Incidents

Pinch authors pinched

Today Nikolay Patrushev, head of the Federal Security Services, announced the results of the measures taken to combat cyber crime in 2007.

Among other information, it was announced that it had been established who was the author of the notorious Pinch Trojan – two Russian virus writers called Ermishkin and Farkhutdinov. The investigation will soon be completed and taken to court.

It’s well known that Pinch is one of the most popular Trojan programs with Russian malicious users. The Trojan makes it possible to steal email, icq and other account data, including to network services and application. The authors of this program, also known as Damrai and Scratch, used Pinch to build a criminal industry.

Anyone who wants can order a customized version of the Trojan, and also get ‘technical support’ from the authors of the program. Russian hacker forums were flooded with advertisements for this ‘service’.

A mass of script-kiddies clearly found the idea attractive – get a functional spy program for a mere few dollars. As a result, the Internet became flooded with Pinch modifications. Our antivirus databases currently contain more than four thousand variants.

At the very lowest estimates, Pinch has caused several hundred thousand infections. It’s impossible to estimate what financial losses have been caused over the years since this Trojan first saw the light of day.

Patrushev’s announcement today clearly shows that the security services are targeting active virus writing groups which participate in cyber crime, and that the steps being taken are meeting with success.

The arrest of the Pinch authors is on a level with the arrests of other well known virus writers such as the author of NetSky and Sasser, and the authors of the Chernobyl and Melissa viruses.

Unfortunately, it doesn’t mean that new variants of Pinch will disappear. Sadly, the source code of this Trojan is circulating on the Internet, and we’ll certainly encounter ‘remakes’ of this pest, created by virus writers who have not yet been arrested.

Pinch authors pinched

Your email address will not be published. Required fields are marked *

 

Reports

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox