SpyEye Creator Got ‘Sloppy,’ Then Got Nabbed
Turns out the key player behind the development and distribution of the infamous SpyEye data-stealing Trojan wasn’t so careful about covering his tracks. Aleksandr Andreevich Panin, aka “Gribodemon” and “Harderman,” inadvertently left a trail that ultimately led to his arrest last summer.
The U.S. Attorney’s Office yesterday announced that Panin had pleaded guilty to charges associated with his role as the main developer and distributor of SpyEye. Panin, 24, who was arrested by U.S. authorities at Atlanta’s Hartsfield-Jackson International Airport on his way back from a trip to the Dominican Republic, left clues to his identity while active in underground forums, and inadvertently leaked the email address of a SpyEye server’s controller — which helped investigators unmask him.
Researchers at Trend Micro who tracked Panin and other associates online were able to glean some valuable information from Panin’s online postings as well as SpyEye files that provided valuable intelligence about his identity. “Once we decrypted the files, we had access to a bunch of other files … including a configuration file” with SpyEye customer names that Panin apparently had created, Loucif Kharouni, senior threat researcher with Trend Micro told Dark Reading. “That was a mistake.”
Panin, a Russian national, had gotten a bit too confident and became “sloppy” in his operations, Kharouni says.
The Trend Micro team, which assisted the FBI in the investigation, correlated key information and clues from the SpyEye configuration files with other intelligence it had on hand. The researchers joined underground forums that Panin and his cohorts frequented, and were able to obtain the email addresses, ICQ numbers and Jabber chat handles that the suspects disclosed to prospective customers.
“But that was 2010 and 2011. From that point, things changed. Now you rarely see cybercriminals disclosing this type of information,” says Kharouni, who posted details of Trend Micro’s findings in a blog post today.
The binaries and configuration files used with the Trojan led Kharouni and his team to a key clue: The decrypted configuration files contained the handle “bx1,” used by Panin’s partner in the enterprise, Hamza Bendelladj, an Algerian national who was arrested in January 2013 at an airport in Bangkok while in transit from Malaysia to Algeria. He was extradited to the U.S. in May, and faces pending charges in the Northern District of Georgia for his alleged role in SpyEye.
Panin was definitely not as savvy as ZeuS creator Slavik, who remains at large. “Slavik wouldn’t disclose that type of information in an underground forum. And he hasn’t been caught yet,” Kharouni says. “[Panin’s] mistake was that he was [new] and wanted to make an impression, and he wasn’t careful at first.”
Meanwhile, Panin and Bendelladj eventually became more guarded and cautious with their online communications. “But it was too late” for them, he says. “They didn’t expect to get caught traveling.”
Aside from his carelessness online, Panin — like Bx1 — made the mistake of traveling outside Russia and other nations that have no extradition agreement with the U.S.
“Panin suffered the same fate as BX1. He traveled and got picked up crossing borders … Although an Algerian native, Bx1 was living in Malaysia and was arrested in Thailand while traveling to Egypt. For Panin, a vacation in the Dominican Republic was what brought him down. These ‘border crossing’ arrests have led the Russian government to issue a rather strange travel advisory: ‘If you are wanted for crimes in the United States, don’t visit Extradition Friendly Countries!'” notes Malcovery researcher Gary Warner in a post today.
The SpyEye Trojan has infected more than 1.4 million computers around the world, and according to financial services industry data, more than 10,000 bank accounts were hacked via SpyEye infections in 2013. The malware, which steals online banking credentials, credit card data, user names, passwords, PINs, and other sensitive personal information, and sends that information to command and control servers, remains in use today.
Panin and associates in Russia developed, marketed, and sold versions of the SpyEye malware kit online between 2009 and 2011, selling the malware for anywhere from $1,000 to $8,500 to at least 150 different customers, who in turn deployed the Trojan in cyberattacks. According to the U.S. Attorney, one of Panin’s clients, known as “Soldier,” reportedly netted more than $3.2 million via SpyEye in six months.
International authorities also have arrested four of Panin’s SpyEye clients and associates in the U.K. and Bulgaria as a result of the investigation into his activities.
The FBI in February 2011 seized a SpyEye command and control server run by Bendelladj in Georgia. That server controlled more than 200 computers infected with SpyEye and held stolen information from various financial institutions. In June and July of that year, FBI undercover agents made contact with Panin online and purchased a version of the Trojan that steals financial information and includes keylogging and distributed denial-of-service features.
Panin’s case likely signals the end of the SpyEye era. “Only beginners use SpyEye now. Everyone knows it’s not really safe to use anymore, so most have moved on to others like Citadel,” Trend Micro’s Kharouni says.
There are still plenty of unknowns about the SpyEye case, however. “What we do NOT have are more examples of the criminals who actually ran the botnets and whether they are in custody,” Malcovery’s Warner notes. Where are the clients who purchased SpyEye from Bx1, what are their botnets, and how much did they make? he asks.
Aside from U.S. authorities, the UK’s National Crime Agency, the Royal Thai Police-Immigration Bureau, the National Police of the Netherlands-National High Tech Crime Unit (NHTCU), Dominican Republic’s Departamento Nacional de Investigaciones (DNI), the Cybercrime Department at the State Agency for National Security-Bulgaria, and the Australian Federal Police (AFP), all had a hand in the investigation, as well as Trend Micro, Microsoft’s Digital Crimes Unit, Mandiant, Dell SecureWorks, Trusteer, and the Norwegian Security Research Team.
“As several recent and widely reported data breaches have shown, cyber attacks pose a critical threat to our nation’s economic security,” said U.S. Attorney Sally Quillian Yates. “Today’s plea is a great leap forward in our campaign against those attacks. Panin was the architect of a pernicious malware known as SpyEye that infected computers worldwide. He commercialized the wholesale theft of financial and personal information. And now he is being held to account for his actions. Cyber criminals be forewarned—you cannot hide in the shadows of the Internet. We will find you and bring you to justice.”