Cyber-Gang Targets Sensitive Industries With Flexible Botnet
Using a bot program known as Mevade, a group of criminals from Russia and the Ukraine has hit transportation, business services, government and manufacturing industries.Cyber-criminals likely based in Russia and the Ukraine have compromised computers at thousands of companies with a malware program known as Mevade, hijacking search traffic and conducting click fraud to turn the compromised systems into cash, security firm Websense stated in an analysis posted online on Oct. 23. The attack has hit companies in the United States, the United Kingdom, Canada and India, among others, and has targeted the business services, manufacturing and transportation industries, as well as government agencies. The list of targeted industries is interesting because—while the Mevade malware is focused on generating cash for the operators of the botnet—it could easily be turned into a data-stealing espionage network, Alex Watson, director of research for Websense Labs, told eWEEK. "If you look at malware and its capabilities, this group is really going after whatever money they can get," Watson said. "But if you look at the targets, it's definitely concerning. It would only take a change in business model to sell access to a number of critical industries." Mevade is not a new malware program. First detected by Microsoft on July 2, 2013, the program is likely a variant of malware called Sefnit, used by a cyber-criminal group since 2011. In late July, the number of computers infected by the program, and the industries infiltrated by the botnet, rose quickly, peaking in late August and early September, according to data from Websense. Since late September, the pace of compromise has gradually slowed, suggesting that the campaign has ended, Watson said.
The lull is not unusual for criminal activity, he said. In many cases, cyber-criminal groups will stop using a particular binary executable when antivirus firms broadly detect the program and its variants. Infections will slow or stop while the cyber-criminal groups work on creating a version of the program that antivirus software fails to detect, he said.