Trend Micro : Partners With Interpol and Nigeria's EFCC for Operation Killer Bee, Takes Down Nigerian BEC Actors
06/02/2022 | 04:54am EDT
Nigeria's Economic and Financial Crimes Commission (EFCC) arrested three suspected scammers from Nigeria who were involved in global scamming campaigns via a sting operation that is part of Operation Killer Bee. The operation was led by Interpol and National Central Bureaus and law enforcement agencies in various Southeast Asian countries in partnership with Trend Micro, which provided information on the group and their modus operandi.
In early 2020, companies involved in the oil and gas industry were being targeted by malicious actors employing the Agent Tesla malware, just ahead of an Organization of the Petroleum Exporting Countries (OPEC) deal concerning the scaling back of oil production in Russia and Saudi Arabia due to the Covid-19 pandemic situation. Through analysis of a sample used in this attack (detected as TrojanSpy.MSIL.NEGASTEAL.THCAFBB with the SHA-256 hash 0f67d58cb68cf3c5f95308f2542df6ff2e9444dc3efe9dd99dc24ab0f48a4756), we uncovered the malicious actors behind the malware and their modus operandi, which involved disguising themselves as a major petroleum company in Egypt.
The malware we analyzed possesses information and credential theft capabilities in applications and protocols such as browsers, email clients, File Transfer Protocol (FTP), and Wi-Fi, among others. In addition, it can also log keystrokes and takes screenshots.
The malicious actors employing Agent Tesla used the Yandex email service as a drop zone. Through telemetry data, we observed detections originating from countries in the Middle East and Southeast Asia, which makes sense since most of the oil-producing organizations and factories and companies are from these regions. The infection chart shown in Figure 1 shows the data recovered from the drop zone.
Figure 1. Distribution of countries that had recipients receive emails disguised as coming from a major petroleum company (sourced from the Ministry of Petroleum in Egypt). The data was retrieved from the drop zone email@example.com
After months of investigation, we were able to identify the malicious actors behind the campaigns and present it to Interpol and Nigeria's Economic and Financial Crime Commission (EFCC). Furthermore, we were able to elaborate on the impact of the malware in terms of infections and monetary loss. Finally, we also shed light on the malicious actors' modus operandi. These malicious actors, who were from Nigeria, are notorious for using malware such as LokiBot and Agent Tesla.
The EFCC presented this information in a recently concluded conference held in Phuket, Thailand to help strengthen regional and international partnerships. Trend Micro is greatly honored to be part of this conference and we are delighted to share the current and future cyber threat trends (as discussed in our annual security round up, "Navigating New Frontiers")
Interpol, who dubbed this operation Operation Killer Bee, highlighted the arrest of the three malicious actors responsible for deploying Agent Tesla and facilitating business email compromise (BEC) scams using stolen information. The EFCC was able to retrieve images from the malicious actors while Trend Micro helped with forensics analysis.
Along with the May 2022 arrest of Nigerian malicious actors by Interpol and previous arrests from Palo Alto and Group-IB with the support from Trend Micro, the arrest of these malicious actors show the high numbers of threat actor groups operating in Nigeria that are involved in malicious activities such as malware deployment and BEC.
Figure 2. EFCC arrested three malicious actors involved with information-stealing campaigns and BEC scams. Image courtesy of Interpol.
Further details on the malicious actors
The first malicious actor was primarily involved in BEC operations. We discovered from his drop zone that he retrieved some invoice documents which he then used for BEC operations that cost some target companies in Mexico, Spain, United States, and Germany approximately US$60 million. A petroleum gas company in Spain and financial company in Mexico were also targeted for massive amounts of money using stolen invoice documents obtained via information stealers.
The second technically proficient malicious actor was responsible for setting up phishing operations, deploying information stealing malware, and running spam and BEC campaigns, with over 70 phishing URLs . From April 2019 to August 2020, Trend Micro detected 144,000 malicious URLs containing the word "excelz," indicating the directory name of the phishing kit used in the attacks. The majority of these detections were in China, with the United States, Germany, and Japan also among the other countries that had malicious URL detections.
There were 1838 unique domains hosting the excel-themed phishing operation. It is possible this malicious actor rented the phishing kit. This malicious actor helped the first individual we discussed to configure and set up phishing links that had their aliases visible from the directory. Typically, their operations involved compromising a legitimate website's web shell (Xleet) to host the phishing pages. After compromising the website, they will access the control panel using a non-standard port for setting up. There were also non-English phishing scams in languages such as Chinese and Korean. The targeted brands were DHL Express, WebMail Upgrade and SF Express (China).
Figure 3. Phishing page disguised as an encrypted Excel file
Aside from phishing, our second malicious actor also deployed information-stealing malware. Analysis shows that he used Skype and ICQ to communicate with other malicious actors, and Turbo-Mailer to send spam messages containing malware attachments. He also created email services using Gmail to serve as a drop zone for stolen credentials; one of his emails was logged for testing via his Nigerian IP address.
Analysis reveals that the malicious actors targeted companies using identifiers such as country code and the phrase "LTD. PLC," along with other keywords such as "pharmaceuticals," "suppliers," and "manufacturers" in China and other countries. Around 2.3 million email addresses were targeted in their spam campaigns while over 200 SMTP credentials and emails were stolen or hijacked. They also rented fifteen virtual private servers (VPS) with SMTP for these campaigns. Some IP servers were linked to phishing, extortion spam schemes, and tools such as Remcos RAT. Through the connections of the drop zone to the previously-mentioned Agent tesla sample, we were able to link the following Agent Tesla samples:
The third malicious actor pleaded guilty to a four-count charge that included possession of fraudulent documents, obtaining money by false pretense, retention of proceeds of crime, and impersonation. He is linked to 15 email addresses , some of which were used in BEC attacks aimed at companies in countries such as Germany, Japan, and South Korea (with the malicious actor spoofing the name of companies using Gmail). Fraudulent documents requesting money - tallied and estimated to be around US$100,000 - were also used in these BEC attempts. Further investigation revealed that the individual is linked to a cryptocurrency wallet with an amount equivalent to US$133 million
Using the Agent Tesla sample, we observed that the malicious actors have been operating since 2018, initially conducting phishing attacks and deploying information-stealing malware such as LokiBot and Fareit.
The modus operandi shown below in Figure 4 is the typical operation process flow used by the Nigerian malicious actors.
Figure 4. The typical modus operandi used by the Nigerian malicious actors
It starts with the malicious actors scraping the internet for public sites containing email addresses, which will be stored in a text file. They also use tools such as Lite Email Extractor to scrape email addresses. To expand their range of targets the malicious actors also search for specific keywords in Google, such as "LTD PLC" and "manufacturing suppliers."
After obtaining their list of targets, they may share this information with other malicious actors via Skype and ICQ. Their next step would be either to purchase a VPS server with SMTP, or in some cases, hijack a mail server infected with an information-stealing malware. For the VPS server, they will install Gammadyne or Turbo-Mailer to help them compose the phishing email or spam email with a malicious attachment and then embed the list of email addresses. Before doing so, they may also purchase domains and set it up for phishing activities, (sometimes mimicking an official company site). They may obtain information-stealing malware from the cybercriminal underground - typically via Skype - and request for crypter services and support to configure the C&C server and set up C&C server hosting. When these are ready, the malicious actors will run Gammadyne or Turbo-Mailer and leave it running.
To minimize the chance of leaving traces, the malicious actors access the clean VPS servers - which are leased from bulletproof hosting (BPH) services such as Almahosting - via remote desktop protocol (RDP). The malicious actors will then wait for information from the infected machines that will be sent over to the drop zone or C&C server - for example, Agent Tesla can log the email server credentials, web browser activity, the IP address of the victim, and, in some cases, screenshots of the desktop and keystroke recordings. At this stage, they will consolidate the logs of stolen information or share it with other malicious actors so they can proceed to perform BEC. They try to find weak points in the organization and perform activities such as hijacking the email conversation, tampering with the invoices of their bank account, and follow up with the partners and suppliers of the target companies. They can also log into their victim's bank account using their credentials and perform wire transfer fraud while monitoring their victims, biding for the right time to perform social engineering techniques, with the eventual goal of having money transferred to the malicious actors' accounts.
A successful partnership between law enforcement and the private sector
Activities and operations that involve the cooperation of law enforcement and the private sector, such as Operation Killer Bee, allow security organizations and industry experts to provide their skills, resources, and years of experience to law enforcement organizations such as Interpol to augment their strengths in investigating and apprehending malicious actors and cybercrime groups. This partnership has led to many successful cybercriminal takedowns over the past few years.
To this end, we are honored tocollaborate with Interpol, and we hope to continue working with them to strengthen cybersecurity and keep the digital world safe.