Cybercriminals are overcoming language and timezone barriers to cooperate on making malware more dangerous

Kaspersky researchers say Russian and Brazilian cybercriminals are trading tools and techniques to target their respective local victims.
Written by Danny Palmer, Senior Writer

Being on the other side of the world from one another isn't a barrier to cybercriminals working together.

Image: Symantec

Cybercriminals in different hemispheres of the globe are working together to improve malicious tools, software, and techniques used to carry out cyberattacks, researchers have warned.

An investigation by Kaspersky Lab found that cybercriminals situated over 10,000km apart in Brazil and Russia are overcoming substantial time zone differences and language barriers in order to borrow techniques from each other and speed up the development of malware.

It signifies an evolution of ransomware and other forms malicious software, which not so long ago were developed in complete isolation from one another, resulting in tailored cyberattack techniques which gave away the regional origin of the attacks. For example, the Boleto malware, which stole $4 billion in two years, was specific to Brazil, in that it intercepted payments of Boletos, Brazil's version of a money order.

However, researchers have now found that Brazilian and Russian cybercriminals are working together, visiting each other's underground criminal forums to buy and sell malware, as well as to offer services and advice.

"We have sufficient evidence that Brazilian criminals are cooperating with the Eastern European gangs involved with ZeuS, SpyEye, and other malware created in the region," Thiago Marques, a security researcher at Kaspersky, writes in a blog post.

Kaspersky first noticed signs of cooperation between hackers in the two countries on a Russian-speaking underground forum, where a user going by the handle Doisti74 stated their interest in buying Brazilian "loads", referring to successful installation of malware onto PCs in Brazil. The same user has also been seen on Brazilian cybercriminal forums, where they spread ransomware to victims in Brazil.


'Doisti74' is known to frequent Russian and Brazilian cybercriminal forums.

Image: Kaspersky

It's just one of many examples of cooperation between Brazilian and Russian cybercriminals identified by Kaspersky Lab. In one instance, Russian banking Trojan Crishi began using an algorithm to generate hosting domains, then just a few months later, the Brazilian actors behind Boleto were using the same infrastructure.

Researchers suggest this couldn't have happened without some form of cooperation between hackers in the two countries, especially as it has made the Brazilian malware more difficult to fight against.

"Just a few years ago, Brazilian banking malware was very basic and easy to detect. With time, however, the malware authors have adopted multiple techniques to avoid detection, including code obfuscation, root and bootkit functions, and so on, making their malware much more sophisticated and harder to combat. This is thanks to malicious technologies developed by Russian-speaking criminals," said Marques.

"We believe this is only the tip of the iceberg, as this kind of exchange tends to increase over the years as Brazilian crime develops and looks for new ways to attack businesses and regular people," he adds.

However, it isn't just a one-way street, as there is evidence Brazilian cybercriminal actors also aid their Russian counterparts. For example, Brazilian hackers have actively been using PACs to redirect victims to fake banking pages in order to steal details for some time. The technique is now also used by Russian-speaking cybercrminals who use Trojans to target Russian banks.

For Marques and Kaspersky, there's only one answer to fighting international cooperation between cybercriminals: for law enforcement and security researchers to work in the same way.

"We think the best way to address this kind of international threat is to conduct an international investigation of these activities. Just as cybercrime has no borders, nor should any investigation," he concludes.

Read more on malware

Editorial standards