them to block and reroute data from the infected computers used in the Avalanche malware scheme to prevent further malicious activity, according to Margaret Philbin, spokesperson for the U.S. Attorney’s office in Pittsburgh.

The order essentially allows the illegal data to be trapped and traced over to government controlled systems that can track the illegal activity and protect victims of the scheme.

“People across the globe, including residents and companies here in western Pennsylvania, have been victimized by Avalanche and the malware distributed using its intricate infrastructure,” said Robert Johnson, special agent in charge of the FBI in Pittsburgh.

At least three companies or government entities in Pennsylvania were impacted by the attacks, based on court filings.

From Feb. to April of this year, a New Castle-based firm was targeted with seven unauthorized wire transfers that totaled more than US$243,000, based on an attack using GozNym malware. The wire transfers were stopped before any money was lost.

In January 2015, a government entity in Allegheny County was victim to a Nymaim malware attack and had to pay 6 bitcoins, or about $1,400, to get a decryption tool to rescue its files.

In April of this year a Carnegie business was victim of an ATO fraud using GozNym malware attack that resulted in $387,500 being fraudulently transferred from a Pittsburgh-based financial institution to an account in Bulgaria.

“This investigation highlights once again that through the international cooperation of law enforcement and private industry, we can be as effective investigating criminals in cyberspace as we are on the streets of our communities here at home,” Johnson pointed out.

Classic Moves

Avalanche followed a fairly classic botnet attack pattern, noted Kevin O’Brien, cofounder of GreatHorn.

“A large number of compromised machines were being used to send out large numbers of phishing attacks and spam,” he told TechNewsWorld. “These machines were most likely compromised in a more traditional fashion — using malware, unpatched services and individuals whose personal accounts and credentials were lost or stolen — and then over the course of a number of years assembled into a larger botnet.”

Avalanche was part of a larger trend of phishing attacks in recent years, O’Brien said, with targeted email attacks causing$3.1 billion in damage over the past 18 months, based on FBI data.

David Jones is a freelance writer based in Essex County, New Jersey. He has written for Reuters, Bloomberg, Crain's New York Business and The New York Times.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by David Jones
More in Malware

Technewsworld Channels